2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29/05/2024, 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
Size

4.1MB
MD5

c8963a07a8fd2a5e12eb7316d169d973
SHA1

5fa134d5914dac63485888c8607693d2d6fb0f85
SHA256

2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed
SHA512

78189434b44344e4f6426cce1befbed99e851fcce912b4554142bad63b5d234c57e13a8eed6e474d531b1536c64c921ca556aa724544e2f93604cfd77e1e9f86
SSDEEP

98304:+R0pI/IQlUoMPdmpSpO4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdm15n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2376	xbodec.exe

Loads dropped DLL 1 IoCs

pid	Process
2132	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvHX\\xbodec.exe"	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidGU\\optixsys.exe"	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2132	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
2132	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
2376	xbodec.exe
2132	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
2376	xbodec.exe
2132	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
2376	xbodec.exe
2132	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
2376	xbodec.exe
2132	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
2376	xbodec.exe
2132	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
2376	xbodec.exe
2132	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
2376	xbodec.exe
2132	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
2376	xbodec.exe
2132	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
2376	xbodec.exe
2132	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
2376	xbodec.exe
2132	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
2376	xbodec.exe
2132	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
2376	xbodec.exe
2132	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
2376	xbodec.exe
2132	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
2376	xbodec.exe
2132	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
2376	xbodec.exe
2132	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
2376	xbodec.exe
2132	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
2376	xbodec.exe
2132	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
2376	xbodec.exe
2132	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
2376	xbodec.exe
2132	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
2376	xbodec.exe
2132	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
2376	xbodec.exe
2132	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
2376	xbodec.exe
2132	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
2376	xbodec.exe
2132	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
2376	xbodec.exe
2132	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
2376	xbodec.exe
2132	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
2376	xbodec.exe
2132	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
2376	xbodec.exe
2132	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
2376	xbodec.exe
2132	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
2376	xbodec.exe
2132	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
2376	xbodec.exe
2132	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
2376	xbodec.exe
2132	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2376	2132	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe	28
PID 2132 wrote to memory of 2376	2132	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe	28
PID 2132 wrote to memory of 2376	2132	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe	28
PID 2132 wrote to memory of 2376	2132	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe	28

C:\Users\Admin\AppData\Local\Temp\2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
"C:\Users\Admin\AppData\Local\Temp\2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2132
- C:\SysDrvHX\xbodec.exe
  C:\SysDrvHX\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
c3eb900923e60a73227db74b6eec60e7

SHA1
640f61dacee4072d50cc666fe48986846d3714f5

SHA256
2c7095831df01874454cc05b3485e27a0641f095eb3bf33dbb03aaf2e8dd1ddf

SHA512
fbf7290ad5aed2e5d3305f3b1156b3342b7a2eb68c9874e1412187460c31a828985ac2ae7ea10361e7074a9556dcf8bd8c0be53fa6565e1941e07e5e32907d7c

Download Submit
C:\VidGU\optixsys.exe

Filesize
4.1MB

MD5
8d2620c05027c53c30be85443680c96f

SHA1
e96bac233599098394db90c8a59b03d13455474e

SHA256
9cdba68ab4e9245422308402482c9b5f1a086eb097ba0f597b7266ccdd06bb85

SHA512
e8fbb07eed891312d0cf69be60d0df0c323cd066d336d56cf43a68079a206054f6d33a792ad8e4f5dc02454560e1d60e85a390c321ce5f852c0bdd3942e1d66d

Download Submit
\SysDrvHX\xbodec.exe

Filesize
4.1MB

MD5
812aafde5e60225ee3f632d176102888

SHA1
b21a940167dfc569b8c922ab110b8abc357518fa

SHA256
b7c2cd862ffa0ed0da9af25263d10a498b854d15835bf63147f73dc491af7be4

SHA512
6d553fb7d8c8209ef2804dcd47aa100c038cc3595db4ef8e440de78502fa923121ba6fbff475efee80efa5f5e5c27164be32d5a73fd0d3001c659f2de1b83ca1

Download Submit