3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678

Analysis

max time kernel
154s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678.exe
Size

2.7MB
MD5

3cc28acb346a9e7d50cf31cb9e08b27f
SHA1

842ce7d37f6c26e7c63cc63ed099fe4463c54fb0
SHA256

3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678
SHA512

ed8184a70bda33de22296f67ae06e8971c077540185a6b0d0618013dd1fd9a8f9526caace0a742bf78fa330e9bd6c228809cca8745f582b4beec62ebefb62244
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBq9w4Sx:+R0pI/IQlUoMPdmpSpk4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3608	xbodsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv47\\xbodsys.exe"	3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid2S\\dobaloc.exe"	3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2132	3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678.exe
2132	3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678.exe
2132	3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678.exe
2132	3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678.exe
3608	xbodsys.exe
3608	xbodsys.exe
2132	3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678.exe
2132	3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678.exe
3608	xbodsys.exe
3608	xbodsys.exe
2132	3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678.exe
2132	3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678.exe
3608	xbodsys.exe
3608	xbodsys.exe
2132	3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678.exe
2132	3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678.exe
3608	xbodsys.exe
3608	xbodsys.exe
2132	3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678.exe
2132	3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678.exe
3608	xbodsys.exe
3608	xbodsys.exe
2132	3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678.exe
2132	3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678.exe
3608	xbodsys.exe
3608	xbodsys.exe
2132	3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678.exe
2132	3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678.exe
3608	xbodsys.exe
3608	xbodsys.exe
2132	3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678.exe
2132	3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678.exe
3608	xbodsys.exe
3608	xbodsys.exe
2132	3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678.exe
2132	3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678.exe
3608	xbodsys.exe
3608	xbodsys.exe
2132	3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678.exe
2132	3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678.exe
3608	xbodsys.exe
3608	xbodsys.exe
2132	3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678.exe
2132	3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678.exe
3608	xbodsys.exe
3608	xbodsys.exe
2132	3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678.exe
2132	3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678.exe
3608	xbodsys.exe
3608	xbodsys.exe
2132	3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678.exe
2132	3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678.exe
3608	xbodsys.exe
3608	xbodsys.exe
2132	3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678.exe
2132	3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678.exe
3608	xbodsys.exe
3608	xbodsys.exe
2132	3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678.exe
2132	3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678.exe
3608	xbodsys.exe
3608	xbodsys.exe
2132	3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678.exe
2132	3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 3608	2132	3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678.exe	91
PID 2132 wrote to memory of 3608	2132	3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678.exe	91
PID 2132 wrote to memory of 3608	2132	3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678.exe	91

C:\Users\Admin\AppData\Local\Temp\3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678.exe
"C:\Users\Admin\AppData\Local\Temp\3b2eb0a83ca7967ba175ca7311b00ecce00f7b896bc56bb6a859f7822694a678.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2132
- C:\SysDrv47\xbodsys.exe
  C:\SysDrv47\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
1⤵
PID:4736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrv47\xbodsys.exe

Filesize
2.7MB

MD5
8f9e6843e18819a619006fdf7aec2f72

SHA1
bb769a8f805148eacc6ebd42669f5c7d87eb845b

SHA256
9120ee4598d876cd8d491cbeb96f4d98fe473591dc523bc5f8ba7004ddb6b213

SHA512
627063421819f73ac6ceec8245f4272f4dae93ca7fc5c6e0a24a1fbdcadfd7e1aa09a934fe54b381ec9f217e6d2ba5510901e7445c098475a8927c2a6409145d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
f381d24c79480a15ecf2dc3266672c6c

SHA1
f3873a4850de7600c6ff1964dd0e9dad0bedca5f

SHA256
96eb0d7f29add912004ad1a9ffa03d0bb09e7ce3e0f24cc05d24401d6d15fe53

SHA512
15502fa90e9a5a2c23fe3ac4e3605295a47c93d5087f57a8b802428f9e7e096b8cd33cae886bbbeb054fcce26318fc8703b39339d9518a6357811f769cd159e4

Download Submit
C:\Vid2S\dobaloc.exe

Filesize
19KB

MD5
13b7be4099f3920c0a076cbbf5b83643

SHA1
a81de9811a57ec2cdbfe1e3a6cbedfbf2fbcfd4e

SHA256
7897ecdf3ddcd3490c17f2cc193f10a2e0b047eddef77884b9b5f187f0d09004

SHA512
fca7da7ace3651a9ca715a8593ce988a8b4f41cdc02d53bb79b7379add25e21edc3c75d7da18fcd92f433fd130cb2c29ea8d686055b1dbef197d00c85fdde05c

Download Submit