4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2024 21:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167.exe
Size

2.7MB
MD5

449b9503ba3fc7970f1caa592fe55bd3
SHA1

62de28032d6a87da97b91a0142249259f6255492
SHA256

4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167
SHA512

d2eaa1e4209dc0ef8a2392a179d00127950f90008ed2b1a9dc14c32e79ccd26cc0b43da16ffc2c9428eb61a8717ac0dacc3668ad9c7349d9c1058c7e60bfee3d
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBM9w4Sx:+R0pI/IQlUoMPdmpSpm4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4588	xbodloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files4M\\xbodloc.exe"	4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintM8\\dobdevloc.exe"	4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2004	4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167.exe
2004	4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167.exe
2004	4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167.exe
2004	4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167.exe
4588	xbodloc.exe
4588	xbodloc.exe
2004	4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167.exe
2004	4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167.exe
4588	xbodloc.exe
4588	xbodloc.exe
2004	4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167.exe
2004	4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167.exe
4588	xbodloc.exe
4588	xbodloc.exe
2004	4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167.exe
2004	4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167.exe
4588	xbodloc.exe
4588	xbodloc.exe
2004	4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167.exe
2004	4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167.exe
4588	xbodloc.exe
4588	xbodloc.exe
2004	4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167.exe
2004	4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167.exe
4588	xbodloc.exe
4588	xbodloc.exe
2004	4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167.exe
2004	4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167.exe
4588	xbodloc.exe
4588	xbodloc.exe
2004	4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167.exe
2004	4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167.exe
4588	xbodloc.exe
4588	xbodloc.exe
2004	4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167.exe
2004	4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167.exe
4588	xbodloc.exe
4588	xbodloc.exe
2004	4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167.exe
2004	4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167.exe
4588	xbodloc.exe
4588	xbodloc.exe
2004	4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167.exe
2004	4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167.exe
4588	xbodloc.exe
4588	xbodloc.exe
2004	4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167.exe
2004	4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167.exe
4588	xbodloc.exe
4588	xbodloc.exe
2004	4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167.exe
2004	4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167.exe
4588	xbodloc.exe
4588	xbodloc.exe
2004	4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167.exe
2004	4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167.exe
4588	xbodloc.exe
4588	xbodloc.exe
2004	4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167.exe
2004	4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167.exe
4588	xbodloc.exe
4588	xbodloc.exe
2004	4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167.exe
2004	4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 4588	2004	4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167.exe	90
PID 2004 wrote to memory of 4588	2004	4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167.exe	90
PID 2004 wrote to memory of 4588	2004	4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167.exe	90

C:\Users\Admin\AppData\Local\Temp\4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167.exe
"C:\Users\Admin\AppData\Local\Temp\4f84e9e2752b4e0781d5bea64590b2f28d1f04e4ea5fd8a990752fd1ad048167.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Files4M\xbodloc.exe
  C:\Files4M\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files4M\xbodloc.exe

Filesize
2.7MB

MD5
32f78c96d05ec5385bda11fe2ece4695

SHA1
b4e47588df687b1cd0de814c53cba10825d440d3

SHA256
87f076ee1ebc56dea9d43495cbb4be0295ba1a608c775a4ea5f7e3955da6c631

SHA512
0280310317da2fa08c5e31569e51d1c178a110c93ac9f00e26a95100503cfc2ff40a0c15a4326f898b2836f62c7c54e0887e8a08c361824767f0b726cd64771a

Download Submit
C:\MintM8\dobdevloc.exe

Filesize
435KB

MD5
d28c637afa0ec192b7e98021fffcb9c1

SHA1
620ff073fd4f98f0fac44d9f41e4627d62baeedf

SHA256
793e1f4d95afb8663f3dd327e2ac415a87a4f874b787910aecd4b83f667d716e

SHA512
9cd7a63eedbf2067b7fa0102b59950b2a84199b2efa69e1fc2724eefd2efc83e9bcaa055b10d483b7f90753c8bc656978d9716e9d57ac00cdb985fa9fac45956

Download Submit
C:\MintM8\dobdevloc.exe

Filesize
2.7MB

MD5
39b881e7bb4d7e34a45c57a62bbb082d

SHA1
dc110fa443d4980edd31248d8ed398e77713a25d

SHA256
5441973e1374edb77c9716f1b80bd131f2cd7a6dc72ef617c5a4972ec30f65d7

SHA512
ec44ad2e986f9e4c6fc5e5c08a607a5a0619a853be01ef6d6a2a1054a1b5184416576e87b9dba50d09f8c2a658c27a3dd6bde515c36925c0686a076f91385c3e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
d8fd7f6ec6fa75cdea2ae257f0a96a2b

SHA1
fba1d9211465b56f60089296cb29388b918d6a4c

SHA256
5df83172b331f4856976258ab707969491563d789a6111a9983a86a81bd4ef39

SHA512
8abb182ab5d9bf0f8cef0f4f298d1a166d618eae4c07402e33db68459e68cce5dbb6a66adabcd6f7a226238f18b659280ee5e732af37835df6da2118f126dd0a

Download Submit