36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/06/2024, 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
Size

2.7MB
MD5

d2596e75b23c4fe6e7e414e05d9f899b
SHA1

d7def34d76a3bda8104dc227f9df03b2d60e02ff
SHA256

36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865
SHA512

a56b04319e03d917cf0a1950c7675eb95d46056253dfa3fef28c1215d2132d2cd82fe7fab04a2fe9aa87fca9a2ae659b0db9c8c53cb1490999d6a2ed151bbb7f
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBU9w4Sx:+R0pI/IQlUoMPdmpSpq4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3720	xbodec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZPU\\dobdevloc.exe"	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeAH\\xbodec.exe"	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4776	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
4776	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
4776	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
4776	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
3720	xbodec.exe
3720	xbodec.exe
4776	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
4776	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
3720	xbodec.exe
3720	xbodec.exe
4776	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
4776	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
3720	xbodec.exe
3720	xbodec.exe
4776	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
4776	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
3720	xbodec.exe
3720	xbodec.exe
4776	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
4776	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
3720	xbodec.exe
3720	xbodec.exe
4776	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
4776	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
3720	xbodec.exe
3720	xbodec.exe
4776	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
4776	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
3720	xbodec.exe
3720	xbodec.exe
4776	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
4776	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
3720	xbodec.exe
3720	xbodec.exe
4776	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
4776	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
3720	xbodec.exe
3720	xbodec.exe
4776	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
4776	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
3720	xbodec.exe
3720	xbodec.exe
4776	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
4776	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
3720	xbodec.exe
3720	xbodec.exe
4776	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
4776	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
3720	xbodec.exe
3720	xbodec.exe
4776	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
4776	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
3720	xbodec.exe
3720	xbodec.exe
4776	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
4776	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
3720	xbodec.exe
3720	xbodec.exe
4776	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
4776	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
3720	xbodec.exe
3720	xbodec.exe
4776	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
4776	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4776 wrote to memory of 3720	4776	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe	88
PID 4776 wrote to memory of 3720	4776	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe	88
PID 4776 wrote to memory of 3720	4776	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe	88

C:\Users\Admin\AppData\Local\Temp\36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
"C:\Users\Admin\AppData\Local\Temp\36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4776
- C:\AdobeAH\xbodec.exe
  C:\AdobeAH\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeAH\xbodec.exe

Filesize
2.7MB

MD5
41e8ecc59840e74a80fc9c95e8df6452

SHA1
0df97af3bfccf6f62ece9e0cad8e172adecc4400

SHA256
d3210ca453ac1e61a3343bbcab11d2e278e47e8805460cb4a90d8f4064a9d4c4

SHA512
c93f9c4b5e1d4a5724f4c490eed28dcfb8f7db51786a1dfb61dc91f2db5918d4e377f5595f3aaedd4b259c8f16b9087c68cf904692c824341f6166032238c572

Download Submit
C:\LabZPU\dobdevloc.exe

Filesize
2.7MB

MD5
9be4c9680064b01e706f1773b97f47d1

SHA1
320b83bee94d0a8fb4272fc44a792bb7e4eb1c8b

SHA256
4914cb3424d972c3d9038c342f3d8fec468bed3b938be802c3d33a943cd688db

SHA512
6dd82879da18e437fcd2e1dfd6c25654ce432c2eec82820ba3320046fac2e1ddb36937857cc0f00be66d1e32b59fe0e19e12af3ac8dd29ddf14c922060de5fc4

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
cf880c4ac8b9d60acd2ec205a54d0e3e

SHA1
47995180dd240815459f0c328025d9b2c2528882

SHA256
909cbaeec1a7c1a64d9ece3933b3642177fd366b9128e277edcb65824d1221b0

SHA512
df7c2ad16c8e30c315e0e2d526d10159cea16bdf6e43d90a478adfd2dc9da54f631d1b044f0e27fb07176fa7b5060e876afc52c1e1c93cdc8e8548d481306e5f

Download Submit