a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 03:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673.exe
Size

2.7MB
MD5

b9a355504fd5198a4798530b339e7a20
SHA1

3ff26ba831b3b91f7dcc3f486dd3ffa3501d0950
SHA256

a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673
SHA512

7fff9e4b32c1d7fc079efff7888b0951cd93248a50c69e2fb9165c7252b5521fdc625989f055193f614e054bffb7f9c4e5d35c21ba5b28a5f2276f5470fd8815
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBU9w4Sx:+R0pI/IQlUoMPdmpSpq4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2912	xbodec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocKD\\xbodec.exe"	a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBAI\\bodasys.exe"	a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
536	a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673.exe
536	a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673.exe
536	a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673.exe
536	a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673.exe
2912	xbodec.exe
2912	xbodec.exe
536	a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673.exe
536	a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673.exe
2912	xbodec.exe
2912	xbodec.exe
536	a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673.exe
536	a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673.exe
2912	xbodec.exe
2912	xbodec.exe
536	a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673.exe
536	a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673.exe
2912	xbodec.exe
2912	xbodec.exe
536	a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673.exe
536	a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673.exe
2912	xbodec.exe
2912	xbodec.exe
536	a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673.exe
536	a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673.exe
2912	xbodec.exe
2912	xbodec.exe
536	a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673.exe
536	a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673.exe
2912	xbodec.exe
2912	xbodec.exe
536	a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673.exe
536	a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673.exe
2912	xbodec.exe
2912	xbodec.exe
536	a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673.exe
536	a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673.exe
2912	xbodec.exe
2912	xbodec.exe
536	a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673.exe
536	a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673.exe
2912	xbodec.exe
2912	xbodec.exe
536	a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673.exe
536	a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673.exe
2912	xbodec.exe
2912	xbodec.exe
536	a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673.exe
536	a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673.exe
2912	xbodec.exe
2912	xbodec.exe
536	a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673.exe
536	a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673.exe
2912	xbodec.exe
2912	xbodec.exe
536	a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673.exe
536	a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673.exe
2912	xbodec.exe
2912	xbodec.exe
536	a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673.exe
536	a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673.exe
2912	xbodec.exe
2912	xbodec.exe
536	a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673.exe
536	a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 2912	536	a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673.exe	85
PID 536 wrote to memory of 2912	536	a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673.exe	85
PID 536 wrote to memory of 2912	536	a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673.exe	85

C:\Users\Admin\AppData\Local\Temp\a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673.exe
"C:\Users\Admin\AppData\Local\Temp\a50fae300ddcea21727ffc5830f18fe14248e7fd74de78a08f905b47b99fc673.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:536
- C:\IntelprocKD\xbodec.exe
  C:\IntelprocKD\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocKD\xbodec.exe

Filesize
2.7MB

MD5
7091a84a02c25c4457c10f568f0ec630

SHA1
e4c019e6839fd17a588c5657fab7fc7e5bc3cb58

SHA256
391c93b4a4e831f9d11b8c0d24054c41f30ea3467b38c6a67bbe2a79040b0fd6

SHA512
420242506182bd2ef99db70cae035cf20b7bd73a8040b1666d652bfa7b3bc78ec8feb26954116eac4400e63471fe7372b50eacfc010be75cda3b857764ecb143

Download Submit
C:\KaVBAI\bodasys.exe

Filesize
2.3MB

MD5
ff5a7b614ae9cff71d15401cf7014d4c

SHA1
4fb1f2760990a6528a4cbd7435d4587a54d1de51

SHA256
285c52e2331e385b135993df634debfc5f0367a09554fcf49dc1171bc67c3678

SHA512
47fbc8e97aada66e1bb405474cbc5741c37409bb8df1946235c6f8f311965673e4a6a8a6c67fb22311bd726a2c8a0e1052377d7b471d2b9e679b8cc6572e74ec

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
d647b141854b3f1d24e033069bb5ff0e

SHA1
01a55ce4b5bf09db09aa0355d2b02626ad03bd98

SHA256
3535217b456968f398e066dba4b512e3068800d4fa1f57e7a7a2aa9b669979e7

SHA512
b3046319f0d51c43f0e18ea47e46e6eade5a769905b50ba7d5556e95d25518b8fef5298845b7bbe7217f8ec2390da2be2790616adbcb9d4c565129f23bdc346a

Download Submit