bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c

General

Target

bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe
Size

3.3MB
MD5

819af5ef27a8c0475785fc53787bbb59
SHA1

f14e4b56b60836ec55da20336a713683fc51d08e
SHA256

bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c
SHA512

77fab1fcdde02f0bee992f1dc49d8d404b86f06375051ea3035a74e88736a18a656d5bb7f42489a5d3a8ec14000ddeb79b14268609c53062bead098b6a9a99aa
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBD9w4SLDtnkgXL35xZzlPBq4:+R0pI/IQlUoMPdmpSpD4ADtnkgvNW

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

xbodloc.exe

pid process

2456 xbodloc.exe
Loads dropped DLL 1 IoCs

Processes:

bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe

pid process

3068 bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe

pid	process
2456	xbodloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeGU\\xbodloc.exe"	bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidOK\\optixloc.exe"	bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe

NTFS ADS 1 IoCs

Processes:

bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe

description	ioc	process
File created	C:\Users\AdminF+ZZ.K^KF<YKWSXQF7SM\Y]YP^FASXNYa]F=^K\^ 7OX_F:\YQ\KW]F=^K\^_ZFecxbod.exe	bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exexbodloc.exe

pid	process
3068	bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe
3068	bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe
2456	xbodloc.exe
3068	bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe
2456	xbodloc.exe
3068	bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe
2456	xbodloc.exe
3068	bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe
2456	xbodloc.exe
3068	bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe
2456	xbodloc.exe
3068	bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe
2456	xbodloc.exe
3068	bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe
2456	xbodloc.exe
3068	bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe
2456	xbodloc.exe
3068	bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe
2456	xbodloc.exe
3068	bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe
2456	xbodloc.exe
3068	bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe
2456	xbodloc.exe
3068	bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe
2456	xbodloc.exe
3068	bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe
2456	xbodloc.exe
3068	bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe
2456	xbodloc.exe
3068	bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe
2456	xbodloc.exe
3068	bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe
2456	xbodloc.exe
3068	bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe
2456	xbodloc.exe
3068	bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe
2456	xbodloc.exe
3068	bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe
2456	xbodloc.exe
3068	bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe
2456	xbodloc.exe
3068	bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe
2456	xbodloc.exe
3068	bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe
2456	xbodloc.exe
3068	bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe
2456	xbodloc.exe
3068	bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe
2456	xbodloc.exe
3068	bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe
2456	xbodloc.exe
3068	bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe
2456	xbodloc.exe
3068	bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe
2456	xbodloc.exe
3068	bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe
2456	xbodloc.exe
3068	bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe
2456	xbodloc.exe
3068	bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe
2456	xbodloc.exe
3068	bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe
2456	xbodloc.exe
3068	bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe

description	pid	process	target process
PID 3068 wrote to memory of 2456	3068	bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe	xbodloc.exe
PID 3068 wrote to memory of 2456	3068	bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe	xbodloc.exe
PID 3068 wrote to memory of 2456	3068	bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe	xbodloc.exe
PID 3068 wrote to memory of 2456	3068	bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe	xbodloc.exe

C:\Users\Admin\AppData\Local\Temp\bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe
"C:\Users\Admin\AppData\Local\Temp\bbe92161b61463b7e05160fe70372d10d288eb1ce5c29a039fae2bcb9896cc6c.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3068

C:\AdobeGU\xbodloc.exe
C:\AdobeGU\xbodloc.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2456

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\253086396416_6.1_Admin.ini
Filesize
200B

MD5
77dda27861448e7d45553f15e979de99

SHA1
3d67186cd43bc7414fb2403100d924b019d9f9da

SHA256
89522abee4a0c514d48bfa8e338e3c651d0da3c0f58cd78ad9c5862bfe231c23

SHA512
28509ca713fb1892ffc6884449118fb4a73f524cd6440682439de4a832b5980341fb87f701985644ac2d04aba020d23dfef321e0777c5ba5fb386844f52c2575

Download Submit
C:\VidOK\optixloc.exe
Filesize
3.3MB

MD5
2d5af20fe1cb1ec22d36a5c47e1716ef

SHA1
b9c04e5aa88e9933a510a21b5a7567a737faa5ef

SHA256
ed6c325be4dada42619d16b04edc955a8f81ed099c7fbcf0925cb43fcbd309ff

SHA512
2c9853e9ddb24e6d747e7996351497de7dd4aa355c9d2b8a35a98155b9737d770dbc3cf172ea941e3ce6ac983c6e6d8174b0c9ab3cc66d59c4f497baece825d9

Download Submit
\AdobeGU\xbodloc.exe
Filesize
3.3MB

MD5
280517acfd507e0d6c65667c3647797b

SHA1
c529e823ccb9506b2b7711c6a59aa9a5138c3333

SHA256
7a73baa522b809eab5a5976e20ccfc941243e7a5010c4a38d746d4653c4f6161

SHA512
945239540b0983b2415b6a128b835c0ff2df9e2e5d11fcf178a93779306c19d16890094370dbc7ef8f8f98dea0981a882977e7566fbe879be166cbaf9156b2a6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads