7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a

Analysis

max time kernel
149s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2024 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
Size

3.1MB
MD5

d4c9e36520fdf893834da9c5826685f5
SHA1

dbae3108fe8cfb696844d0ff6681eac8aae7ab7b
SHA256

7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a
SHA512

9921d5f0a5a5fcc244a53ea601a55885e993abdcfcb13a559e6a81e5962cb2b3681d37c937e031402b3be5049b98f0fd8d4146fd939ab46ecc73a75e4c8c78c4
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBY9w4Su+LNfej:+R0pI/IQlUoMPdmpSp+4JkNfej

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3148	xbodloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesVS\\xbodloc.exe"	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidFO\\bodxec.exe"	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4752	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
4752	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
4752	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
4752	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
3148	xbodloc.exe
3148	xbodloc.exe
4752	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
4752	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
3148	xbodloc.exe
3148	xbodloc.exe
4752	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
4752	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
3148	xbodloc.exe
3148	xbodloc.exe
4752	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
4752	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
3148	xbodloc.exe
3148	xbodloc.exe
4752	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
4752	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
3148	xbodloc.exe
3148	xbodloc.exe
4752	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
4752	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
3148	xbodloc.exe
3148	xbodloc.exe
4752	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
4752	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
3148	xbodloc.exe
3148	xbodloc.exe
4752	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
4752	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
3148	xbodloc.exe
3148	xbodloc.exe
4752	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
4752	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
3148	xbodloc.exe
3148	xbodloc.exe
4752	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
4752	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
3148	xbodloc.exe
3148	xbodloc.exe
4752	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
4752	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
3148	xbodloc.exe
3148	xbodloc.exe
4752	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
4752	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
3148	xbodloc.exe
3148	xbodloc.exe
4752	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
4752	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
3148	xbodloc.exe
3148	xbodloc.exe
4752	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
4752	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
3148	xbodloc.exe
3148	xbodloc.exe
4752	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
4752	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
3148	xbodloc.exe
3148	xbodloc.exe
4752	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
4752	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 3148	4752	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe	85
PID 4752 wrote to memory of 3148	4752	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe	85
PID 4752 wrote to memory of 3148	4752	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe	85

C:\Users\Admin\AppData\Local\Temp\7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
"C:\Users\Admin\AppData\Local\Temp\7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4752
- C:\FilesVS\xbodloc.exe
  C:\FilesVS\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesVS\xbodloc.exe

Filesize
3.1MB

MD5
ebbce3e150fa08a851008846b6187d92

SHA1
2b39d9c7f1a812ce3ecee9365d22943bfb7a5408

SHA256
13af5c4fee567657448c8753d8a5ca93cf7c30a674199b1377b7b1126c21ada8

SHA512
7ca7e0c6d15ee59292430d68bd25193694cd7b9815ce32aaa1b44f47be8bfd70341902721b120c6a2c9558e0bbd9125664551d76470a49c3f48a0763441520b5

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
190B

MD5
f88ec54520d4cd1a452eddc3071c1840

SHA1
ac884b7e8d87a31083630f32669eef6cc2e14ad5

SHA256
2cdf4c022471dc23263e89f0ce7cc67cc671b57f34596749dd495787f0b4dc92

SHA512
200d65f3a04dcbe87d0ff1dcddfe9ed2a3dbd674218fecdb821154a53e97774797f30f255dd1dcee240b222c01fc9918a54e7d99e8e786f9b4859f3693e8dc97

Download Submit
C:\VidFO\bodxec.exe

Filesize
3.1MB

MD5
8b44ff20a0e5520a9843db6097b27d06

SHA1
a0df532569d7e30eff6b04a789b397860398ef56

SHA256
581be60e485bcdc957f502b854cdacf926c740bf2c01adff9963aac287d9da00

SHA512
ed9398d2e157ea2fa899e7fc4c5f15609b388d0201de27b713bfc9602f2f01f5a7111c0d10a52c20730df9cd9ecb5e66854ed9be6ef501592b2591eb4058900e

Download Submit