Overview
overview
10Static
static
10[DemonArch...f3.exe
windows7-x64
10[DemonArch...5e.exe
windows7-x64
10[DemonArch...a8.exe
windows7-x64
10[DemonArch...55.exe
windows7-x64
[DemonArch...9c.exe
windows7-x64
8[DemonArch...ac.exe
windows7-x64
10[DemonArch...0f.exe
windows7-x64
10[DemonArch...94.exe
windows7-x64
10[DemonArch...7e.exe
windows7-x64
8[DemonArch...5a.exe
windows7-x64
1[DemonArch...c4.exe
windows7-x64
[DemonArch...f3.exe
windows7-x64
10[DemonArch...8f.exe
windows7-x64
10[DemonArch...85.exe
windows7-x64
10[DemonArch...92.exe
windows7-x64
9[DemonArch...5b.exe
windows7-x64
10[DemonArch...59.exe
windows7-x64
7[DemonArch...0f.exe
windows7-x64
10[DemonArch...61.exe
windows7-x64
10[DemonArch...16.exe
windows7-x64
10[DemonArch...23.exe
windows7-x64
[DemonArch...6d.exe
windows7-x64
10[DemonArch...af.exe
windows7-x64
10[DemonArch...5c.exe
windows7-x64
10[DemonArch...52.exe
windows7-x64
10[DemonArch...af.exe
windows7-x64
10[DemonArch...fa.exe
windows7-x64
10[DemonArch...f1.exe
windows7-x64
7[DemonArch...7b.exe
windows7-x64
10[DemonArch...02.exe
windows7-x64
10[DemonArch...80.exe
windows7-x64
[DemonArch...c8.exe
windows7-x64
8Analysis
-
max time kernel
299s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
04-07-2024 17:22
Behavioral task
behavioral1
Sample
[DemonArchives]01be7be288126004a6b6013cfa9630f3.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral2
Sample
[DemonArchives]02352cbf001e9c8176a5b7d381ef9b5e.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral3
Sample
[DemonArchives]02fa60c2391dc09e9a0b748a9d89c6a8.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral4
Sample
[DemonArchives]04a8e202d70a574213680cdb7c82fb55.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral5
Sample
[DemonArchives]05e82b287218043df6c8560cd0e2719c.exe
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral6
Sample
[DemonArchives]07fe5f7c673e5faa200611f9cb716aac.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral7
Sample
[DemonArchives]086b605fada00eaa39fca0581712f10f.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral8
Sample
[DemonArchives]09f326448c37d99a61bb064e68ac6b94.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral9
Sample
[DemonArchives]0a47e2885329b83d82525cb438e57f7e.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral10
Sample
[DemonArchives]0d061414e840b27ea6109e573bd2165a.exe
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral11
Sample
[DemonArchives]1192a915b81f1f7878472391f42cb6c4.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral12
Sample
[DemonArchives]14049d0a3afad0faa21ab1fff2e417f3.exe
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral13
Sample
[DemonArchives]149dd5469233f52aa4287362ce85b88f.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral14
Sample
[DemonArchives]1df7772347bfd34ecb1685a1ba69c285.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral15
Sample
[DemonArchives]1e0dc068677f96c9da7f43cf4d4acd92.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral16
Sample
[DemonArchives]1ee7f65b0c08c4ff7e1047c14851575b.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral17
Sample
[DemonArchives]1fa9dbcc19fb2ae5cd344f559e95b759.exe
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral18
Sample
[DemonArchives]227f3ff19943a0e8c1b26a563246280f.exe
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral19
Sample
[DemonArchives]2353c3f467be78e36e934caf5f3c3b61.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral20
Sample
[DemonArchives]26add802e0e75416385317658b116216.exe
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral21
Sample
[DemonArchives]2bf9e607accd325cfb734cd594b00723.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral22
Sample
[DemonArchives]3825817f6028f26ff0b5cd748559286d.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral23
Sample
[DemonArchives]3e70eabf850c2134ac1acd815a2a90af.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral24
Sample
[DemonArchives]41637d74a16e50cafe6cb72974a1cf5c.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral25
Sample
[DemonArchives]42971155e95ad8ace7b6fc53d70fb952.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral26
Sample
[DemonArchives]47522f57257b441811cf5f87c9118faf.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral27
Sample
[DemonArchives]4782545d269557614be88caef0383cfa.exe
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral28
Sample
[DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral29
Sample
[DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral30
Sample
[DemonArchives]4fd60e9aed5ab9ed5326da37806b2502.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral31
Sample
[DemonArchives]550ad0e50316dfca7c0bfd14f9060880.exe
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral32
Sample
[DemonArchives]55a0c8c7e6c8b2be4ebd164d43e746c8.exe
Resource
win7-20240221-en
windows7-x64
General
-
Target
[DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe
-
Size
3.7MB
-
MD5
4bed82d2182d95951a4dd3b090868cf1
-
SHA1
0f72d100c5030fae1258c9cde8a2b447dac50030
-
