ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
11-07-2024 13:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe
Size

4.1MB
MD5

26de1807603c9ecf46d5ef7374fb5af8
SHA1

13b61aa8fb704da9ef5a78ddbb353c68c43871b9
SHA256

ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2
SHA512

00ae2ffd9a0814c73b646dc410cb1448e412199a1e0c75f3c32eb8461447f7f136d1eefbe8c54b9fa22231d5718f27c86be8d113c978398afc6d861ccdd433a5
SSDEEP

98304:+R0pI/IQlUoMPdmpSpn4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmU5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1868	xbodloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2328	ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvYR\\xbodloc.exe"	ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxZR\\dobdevsys.exe"	ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2328	ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe
2328	ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe
1868	xbodloc.exe
2328	ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe
1868	xbodloc.exe
2328	ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe
1868	xbodloc.exe
2328	ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe
1868	xbodloc.exe
2328	ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe
1868	xbodloc.exe
2328	ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe
1868	xbodloc.exe
2328	ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe
1868	xbodloc.exe
2328	ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe
1868	xbodloc.exe
2328	ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe
1868	xbodloc.exe
2328	ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe
1868	xbodloc.exe
2328	ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe
1868	xbodloc.exe
2328	ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe
1868	xbodloc.exe
2328	ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe
1868	xbodloc.exe
2328	ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe
1868	xbodloc.exe
2328	ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe
1868	xbodloc.exe
2328	ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe
1868	xbodloc.exe
2328	ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe
1868	xbodloc.exe
2328	ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe
1868	xbodloc.exe
2328	ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe
1868	xbodloc.exe
2328	ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe
1868	xbodloc.exe
2328	ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe
1868	xbodloc.exe
2328	ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe
1868	xbodloc.exe
2328	ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe
1868	xbodloc.exe
2328	ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe
1868	xbodloc.exe
2328	ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe
1868	xbodloc.exe
2328	ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe
1868	xbodloc.exe
2328	ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe
1868	xbodloc.exe
2328	ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe
1868	xbodloc.exe
2328	ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe
1868	xbodloc.exe
2328	ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe
1868	xbodloc.exe
2328	ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe
1868	xbodloc.exe
2328	ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 1868	2328	ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe	31
PID 2328 wrote to memory of 1868	2328	ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe	31
PID 2328 wrote to memory of 1868	2328	ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe	31
PID 2328 wrote to memory of 1868	2328	ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe	31

C:\Users\Admin\AppData\Local\Temp\ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe
"C:\Users\Admin\AppData\Local\Temp\ae40c03df9b3a998b4b755ccf0e23ecd191b57e552ccae405639d9133d01adb2.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2328
- C:\SysDrvYR\xbodloc.exe
  C:\SysDrvYR\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxZR\dobdevsys.exe

Filesize
4KB

MD5
15bc8e44efd5dc6751d7150cab1d8ad4

SHA1
a3a2438dd7ac72ab088f86260be2c7d0ab4b1336

SHA256
2085839491b628df2843cc336cf9e458da2fdf12d0b4275895af373778c5ae0a

SHA512
29eee9d4b6190bfa83b0b31b13b5defc8cb25ba13fc85718246983e0da1e75498cabce2753c579f851efbbe444cc3f360f3c4a3d72a4854cfbc715c220e2cd17

Download Submit
C:\GalaxZR\dobdevsys.exe

Filesize
4.1MB

MD5
4947549082e5c30617a1b26e3bdbc251

SHA1
39ce2e8a40aceea273f752b1344227dc5a269c7c

SHA256
b36229c0e7021d8a7fb9cdd85cdd1bcf841f956a171a0f3c711ec7302b4e7546

SHA512
16de6faefeb96e373292c7041628eca47b05ccc6f881fa6434ebae6cb7be932aa7ff855a2ab056c481afd51a10ef3c7a7c59dd5c95b4251c8b070a8eac8a6f1e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
71d8e9cffd0c4cb7b1f364870e9ee3ee

SHA1
d8797f2352f25016edee37a2c20802086d0eb92d

SHA256
c6f7823810f935e0588ce84a4728630d77eca3ce1aefc4b792e1f1e37721ff47

SHA512
2509b40dc061a4c47dce3e15db7c50e56b092ee0597e3c391a41cf7c9905da79a80fc70a51ea7573e69421804bac37581c96cbde61c60dc5df454a5bd39cd16c

Download Submit
\SysDrvYR\xbodloc.exe

Filesize
4.1MB

MD5
12bae0695ac713e48950cae010defbf3

SHA1
f2dae963ce6c27ba525d4b1cf76855c3b4b2253c

SHA256
acceb7e0879c462cff49ee09e8a92e881bf212da163162dbef00b08b1a7c6ed2

SHA512
9980305ece8d9830f8c589052237694bbf17473effaefcb693a763cfad7c5940ad91b6df01e505d623b3337c8b6717fbfbfa81c149e64b9878990431bfa389a3

Download Submit