60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe
Size

2.7MB
MD5

e5f688c2d102219906f56c61e38837b5
SHA1

c30d654f6664510ea82bfce9004395882bf7d44f
SHA256

60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0
SHA512

a5d6e57be0ea0dd7c8ee4a6a55c58c7c79971a1fc63c2baf9e58767891458c8f1e39e7b44b7a4cf1121f868e253785f685f8b423c728469fb9249cc5de72da56
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBW9w4Sx:+R0pI/IQlUoMPdmpSp44

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2752	xbodloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2812	60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvQL\\xbodloc.exe"	60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ47\\dobxec.exe"	60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2812	60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe
2812	60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe
2752	xbodloc.exe
2812	60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe
2752	xbodloc.exe
2812	60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe
2752	xbodloc.exe
2812	60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe
2752	xbodloc.exe
2812	60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe
2752	xbodloc.exe
2812	60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe
2752	xbodloc.exe
2812	60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe
2752	xbodloc.exe
2812	60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe
2752	xbodloc.exe
2812	60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe
2752	xbodloc.exe
2812	60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe
2752	xbodloc.exe
2812	60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe
2752	xbodloc.exe
2812	60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe
2752	xbodloc.exe
2812	60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe
2752	xbodloc.exe
2812	60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe
2752	xbodloc.exe
2812	60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe
2752	xbodloc.exe
2812	60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe
2752	xbodloc.exe
2812	60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe
2752	xbodloc.exe
2812	60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe
2752	xbodloc.exe
2812	60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe
2752	xbodloc.exe
2812	60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe
2752	xbodloc.exe
2812	60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe
2752	xbodloc.exe
2812	60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe
2752	xbodloc.exe
2812	60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe
2752	xbodloc.exe
2812	60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe
2752	xbodloc.exe
2812	60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe
2752	xbodloc.exe
2812	60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe
2752	xbodloc.exe
2812	60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe
2752	xbodloc.exe
2812	60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe
2752	xbodloc.exe
2812	60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe
2752	xbodloc.exe
2812	60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe
2752	xbodloc.exe
2812	60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe
2752	xbodloc.exe
2812	60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 2752	2812	60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe	30
PID 2812 wrote to memory of 2752	2812	60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe	30
PID 2812 wrote to memory of 2752	2812	60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe	30
PID 2812 wrote to memory of 2752	2812	60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe	30

C:\Users\Admin\AppData\Local\Temp\60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe
"C:\Users\Admin\AppData\Local\Temp\60347fa606c3332df2009d10c5858940baf1095bd233ac08c5e38c05de995ff0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2812
- C:\SysDrvQL\xbodloc.exe
  C:\SysDrvQL\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZ47\dobxec.exe

Filesize
2.7MB

MD5
a511b043f04c0a31c22b6fbcf87ff2a6

SHA1
09fbb9963a9415aa1b5752907850f3e313908d37

SHA256
4db7a7549b219f7d0d6b39e65e0a855adb6f8d3ddaa2b6a1c2f14f37553a82b1

SHA512
7f53b1c32be0b7b0bcce5768f8d8b27bec4897635d9797b69754607d485ccba431624b32be88e3f84aea97aadc69936acb56413dba498f1b0e852fd6b3ddca2c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
618a1743b022aab9e5368e76d499be46

SHA1
39acc4a392ca82702be1c2d3967a3897f26188b8

SHA256
b013b536bc1ee73b09fa57a49acb7f4629940d449a04497cb0f275db03a2a84d

SHA512
c831b3b60211c25a12f63d45aa071e7e42d19de86870fc1852da23524ad9e5b6ea4affac4333f51dacba6e1e734164f893180f0c84028bb96fbe6754f0b08899

Download Submit
\SysDrvQL\xbodloc.exe

Filesize
2.7MB

MD5
5f628be71846716481026f62f5f2d5f1

SHA1
28cce04f9472c782c23d72706a5f717caab963d2

SHA256
58c8b114ea24776e971467710cbff3754f1ba1889cf5174692f192c99d864d10

SHA512
6619086c1771ef1c564b91c30bafffbb67f3e3f2049325659c225b44ef2568fd00bc5543cd690efb8dcd6667cda4bf1e1724e56d6774b53136ecfb98b5c6d0ae

Download Submit