SHA256
f92f9a9950c0af5708121ca2ae9f029844ca129ada544fb592cee918dea8a209
-
SHA512
cedff70bbee2fc1f428f74676cde80e0b5b1846bfd19f9e411e10507c1f1b31458541fc1fea8cc631d716fdeaf7528158613f4a31c8b1b18a512b25d6b3966ad
-
SSDEEP
98304:+R0pI/IQlUoMPdmpSpt4ADtnkgvNWlw6:+R0pIAQhMPdmC5n9klR
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1200 xbodec.exe -
Loads dropped DLL 1 IoCs
pid Process 2616 [DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvOT\\xbodec.exe" [DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBIM\\boddevloc.exe" [DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2616 [DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe 2616 [DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe 1200 xbodec.exe 2616 [DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe 1200 xbodec.exe 2616 [DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe 1200 xbodec.exe 2616 [DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe 1200 xbodec.exe 2616 [DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe 1200 xbodec.exe 2616 [DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe 1200 xbodec.exe 2616 [DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe 1200 xbodec.exe 2616 [DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe 1200 xbodec.exe 2616 [DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe 1200 xbodec.exe 2616 [DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe 1200 xbodec.exe 2616 [DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe 1200 xbodec.exe 2616 [DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe 1200 xbodec.exe 2616 [DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe 1200 xbodec.exe 2616 [DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe 1200 xbodec.exe 2616 [DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe 1200 xbodec.exe 2616 [DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe 1200 xbodec.exe 2616 [DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe 1200 xbodec.exe 2616 [DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe 1200 xbodec.exe 2616 [DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe 1200 xbodec.exe 2616 [DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe 1200 xbodec.exe 2616 [DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe 1200 xbodec.exe 2616 [DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe 1200 xbodec.exe 2616 [DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe 1200 xbodec.exe 2616 [DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe 1200 xbodec.exe 2616 [DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe 1200 xbodec.exe 2616 [DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe 1200 xbodec.exe 2616 [DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe 1200 xbodec.exe 2616 [DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe 1200 xbodec.exe 2616 [DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe 1200 xbodec.exe 2616 [DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe 1200 xbodec.exe 2616 [DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe 1200 xbodec.exe 2616 [DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2616 wrote to memory of 1200 2616 [DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe 28 PID 2616 wrote to memory of 1200 2616 [DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe 28 PID 2616 wrote to memory of 1200 2616 [DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe 28 PID 2616 wrote to memory of 1200 2616 [DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\[DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe"C:\Users\Admin\AppData\Local\Temp\[DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\SysDrvOT\xbodec.exeC:\SysDrvOT\xbodec.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1200
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
62KB
MD52c56adba38fc0c1343cf810ea14ae8bf
SHA13cc4fd2010dbd6da1c40ce9df089c9ef8654f89c
SHA256506b1f35d95407d13fb7ebd989c77fd7dcff34955072246f6750ea489d1a7adb
SHA5122c9e3dadc2b8ac9cd65c89732341f02f96c5b6f720f1b774c6790e51c4fc187ec628e8ee07c37db4bfaf1ca04cd46fed156c21d1ac907028ae5b760308bcf48d
-
Filesize
3.7MB
MD5814a0a6173f4081e8f6454a14cf530f9
SHA16ed4d30b00c01663ed3b92f30b6ed90f85b84e09
SHA2565d542a2ac8bb59c2ffeff1c4fd29ba7594386fadb93c9ee61a437d04eafa7db4
SHA512ef0d4824afffe877dca7789fbbe80755e387125ad66be7b14e83b4fa5df4369628059c158b7bb28264a4c6d3d8af5698da9bb8a1bfe2ba0ecc80c062d552e347
-
Filesize
203B
MD562c63201d0847d644b5228b9b8dd80b3
SHA1b305d4a546193242907e38cb0b6d41b670d90efe
SHA256f464c9df170f619f27172d4289596a9674437c4f44069272390e85d6c65f8e6f
SHA51239d702b70d37623642b330ccc40d5b8af714eac047da1badcb5eaabd527776fbc412e112705aec4cdcc3653d0963fcb1f7cabae1f0488c5a0e8720ab6d1af19f
-
Filesize
3.7MB
MD5051882ac83f6a682ad2f1111f5f03afc
SHA144576ed3c868d2c13207023b645263f5c5502dfa
SHA2563011a8031483254dcfb87a5cdbcc9570db9f1668275da8055cdc8be23926003f
SHA5127f32ac973214cf0068ab945a6a1307356722b484f93b23d624d46714bf688a0b0c3c324562606ae9cf5ccc56f8dbd1a1cc8dbf76a5b860669f03bfb80360c75f