951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
29/05/2024, 00:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe
Size

4.1MB
MD5

5ba2eb6fdb36bcf398c6f6bfb489d546
SHA1

0b3d445b5cdd287c4fdae5a185770fedd1d19fd4
SHA256

951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021
SHA512

507572e5b79fecfdae5e27f3702a33037f84d8606a5641af8cf35bc304130266a26be0f30c50d4239f6df1bf2e956d3fa8ce3189bb71e80a4dac540923a50acc
SSDEEP

98304:+R0pI/IQlUoMPdmpSpf4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmo5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1444	xdobec.exe

Loads dropped DLL 1 IoCs

pid	Process
2256	951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeMV\\xdobec.exe"	951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxC4\\bodaec.exe"	951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2256	951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe
2256	951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe
1444	xdobec.exe
2256	951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe
1444	xdobec.exe
2256	951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe
1444	xdobec.exe
2256	951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe
1444	xdobec.exe
2256	951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe
1444	xdobec.exe
2256	951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe
1444	xdobec.exe
2256	951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe
1444	xdobec.exe
2256	951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe
1444	xdobec.exe
2256	951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe
1444	xdobec.exe
2256	951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe
1444	xdobec.exe
2256	951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe
1444	xdobec.exe
2256	951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe
1444	xdobec.exe
2256	951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe
1444	xdobec.exe
2256	951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe
1444	xdobec.exe
2256	951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe
1444	xdobec.exe
2256	951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe
1444	xdobec.exe
2256	951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe
1444	xdobec.exe
2256	951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe
1444	xdobec.exe
2256	951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe
1444	xdobec.exe
2256	951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe
1444	xdobec.exe
2256	951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe
1444	xdobec.exe
2256	951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe
1444	xdobec.exe
2256	951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe
1444	xdobec.exe
2256	951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe
1444	xdobec.exe
2256	951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe
1444	xdobec.exe
2256	951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe
1444	xdobec.exe
2256	951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe
1444	xdobec.exe
2256	951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe
1444	xdobec.exe
2256	951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe
1444	xdobec.exe
2256	951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe
1444	xdobec.exe
2256	951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe
1444	xdobec.exe
2256	951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 1444	2256	951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe	28
PID 2256 wrote to memory of 1444	2256	951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe	28
PID 2256 wrote to memory of 1444	2256	951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe	28
PID 2256 wrote to memory of 1444	2256	951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe	28

C:\Users\Admin\AppData\Local\Temp\951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe
"C:\Users\Admin\AppData\Local\Temp\951942ba7c474b55ce1e4b4f76fd59d82727b94bb129c6d751d04ad231ba3021.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2256
- C:\AdobeMV\xdobec.exe
  C:\AdobeMV\xdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxC4\bodaec.exe

Filesize
4.1MB

MD5
26afc7bf35eb27dd0e3a860fe74eb137

SHA1
845e962b0455371c3cd39f179a7ae114abf5cd9e

SHA256
eb82076a0b7af4a0b9f57523bbd2517a24f366f0095c5a59b118e7f2c7585557

SHA512
89bc02833807ee695d32e9e5fd7d4bac2ed93032ce0a079bba15892659d698ee0ba51ab57fa3bd4fb65a903c604914457957426008ad300fadc1e2930834bea1

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
dcad3b60f6b160c5143d10f32b5096aa

SHA1
1a9a8a16fad6c38bcd7fad026d3485dfd50a1787

SHA256
7051ed1374238bddbb87b8637eebf026f3caa62275924e51cff0dfa1bccb6c65

SHA512
63b440fcfbb2c5afc6a1d9c2b88229fa254207fdb2e4beda0ac801ab7658136fc8b34df69f99304c96053886d33cb492ebdf284ad939001395ba41c19ea7be42

Download Submit
\AdobeMV\xdobec.exe

Filesize
4.1MB

MD5
8bedb18efb062271b5c800ce611c0381

SHA1
f71d2c442dc4bdec5b8db7a7e860a26eca7405ad

SHA256
9daaa163305d217000de4e884afa63fc9e1ed10b40783ee54f0964528561b60a

SHA512
3d56cf0dd7faf2edc7e941e3d26ce2a3a07b34705977449fa1bcb84d4f46eb191bee528e35a27fa0fcecbfb128fa75b1114176e750439195a6ecede08c1a71e0

Download Submit