3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05/07/2024, 03:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe
Size

4.1MB
MD5

0c26c5feaf8b1db4877642819fee7840
SHA1

963637083f1ad01ba03591c176fa6229ca5f4240
SHA256

3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8
SHA512

e5fe7799257b00a42b4d70cfe10905db713fe0c1e3d9ef0e77ee74ccc24273d1155840ade08ac27e04ba14fdf94be1d094b2144f3709ef8fab15a8c98b5dabe1
SSDEEP

98304:+R0pI/IQlUoMPdmpSpP4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdm85n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2748	xbodec.exe

Loads dropped DLL 1 IoCs

pid	Process
2844	3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesZU\\xbodec.exe"	3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxIS\\optiaec.exe"	3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2844	3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe
2844	3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe
2748	xbodec.exe
2844	3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe
2748	xbodec.exe
2844	3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe
2748	xbodec.exe
2844	3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe
2748	xbodec.exe
2844	3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe
2748	xbodec.exe
2844	3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe
2748	xbodec.exe
2844	3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe
2748	xbodec.exe
2844	3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe
2748	xbodec.exe
2844	3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe
2748	xbodec.exe
2844	3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe
2748	xbodec.exe
2844	3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe
2748	xbodec.exe
2844	3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe
2748	xbodec.exe
2844	3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe
2748	xbodec.exe
2844	3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe
2748	xbodec.exe
2844	3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe
2748	xbodec.exe
2844	3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe
2748	xbodec.exe
2844	3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe
2748	xbodec.exe
2844	3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe
2748	xbodec.exe
2844	3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe
2748	xbodec.exe
2844	3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe
2748	xbodec.exe
2844	3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe
2748	xbodec.exe
2844	3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe
2748	xbodec.exe
2844	3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe
2748	xbodec.exe
2844	3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe
2748	xbodec.exe
2844	3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe
2748	xbodec.exe
2844	3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe
2748	xbodec.exe
2844	3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe
2748	xbodec.exe
2844	3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe
2748	xbodec.exe
2844	3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe
2748	xbodec.exe
2844	3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe
2748	xbodec.exe
2844	3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe
2748	xbodec.exe
2844	3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 2748	2844	3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe	30
PID 2844 wrote to memory of 2748	2844	3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe	30
PID 2844 wrote to memory of 2748	2844	3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe	30
PID 2844 wrote to memory of 2748	2844	3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe	30

C:\Users\Admin\AppData\Local\Temp\3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe
"C:\Users\Admin\AppData\Local\Temp\3356733af7982241f91a37eb99b8cdee7b0d07182eb7fa482a1a24631cee0cf8.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2844
- C:\FilesZU\xbodec.exe
  C:\FilesZU\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxIS\optiaec.exe

Filesize
4.1MB

MD5
0fd6a7fc37fb4e5e5ce677e897be48b9

SHA1
7cda2450f5aef9b8c0144c563ed1ee21de0d7249

SHA256
04679561bdc59e81f6134c8a5ed5087d7a54c1c5646a21262c17f5fb8c6d17b5

SHA512
357b8a7128917b38a6b5c7c03eb000646c7c12e554d807408ab8e56a993395adfeb8c28675d0221a437a3912f539f81eb4f1b9b2b31394f2fe3aa458e2b0f304

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
c625ed3d7e6c9b5812bfe64a9b584c9e

SHA1
000222742011e53da44b95b241e8a127e55b9d42

SHA256
f4706ebc2285265d3eebdf860cd9892aaada7a93e948eb3ae3fb075db9b86f12

SHA512
82c15b6fbf5ef97144a7facae414ed2eede9cf2b4c31825e883416da4c20dde95623cbd6c43466c98da53dc6d030ff399a702f535c4e1ad72bd5a1c11edf386d

Download Submit
\FilesZU\xbodec.exe

Filesize
4.1MB

MD5
0e46c534c1456c5fb38319bb851241a1

SHA1
51081f904b16b5cc150a6cee912e44b951b4f71f

SHA256
eac522c6f1c180d2f5d00b1b2cef7f23f4cc21440085599e0fb3e7ebf6ee21b9

SHA512
acf36eb5fbe06e27b847c0840395393b2cecfe2b3cdd0c990f9756a1fb869db824d55077cc9331ddeae076a5effd881e5e35ca0d8ade3ac130521f05a66ba6c1

Download Submit