fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24/05/2024, 05:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe
Size

2.7MB
MD5

99ed481c038dc146b993d26269800d8e
SHA1

711d0479d3036b5b8900f4448d9d6f1e865c850b
SHA256

fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5
SHA512

39578e765cdb45447d60eb7120678426bc975077b6a95c5732ebceadfb9436349b41e42acd566990f020e55adce02bb94d54d05662903562187abd0a4f5424e4
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB59w4Sx:+R0pI/IQlUoMPdmpSpB4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1336	xbodloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2084	fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesVJ\\xbodloc.exe"	fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZGF\\bodaec.exe"	fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2084	fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe
2084	fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe
1336	xbodloc.exe
2084	fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe
1336	xbodloc.exe
2084	fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe
1336	xbodloc.exe
2084	fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe
1336	xbodloc.exe
2084	fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe
1336	xbodloc.exe
2084	fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe
1336	xbodloc.exe
2084	fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe
1336	xbodloc.exe
2084	fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe
1336	xbodloc.exe
2084	fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe
1336	xbodloc.exe
2084	fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe
1336	xbodloc.exe
2084	fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe
1336	xbodloc.exe
2084	fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe
1336	xbodloc.exe
2084	fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe
1336	xbodloc.exe
2084	fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe
1336	xbodloc.exe
2084	fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe
1336	xbodloc.exe
2084	fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe
1336	xbodloc.exe
2084	fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe
1336	xbodloc.exe
2084	fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe
1336	xbodloc.exe
2084	fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe
1336	xbodloc.exe
2084	fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe
1336	xbodloc.exe
2084	fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe
1336	xbodloc.exe
2084	fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe
1336	xbodloc.exe
2084	fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe
1336	xbodloc.exe
2084	fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe
1336	xbodloc.exe
2084	fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe
1336	xbodloc.exe
2084	fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe
1336	xbodloc.exe
2084	fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe
1336	xbodloc.exe
2084	fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe
1336	xbodloc.exe
2084	fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe
1336	xbodloc.exe
2084	fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe
1336	xbodloc.exe
2084	fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe
1336	xbodloc.exe
2084	fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 1336	2084	fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe	28
PID 2084 wrote to memory of 1336	2084	fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe	28
PID 2084 wrote to memory of 1336	2084	fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe	28
PID 2084 wrote to memory of 1336	2084	fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe	28

C:\Users\Admin\AppData\Local\Temp\fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe
"C:\Users\Admin\AppData\Local\Temp\fb20653f84e1263660d667077895b564b43bb9ab89ebfe659f042c587ed58dd5.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2084
- C:\FilesVJ\xbodloc.exe
  C:\FilesVJ\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZGF\bodaec.exe

Filesize
2.7MB

MD5
f21f651b0cae9861916720f38a179b74

SHA1
e9fb0e3f8b9530d8d5d48881e9077ca147723f01

SHA256
6e6d482bfa4817945fb2a6739e1617f675443b11ca9b6885fa4c3fa48efdf9b0

SHA512
07cc0094db5f92178205429273e2a4425d54e94651047ea636fbe177d2cc9bf2d1e718763c50c80ce73f1d418cdaaa5f6cd29c5b0efc3ddd4add9f660386a9f2

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
40d2fc25fe7416fffe256340e95fccad

SHA1
db9fed56ed7569fca0a79f934b1dd933f5495914

SHA256
f35500919510681ff7cdc793523a41bb28f909c7e5e8ecde3816458654b52f30

SHA512
6ee9679cfe06b1af4f0313893b29ae9c419642bad07b5b1b2418daa4a72945e271f36ee87c881261336bebc9bfa385aca67775c97ed6cae5fabd5908fb2db762

Download Submit
\FilesVJ\xbodloc.exe

Filesize
2.7MB

MD5
57291e61a9c319266639ca2c085082a5

SHA1
dff252942c6c06fd259e32a9e2fcdb87dc748328

SHA256
de895f70022773252bd14995788635791bdf4c7a293d3c9ac0e98f7ec09d66e6

SHA512
3e9d48342f45776c8529cca346a443cb34f27088da8fb115fc3b5c495661b2c54636cc170fb1a3546afa0ee5ec7d612da2cc050eaef9c7d0d6e99be5f6133436

Download Submit