2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
02/06/2024, 20:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe
Size

2.7MB
MD5

c04a4ae2e046622336926493584a6d83
SHA1

5c166d859b17980645adff8677db1a71dfd75baa
SHA256

2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54
SHA512

9a076cf07e5d882dab76b613434b5f50823a38322a91b3fe27f42dd1f478748cffe6bfbec3feb4c3f5514b2c25ec7fb12caa7f258c823902888e3fb473d06038
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBV9w4Sx:+R0pI/IQlUoMPdmpSpF4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2468	xbodloc.exe

Loads dropped DLL 1 IoCs

pid	Process
3040	2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocZ7\\xbodloc.exe"	2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintAH\\bodxloc.exe"	2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\AdminI.]]1NaNI?\NZV[TI:VP_\`\SaIDV[Q\d`I@aN_a :R[bI=_\T_NZ`I@aN_ab]Ilocdevopti.exe	2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe
File created	C:\Users\AdminI.]]1NaNI?\NZV[TI:VP_\`\SaIDV[Q\d`I@aN_a	xbodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3040	2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe
3040	2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe
2468	xbodloc.exe
3040	2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe
2468	xbodloc.exe
3040	2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe
2468	xbodloc.exe
3040	2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe
2468	xbodloc.exe
3040	2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe
2468	xbodloc.exe
3040	2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe
2468	xbodloc.exe
3040	2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe
2468	xbodloc.exe
3040	2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe
2468	xbodloc.exe
3040	2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe
2468	xbodloc.exe
3040	2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe
2468	xbodloc.exe
3040	2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe
2468	xbodloc.exe
3040	2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe
2468	xbodloc.exe
3040	2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe
2468	xbodloc.exe
3040	2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe
2468	xbodloc.exe
3040	2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe
2468	xbodloc.exe
3040	2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe
2468	xbodloc.exe
3040	2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe
2468	xbodloc.exe
3040	2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe
2468	xbodloc.exe
3040	2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe
2468	xbodloc.exe
3040	2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe
2468	xbodloc.exe
3040	2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe
2468	xbodloc.exe
3040	2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe
2468	xbodloc.exe
3040	2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe
2468	xbodloc.exe
3040	2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe
2468	xbodloc.exe
3040	2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe
2468	xbodloc.exe
3040	2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe
2468	xbodloc.exe
3040	2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe
2468	xbodloc.exe
3040	2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe
2468	xbodloc.exe
3040	2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe
2468	xbodloc.exe
3040	2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe
2468	xbodloc.exe
3040	2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe
2468	xbodloc.exe
3040	2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2468	3040	2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe	28
PID 3040 wrote to memory of 2468	3040	2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe	28
PID 3040 wrote to memory of 2468	3040	2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe	28
PID 3040 wrote to memory of 2468	3040	2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe	28

C:\Users\Admin\AppData\Local\Temp\2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe
"C:\Users\Admin\AppData\Local\Temp\2b85ca0b813c174631af58b0dfc36894337916b8bf8ded08e31ca5c48818ed54.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3040
- C:\IntelprocZ7\xbodloc.exe
  C:\IntelprocZ7\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintAH\bodxloc.exe

Filesize
2.7MB

MD5
a55c6dd2692c97909e14a2e401f637a8

SHA1
0878647e1dd816c2c670055b690a6d7842f039fc

SHA256
bfe72aeabb7f9cf4422087ef895a6e7675f152a75b379582cebe762d7af48bc2

SHA512
ae081ace9f48e99fcfbd6d3c0fcddaf0ac6a3b460357ec549876327182ef178a9e42e48bcdfc7e150826a5032a5af63c9a3b163564db8ffc74d6c40eef450070

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
665f974e7f15908744d6f5c4fb863515

SHA1
bc039a23142d9dd74e0d0ec128f9d9816806342c

SHA256
8835bc7cd0c4ad12fb1a103bb23261121122832042d977948c1f4e8765418dd5

SHA512
eb63334f476b515ae70b3f484439423198995528f77f566893f1ff92e798cc2c9bc3a7286c23b5ff61316763a8245a058a8508568bd75958a8fb61455de374fc

Download Submit
\IntelprocZ7\xbodloc.exe

Filesize
2.7MB

MD5
dc7fe113879bc3d50593502a90d057fc

SHA1
36578ede87e01101e7d3e8a04614905706f236f9

SHA256
ff85a0f4e9740ea820c64e8ed25102aa45205e201090c1369260438c7b685de3

SHA512
222d1ea06232d828e3345eab1d2ea517937479ad4ab4030b1d4d38586a251aa304c8a10f8ce2bf6583193a0ce3a316c939d1479dec09d51bc6ff09d29580161a

Download Submit