675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a

Analysis

max time kernel
157s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 22:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a.exe
Size

2.7MB
MD5

1801d4591c59ed5bdd2fb55fd9c98a2c
SHA1

75b238a35cd66af0b43cc12230ff9f51aa6fc233
SHA256

675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a
SHA512

4ebd462c516008164fda6e7954d39d70ac5395077dd4c776de067a13273c8d2049c4eb0330204e6d3a80155083a0d9bca8b1e638ceed0f056b16cc96f2e510f3
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBl9w4Sx:+R0pI/IQlUoMPdmpSpl4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1964	xbodec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocXX\\xbodec.exe"	675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZVJ\\optixsys.exe"	675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2220	675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a.exe
2220	675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a.exe
2220	675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a.exe
2220	675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a.exe
1964	xbodec.exe
1964	xbodec.exe
2220	675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a.exe
2220	675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a.exe
1964	xbodec.exe
2220	675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a.exe
2220	675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a.exe
1964	xbodec.exe
1964	xbodec.exe
2220	675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a.exe
1964	xbodec.exe
2220	675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a.exe
1964	xbodec.exe
2220	675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a.exe
2220	675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a.exe
1964	xbodec.exe
2220	675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a.exe
1964	xbodec.exe
2220	675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a.exe
1964	xbodec.exe
2220	675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a.exe
1964	xbodec.exe
1964	xbodec.exe
2220	675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a.exe
1964	xbodec.exe
2220	675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a.exe
2220	675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a.exe
1964	xbodec.exe
2220	675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a.exe
1964	xbodec.exe
2220	675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a.exe
1964	xbodec.exe
1964	xbodec.exe
2220	675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a.exe
1964	xbodec.exe
2220	675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a.exe
2220	675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a.exe
1964	xbodec.exe
2220	675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a.exe
1964	xbodec.exe
1964	xbodec.exe
2220	675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a.exe
2220	675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a.exe
1964	xbodec.exe
1964	xbodec.exe
2220	675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a.exe
2220	675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a.exe
1964	xbodec.exe
1964	xbodec.exe
2220	675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a.exe
2220	675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a.exe
1964	xbodec.exe
1964	xbodec.exe
2220	675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a.exe
2220	675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a.exe
1964	xbodec.exe
2220	675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a.exe
1964	xbodec.exe
2220	675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a.exe
1964	xbodec.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 1964	2220	675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a.exe	90
PID 2220 wrote to memory of 1964	2220	675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a.exe	90
PID 2220 wrote to memory of 1964	2220	675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a.exe	90

C:\Users\Admin\AppData\Local\Temp\675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a.exe
"C:\Users\Admin\AppData\Local\Temp\675e50b9ed85d5d50ea049c1656019a6b330721f96712451a2d958160d485f4a.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2220
- C:\IntelprocXX\xbodec.exe
  C:\IntelprocXX\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3808 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:3264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocXX\xbodec.exe

Filesize
2.7MB

MD5
28c2b278c48019562d2a47d0508ae7d9

SHA1
032a826ababf5a7004239549a6f1de57982d06dc

SHA256
296132a0c1061b59ac08922c6cfac168b7ab968bf45b159f6f9d384f1411556f

SHA512
e3b414176b8219bf81de9a41c3403edfeffce0686cc102e3e60a3370999d29f5d57ec74213faba7d7e08a1472ee6acf30adde61058267daf6aced76b06541881

Download Submit
C:\LabZVJ\optixsys.exe

Filesize
2.7MB

MD5
f62b227202d1b8f0d26c739940b14fd8

SHA1
f83a70ac5662729d220bc18e5f9a204ff9320e2e

SHA256
ae2e8580c85f4ceafd8d1438af3fc187113387624c64909ab7bedce5192af983

SHA512
f9be9d43cbf6a89b4ceaba94cb1077586c8ed24426a2f674667d7d6732fdc64c5ba3ed9e6b61da05b38a5bc4e3e1fe43673289975c2e37a2f2e43cd5a2c65e82

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
4e47cff52575e7d963fb4d7fcc67131d

SHA1
f1450ec928d16fe1c7dae0cc12ea8b9c563a02ef

SHA256
fd9fb64a0155c933784fe6c40416d9dae912f06771a2419df860ec49c149f75f

SHA512
caf64c50038018f46f1fc2bef8a3724d7de2bca3d0b434f34feda9dd2361cf6379482076c9c43c49d8890f74c115cf1b716c38723b5d6518ba5eff69f98b100e

Download Submit