066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
03-07-2024 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe
Size

2.7MB
MD5

79c7cfeb29cb3caeb9a404b0c370b6c0
SHA1

2f3cc0337060b209b18ce7b5f19290f5588baf8e
SHA256

066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de
SHA512

8e90d54fae89da4c4f53e8efe1b0738f0083352319b68c3a4975f31a44104d5e3aea78898b6267acdd475af491dbe3dbd4378b44d06969d2a2e0d7667fb4b01e
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBq9w4Sx:+R0pI/IQlUoMPdmpSps4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1900	xbodec.exe

Loads dropped DLL 1 IoCs

pid	Process
1988	066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesPZ\\xbodec.exe"	066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxQ6\\dobdevloc.exe"	066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1988	066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe
1988	066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe
1900	xbodec.exe
1988	066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe
1900	xbodec.exe
1988	066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe
1900	xbodec.exe
1988	066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe
1900	xbodec.exe
1988	066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe
1900	xbodec.exe
1988	066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe
1900	xbodec.exe
1988	066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe
1900	xbodec.exe
1988	066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe
1900	xbodec.exe
1988	066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe
1900	xbodec.exe
1988	066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe
1900	xbodec.exe
1988	066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe
1900	xbodec.exe
1988	066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe
1900	xbodec.exe
1988	066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe
1900	xbodec.exe
1988	066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe
1900	xbodec.exe
1988	066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe
1900	xbodec.exe
1988	066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe
1900	xbodec.exe
1988	066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe
1900	xbodec.exe
1988	066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe
1900	xbodec.exe
1988	066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe
1900	xbodec.exe
1988	066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe
1900	xbodec.exe
1988	066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe
1900	xbodec.exe
1988	066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe
1900	xbodec.exe
1988	066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe
1900	xbodec.exe
1988	066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe
1900	xbodec.exe
1988	066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe
1900	xbodec.exe
1988	066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe
1900	xbodec.exe
1988	066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe
1900	xbodec.exe
1988	066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe
1900	xbodec.exe
1988	066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe
1900	xbodec.exe
1988	066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe
1900	xbodec.exe
1988	066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe
1900	xbodec.exe
1988	066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 1900	1988	066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe	28
PID 1988 wrote to memory of 1900	1988	066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe	28
PID 1988 wrote to memory of 1900	1988	066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe	28
PID 1988 wrote to memory of 1900	1988	066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe	28

C:\Users\Admin\AppData\Local\Temp\066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe
"C:\Users\Admin\AppData\Local\Temp\066bb10dee4bac0726151deeed9eb54a1a3844c57210ae4eaa5e3270622ee1de.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1988
- C:\FilesPZ\xbodec.exe
  C:\FilesPZ\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxQ6\dobdevloc.exe

Filesize
9KB

MD5
bf965ee8f9d95b943a5ea888a522c44e

SHA1
69326314abf4da6764942ada42d063b44fb707c9

SHA256
13c64f8ad509d213565146a5459b79218788b601d1d572943dfbacb755233c7e

SHA512
c5b066aa1f9c4aa2d78f788c9be796bc4016f479bb94a04aa8acc989526f1637cb18b97eefb4cc366cf3b29b7f7860dfe7860a23ddf51ae21401c53b0004d60b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
5617013f2d9f766686e0f1acc1301c85

SHA1
3f9fd27601e38b823d6f550d470980a24d4503b4

SHA256
1da115bce97a0de0cf30a4d4914ab9c3258dac69f914752f5fcf51118bb686cf

SHA512
9a99c8d1b2edce9f03bc90dd1986cef24a4e3b84d480d4e800cf7540899aaccd588e93012c13fb3b8a58b00685b2edce5b1f9de90ec128f1f7a9af71fe77f040

Download Submit
\FilesPZ\xbodec.exe

Filesize
2.7MB

MD5
b7b0998e02ac827da0ca4d9033a6e1a1

SHA1
3bc91a8dcf3fb5f5a8f96179408fe1e2a12a6d82

SHA256
b89ceaeb9bc94032833cbb1ad9cd03c875bcae757e63d1d7e2f94c30b63d3b7c

SHA512
1bee67755e3d721180168d9c7396695f01f761578d70fee6e89e1bc10fa71b58fe0d619ea891574207d1840026c98a63101612551f26ffd68ea60eebb0b3d0d3

Download Submit