d4f1cb11e5cb48182be8e93b2d67531e5a0be9ff56e66d31a90abcd22f333d2b

Analysis

max time kernel
119s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 03:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e73dc4756756a23afcd811de10d2c40N.exe
Size

2.7MB
MD5

2e73dc4756756a23afcd811de10d2c40
SHA1

30c64e1dade1965152c540b8b5fb26fd0a897a4e
SHA256

d4f1cb11e5cb48182be8e93b2d67531e5a0be9ff56e66d31a90abcd22f333d2b
SHA512

5f15be79c8bbbaa73f891e17f5c36b984d3bc59874d7ac6c325029101fe10cef0f973a393e2ef5fefe715f151a4ff289c6b06a0d2c7b92ac3b4595b977d8b1d9
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBu9w4Sx:+R0pI/IQlUoMPdmpSpM4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2340	xbodec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot06\\xbodec.exe"	2e73dc4756756a23afcd811de10d2c40N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBU5\\dobaloc.exe"	2e73dc4756756a23afcd811de10d2c40N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2748	2e73dc4756756a23afcd811de10d2c40N.exe
2748	2e73dc4756756a23afcd811de10d2c40N.exe
2748	2e73dc4756756a23afcd811de10d2c40N.exe
2748	2e73dc4756756a23afcd811de10d2c40N.exe
2340	xbodec.exe
2340	xbodec.exe
2748	2e73dc4756756a23afcd811de10d2c40N.exe
2748	2e73dc4756756a23afcd811de10d2c40N.exe
2340	xbodec.exe
2340	xbodec.exe
2748	2e73dc4756756a23afcd811de10d2c40N.exe
2748	2e73dc4756756a23afcd811de10d2c40N.exe
2340	xbodec.exe
2340	xbodec.exe
2748	2e73dc4756756a23afcd811de10d2c40N.exe
2748	2e73dc4756756a23afcd811de10d2c40N.exe
2340	xbodec.exe
2340	xbodec.exe
2748	2e73dc4756756a23afcd811de10d2c40N.exe
2748	2e73dc4756756a23afcd811de10d2c40N.exe
2340	xbodec.exe
2340	xbodec.exe
2748	2e73dc4756756a23afcd811de10d2c40N.exe
2748	2e73dc4756756a23afcd811de10d2c40N.exe
2340	xbodec.exe
2340	xbodec.exe
2748	2e73dc4756756a23afcd811de10d2c40N.exe
2748	2e73dc4756756a23afcd811de10d2c40N.exe
2340	xbodec.exe
2340	xbodec.exe
2748	2e73dc4756756a23afcd811de10d2c40N.exe
2748	2e73dc4756756a23afcd811de10d2c40N.exe
2340	xbodec.exe
2340	xbodec.exe
2748	2e73dc4756756a23afcd811de10d2c40N.exe
2748	2e73dc4756756a23afcd811de10d2c40N.exe
2340	xbodec.exe
2340	xbodec.exe
2748	2e73dc4756756a23afcd811de10d2c40N.exe
2748	2e73dc4756756a23afcd811de10d2c40N.exe
2340	xbodec.exe
2340	xbodec.exe
2748	2e73dc4756756a23afcd811de10d2c40N.exe
2748	2e73dc4756756a23afcd811de10d2c40N.exe
2340	xbodec.exe
2340	xbodec.exe
2748	2e73dc4756756a23afcd811de10d2c40N.exe
2748	2e73dc4756756a23afcd811de10d2c40N.exe
2340	xbodec.exe
2340	xbodec.exe
2748	2e73dc4756756a23afcd811de10d2c40N.exe
2748	2e73dc4756756a23afcd811de10d2c40N.exe
2340	xbodec.exe
2340	xbodec.exe
2748	2e73dc4756756a23afcd811de10d2c40N.exe
2748	2e73dc4756756a23afcd811de10d2c40N.exe
2340	xbodec.exe
2340	xbodec.exe
2748	2e73dc4756756a23afcd811de10d2c40N.exe
2748	2e73dc4756756a23afcd811de10d2c40N.exe
2340	xbodec.exe
2340	xbodec.exe
2748	2e73dc4756756a23afcd811de10d2c40N.exe
2748	2e73dc4756756a23afcd811de10d2c40N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2340	2748	2e73dc4756756a23afcd811de10d2c40N.exe	86
PID 2748 wrote to memory of 2340	2748	2e73dc4756756a23afcd811de10d2c40N.exe	86
PID 2748 wrote to memory of 2340	2748	2e73dc4756756a23afcd811de10d2c40N.exe	86

C:\Users\Admin\AppData\Local\Temp\2e73dc4756756a23afcd811de10d2c40N.exe
"C:\Users\Admin\AppData\Local\Temp\2e73dc4756756a23afcd811de10d2c40N.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2748
- C:\UserDot06\xbodec.exe
  C:\UserDot06\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBU5\dobaloc.exe

Filesize
2.7MB

MD5
3d74586ae2525fff0e6c02325d38d0fb

SHA1
4bb92390c0819ccbc8440ce3b58cd449e4f916eb

SHA256
f1232e0af020fb51d83793600256c5532df7ff3fafde5fb760b69d72178a896a

SHA512
569d163dc9be1b84af64de307f4b86ed2175a6012f0f312a0fa4eb8f31d58ca07036fee419646d4bdee825c1f7e4e6f825a500f4063b35c9ae49c8e7124d7a7e

Download Submit
C:\UserDot06\xbodec.exe

Filesize
2.7MB

MD5
85480312bcaf423db41717600de89274

SHA1
9745cdfa122c50b4d985e402325995469c41fec6

SHA256
189fec8eee98a539ac219f6d1816ad4c951a60b1378dd161f7034ca6ebbc66ad

SHA512
79dc90779c4f58c07593044034c5de8bf8667d13fa983e04ec63b0dc999e8ba55747bc354f16fa1a86979fb1395371761d39e44a7ebf686dfdbc44d142f08fb4

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
b5f2dc6a318bd49647b827de62bd4d40

SHA1
e99bc7966a19632b8aa93a1aa3089a2388e3d5df

SHA256
f994609fb9955362c4de7e6fd0e00830114011b4763a85fdb1998419f0b31426

SHA512
a91c6a4ba979a4d1a91916f59f6042736c0c069dba377e2d602cb6a946014224dc495d037f9d89eeb525b054da51acdff2d39f1a84b80c492dd6b81d78047c8d

Download Submit