ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/05/2024, 01:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe
Size

2.7MB
MD5

2b9063cc3a30a7300482dd021a0a30a4
SHA1

02bbfabd4e2ed1703789e665af0e1160ac623b5e
SHA256

ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf
SHA512

6640dfeef189cf3503b02198472cab183c912a4d935188d222115c7fdb2b62500ed5eb640070058179bbb079841dbbe5dd1e83ccfc789dcbf9a1b4d86cf94601
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBn9w4Sx:+R0pI/IQlUoMPdmpSpX4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2948	xbodloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2904	ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot61\\xbodloc.exe"	ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBB7\\dobdevloc.exe"	ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2904	ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe
2904	ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe
2948	xbodloc.exe
2904	ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe
2948	xbodloc.exe
2904	ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe
2948	xbodloc.exe
2904	ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe
2948	xbodloc.exe
2904	ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe
2948	xbodloc.exe
2904	ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe
2948	xbodloc.exe
2904	ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe
2948	xbodloc.exe
2904	ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe
2948	xbodloc.exe
2904	ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe
2948	xbodloc.exe
2904	ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe
2948	xbodloc.exe
2904	ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe
2948	xbodloc.exe
2904	ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe
2948	xbodloc.exe
2904	ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe
2948	xbodloc.exe
2904	ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe
2948	xbodloc.exe
2904	ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe
2948	xbodloc.exe
2904	ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe
2948	xbodloc.exe
2904	ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe
2948	xbodloc.exe
2904	ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe
2948	xbodloc.exe
2904	ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe
2948	xbodloc.exe
2904	ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe
2948	xbodloc.exe
2904	ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe
2948	xbodloc.exe
2904	ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe
2948	xbodloc.exe
2904	ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe
2948	xbodloc.exe
2904	ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe
2948	xbodloc.exe
2904	ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe
2948	xbodloc.exe
2904	ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe
2948	xbodloc.exe
2904	ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe
2948	xbodloc.exe
2904	ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe
2948	xbodloc.exe
2904	ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe
2948	xbodloc.exe
2904	ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe
2948	xbodloc.exe
2904	ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe
2948	xbodloc.exe
2904	ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2948	2904	ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe	28
PID 2904 wrote to memory of 2948	2904	ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe	28
PID 2904 wrote to memory of 2948	2904	ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe	28
PID 2904 wrote to memory of 2948	2904	ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe	28

C:\Users\Admin\AppData\Local\Temp\ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe
"C:\Users\Admin\AppData\Local\Temp\ac09826a273eef6922b980af1a96d81128770f0470adb764d9d8498f4db9b6bf.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2904
- C:\UserDot61\xbodloc.exe
  C:\UserDot61\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBB7\dobdevloc.exe

Filesize
2.7MB

MD5
1e5927be29e7545d01a119c995a09fa8

SHA1
929b411522082383f5cad5df715fb6b10bbbbf11

SHA256
4205a4824ac7be745706417e1239475367086dff50b06893ba5ae51b1b8e5f7b

SHA512
6a23c6b3ddc8d4a51f77929eb2ac2acce5d163c25e642d9b25332400462e44819d14e3a89c1b68f33d7aaf3f416961678a5af914a2147bf544b7e24a58682c56

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
e1561cd10c136cf1e8e2c7b8bd0ff5d1

SHA1
6138928e8e393a5cbe0bc8519a1ae699811a30a7

SHA256
470261767d00313680564f853b242f9b81cad41fdac94cc25f4222cf46efedd7

SHA512
dc1132f28c16049d7da8a65540a91642150063c80f9fa0306668bd4cd71f17789629a9200aa73c0655ba074e863dee6f2cb953751e9afe88650f6ac92341f865

Download Submit
\UserDot61\xbodloc.exe

Filesize
2.7MB

MD5
8773e1e9de4799c0ecf210084346a32b

SHA1
1c52f669730cb5e3b3e5925c1a61fd5f2bb1d0a0

SHA256
b42b7c376a3c9499ce7f8e778309b7d7bee43f020c9c72e4851d00bcd1248b93

SHA512
386e72056ace8bb029223ccf7ae71a8d4f1d55124d9c93b19be6d71b80f403f6cc5a10fe467aea04c03b8a1180111659a085fc8036aaf3e2900a56becdc77255

Download Submit