e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37

Analysis

max time kernel
149s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37.exe
Size

2.7MB
MD5

0d57542bb8f9b71e35a6a9f511c3860e
SHA1

4cac8c2e4bd34c0e006a1bc751ee892ceee05b56
SHA256

e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37
SHA512

b701793167d9cc49fb2f5e0f1b676b96214f74a0d8013f4192dcb2d0791fd976cbb1e16748e12bcdcded9de4ae055e9f4335a39e0bfc6f68062525f0f63e0622
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBy9w4Sx:+R0pI/IQlUoMPdmpSpk4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1224	xbodloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocS7\\xbodloc.exe"	e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidKC\\optixsys.exe"	e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4960	e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37.exe
4960	e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37.exe
4960	e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37.exe
4960	e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37.exe
1224	xbodloc.exe
1224	xbodloc.exe
4960	e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37.exe
4960	e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37.exe
1224	xbodloc.exe
1224	xbodloc.exe
4960	e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37.exe
4960	e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37.exe
1224	xbodloc.exe
1224	xbodloc.exe
4960	e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37.exe
4960	e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37.exe
1224	xbodloc.exe
1224	xbodloc.exe
4960	e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37.exe
4960	e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37.exe
1224	xbodloc.exe
1224	xbodloc.exe
4960	e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37.exe
4960	e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37.exe
1224	xbodloc.exe
1224	xbodloc.exe
4960	e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37.exe
4960	e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37.exe
1224	xbodloc.exe
1224	xbodloc.exe
4960	e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37.exe
4960	e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37.exe
1224	xbodloc.exe
1224	xbodloc.exe
4960	e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37.exe
4960	e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37.exe
1224	xbodloc.exe
1224	xbodloc.exe
4960	e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37.exe
4960	e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37.exe
1224	xbodloc.exe
1224	xbodloc.exe
4960	e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37.exe
4960	e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37.exe
1224	xbodloc.exe
1224	xbodloc.exe
4960	e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37.exe
4960	e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37.exe
1224	xbodloc.exe
1224	xbodloc.exe
4960	e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37.exe
4960	e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37.exe
1224	xbodloc.exe
1224	xbodloc.exe
4960	e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37.exe
4960	e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37.exe
1224	xbodloc.exe
1224	xbodloc.exe
4960	e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37.exe
4960	e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37.exe
1224	xbodloc.exe
1224	xbodloc.exe
4960	e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37.exe
4960	e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 1224	4960	e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37.exe	85
PID 4960 wrote to memory of 1224	4960	e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37.exe	85
PID 4960 wrote to memory of 1224	4960	e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37.exe	85

C:\Users\Admin\AppData\Local\Temp\e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37.exe
"C:\Users\Admin\AppData\Local\Temp\e0a5fc97faecd5abd00d32bb6b2b35d41a125adc6c580f290306167eb4a49f37.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4960
- C:\IntelprocS7\xbodloc.exe
  C:\IntelprocS7\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocS7\xbodloc.exe

Filesize
2.7MB

MD5
4a215f3270c16cbd8097c6b71e6902b0

SHA1
b8230514cc4ab6bc91be9ff575e2d42f4f36b36a

SHA256
50e355915f84baf417b179fce5e3c8494bba5bad278662909fdcb5256a459274

SHA512
88f4897f47028ca73233a2927fbbd161dc8dcd5e33204d11c85c50d591c9d4611347b098a2cfabcdcc897148d568ee99537fadf238aa79a9aa40e0235b18cabf

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
b41256fb5efdb1ba461c6fc71edb6c47

SHA1
eb6976c702025df82a10069252fcdafe7fccccd0

SHA256
5c8859e949cba754b01baabad7f07ab57984f8c90adcf2e477e6a48fbdf34a16

SHA512
b9e1c97dc4df044f2d95361edb67c44653f7aa451e78f96f3a4d204bca912f46a08b700ebf2740d7789e3304a7f435c7b49a8a03fcced273e199e3711665a5dc

Download Submit
C:\VidKC\optixsys.exe

Filesize
7KB

MD5
2a66be02c3c27b489db2b8f5953bfa44

SHA1
242635a3ee1d142a92bde39c7a1cc5f12f53958b

SHA256
03c57c4403a457ba972b4a8fdf0a50876ef50b8a586b9366482ff3c6b84629f8

SHA512
8aaf81d458a35a958dddb5bc34416bc1e466d0c165d37c2b731745a84fe3083d42dafb1a1f3ef64045127ac64eba2d82205268cb3b08604e71997aec0d2ce625

Download Submit
C:\VidKC\optixsys.exe

Filesize
2.7MB

MD5
06e2d7708e884c4c95ef0af841987a59

SHA1
f26e9a5181e4bcc077c1db1ffe78af350dcb0737

SHA256
a2f4a99128e1e0ac7031c8bb3081b659bd8c5b3a0ad31c8cd6d5a48d3d358691

SHA512
0c45098823a7096357fcd26b72cbb8dab5658c4848b058ab89b404dc1fd649d6475d20a863ad3b85645cefbad6bcbbbaaeb3b3853a4af468cd8baf3bd9a2b3cc

Download Submit