37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
Size

2.7MB
MD5

5a01170c0f52775d0457d02d0c654fbe
SHA1

a20fd9e4bbb4be6bb703e96f4fdd5c9abc8845b7
SHA256

37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316
SHA512

c4b5fbdbda85800a5d8f7ec31189a7779231a33ed788832a1689eba97c7c055fdbd1584aa7f1958f459ef3daf2c1194a45b37191ee4e4493594d9b13e420e40a
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB99w4Sx:+R0pI/IQlUoMPdmpSp54

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2800	xdobsys.exe

Loads dropped DLL 1 IoCs

pid	Process
2244	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesLD\\xdobsys.exe"	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB1V\\bodaec.exe"	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2244	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2244	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2800	xdobsys.exe
2244	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2800	xdobsys.exe
2244	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2800	xdobsys.exe
2244	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2800	xdobsys.exe
2244	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2800	xdobsys.exe
2244	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2800	xdobsys.exe
2244	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2800	xdobsys.exe
2244	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2800	xdobsys.exe
2244	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2800	xdobsys.exe
2244	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2800	xdobsys.exe
2244	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2800	xdobsys.exe
2244	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2800	xdobsys.exe
2244	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2800	xdobsys.exe
2244	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2800	xdobsys.exe
2244	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2800	xdobsys.exe
2244	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2800	xdobsys.exe
2244	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2800	xdobsys.exe
2244	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2800	xdobsys.exe
2244	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2800	xdobsys.exe
2244	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2800	xdobsys.exe
2244	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2800	xdobsys.exe
2244	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2800	xdobsys.exe
2244	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2800	xdobsys.exe
2244	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2800	xdobsys.exe
2244	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2800	xdobsys.exe
2244	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2800	xdobsys.exe
2244	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2800	xdobsys.exe
2244	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2800	xdobsys.exe
2244	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2800	xdobsys.exe
2244	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2800	xdobsys.exe
2244	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2800	xdobsys.exe
2244	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2800	2244	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe	30
PID 2244 wrote to memory of 2800	2244	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe	30
PID 2244 wrote to memory of 2800	2244	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe	30
PID 2244 wrote to memory of 2800	2244	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe	30

C:\Users\Admin\AppData\Local\Temp\37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
"C:\Users\Admin\AppData\Local\Temp\37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2244
- C:\FilesLD\xdobsys.exe
  C:\FilesLD\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVB1V\bodaec.exe

Filesize
2.7MB

MD5
edee525538a4f7b480c73fe0f79c3526

SHA1
54374a5f2cdc805a4b4ac4f491ba678cce22e5dd

SHA256
e7e44c8e6532b7785d7b6dcdb29017cb445866a71e3d3362cf7b0618ba35ad2b

SHA512
d038a926fc2093f27695287fa8eddba5142c491759b6326b3bf377ee7d12140b48c52c17c33460ce6d074bd7362387e55df8150a7f2b859eaaad7aa79a145e6c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
198B

MD5
b35fde2f60f0bd79719cf4fd3f1e2bac

SHA1
cb535da67c1b7a79f2e2860181713e82bab5c279

SHA256
0908086facaad5768ba5a8d96f54413dcd9d8085fd9f51f6d600fe2afba10b16

SHA512
6404b42924839d27d9935a01882376e5a66302da2f21fdb5b8ee96d37fd3130bdacc39295c5b4e6cae8ba6c704381f3b52c60a03adffb4938c44bf8bb057f4bc

Download Submit
\FilesLD\xdobsys.exe

Filesize
2.7MB

MD5
875b1b4081476e96be8efeb35a306198

SHA1
c0c554d53707c6af81af1781bae5474afc4eb9c8

SHA256
866c4408c7423a7e0d2fa2ef12ffe553387c51fd987801d42827d447144f26a8

SHA512
df59aa77e05d916669e87e85c8cb6ab40ae43eca4f8cc208d24d7542116ff08304a0bd6fc6cb240282c867ccdc44483f79db928c65f77425c005aad82e022cc3

Download Submit