228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
14/07/2024, 10:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
Size

4.1MB
MD5

f333cbea59fa4b884f5f7f176f4e49bf
SHA1

ba357bdd4c94c35f09e0b8431412396379441b9a
SHA256

228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287
SHA512

98c31f55a8299a65f3415b4bdc2d4c792d04d8f54222fc1efa348eee7ba1b997cfa4b11f6af5f82305c435213e1e4494382995865d56e71de5828a4f12fe747b
SSDEEP

98304:+R0pI/IQlUoMPdmpSpw4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmz5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1600	xbodec.exe

Loads dropped DLL 1 IoCs

pid	Process
1512	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe96\\xbodec.exe"	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax1Q\\dobxloc.exe"	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1512	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1512	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1600	xbodec.exe
1512	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1600	xbodec.exe
1512	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1600	xbodec.exe
1512	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1600	xbodec.exe
1512	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1600	xbodec.exe
1512	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1600	xbodec.exe
1512	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1600	xbodec.exe
1512	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1600	xbodec.exe
1512	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1600	xbodec.exe
1512	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1600	xbodec.exe
1512	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1600	xbodec.exe
1512	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1600	xbodec.exe
1512	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1600	xbodec.exe
1512	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1600	xbodec.exe
1512	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1600	xbodec.exe
1512	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1600	xbodec.exe
1512	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1600	xbodec.exe
1512	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1600	xbodec.exe
1512	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1600	xbodec.exe
1512	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1600	xbodec.exe
1512	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1600	xbodec.exe
1512	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1600	xbodec.exe
1512	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1600	xbodec.exe
1512	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1600	xbodec.exe
1512	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1600	xbodec.exe
1512	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1600	xbodec.exe
1512	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1600	xbodec.exe
1512	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1600	xbodec.exe
1512	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1600	xbodec.exe
1512	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1600	xbodec.exe
1512	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1600	xbodec.exe
1512	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 1600	1512	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe	30
PID 1512 wrote to memory of 1600	1512	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe	30
PID 1512 wrote to memory of 1600	1512	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe	30
PID 1512 wrote to memory of 1600	1512	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe	30

C:\Users\Admin\AppData\Local\Temp\228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
"C:\Users\Admin\AppData\Local\Temp\228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Adobe96\xbodec.exe
  C:\Adobe96\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax1Q\dobxloc.exe

Filesize
4.1MB

MD5
f4a1256a10d8d082c352480a28127318

SHA1
8b3772a9419187f4a060f2a460210cb229a6babb

SHA256
c491294526b311cd119af7c6c7fecd6db32ee167c5b676dfb3945721efb5262b

SHA512
cb9e05cc3b80957bf8ceb1eef308637a396bc968294480f6208f64470a6e69d9eacc876d9bfb60b4d33ff55dd3f303c93951fc46c032c407e992d45f39f094d3

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
cbda7416706fb828c4ce2ee6d73c1486

SHA1
cf3fbce0ba8fc2bb33d9f51076c2095c750acb9e

SHA256
99927d4d50ff95f0834bcfff051b47aa8de6e00bd515e6dcfbc9ed83763d72bc

SHA512
d62c588da0c8523ca1f273ef7773496e9dc39de78ea5b0f6d642717d56d8f4c884f00300278f46758ef735d5f9e9a74333900456e0adbf6aa69b363904c55cd5

Download Submit
\Adobe96\xbodec.exe

Filesize
4.1MB

MD5
9c6cbcb60dcbf9ca06f346c5a1420a9f

SHA1
fc223ac42fa1a53667182b9cac741fb2e903e24d

SHA256
09648455a2940aa6f3a9df7d5f8fb5129a3d23a5ff938b1fd5d7424445bb57e0

SHA512
6ff7ce5c5596a00c24bb992b38bb1fb5d421e58c827892683782b8002730f2fa7c277d4221a91a52d087751976951b09cd0cf61d9f9101d756ee05660620e36d

Download Submit