8d94fda133b16643fe8f28a71e5c5b0e7053666a6f782f9c141d990c465d7a6f

Analysis

max time kernel
119s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14/07/2024, 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b03326eb0891edd6f64d4a7e006d7a0N.exe
Size

2.7MB
MD5

1b03326eb0891edd6f64d4a7e006d7a0
SHA1

b31b549ceb576952220affe3d5c3cb39fb34f1ab
SHA256

8d94fda133b16643fe8f28a71e5c5b0e7053666a6f782f9c141d990c465d7a6f
SHA512

b0f06af1dfd48367920c41bbeef50e1998071f6666af5248247fad9c166e7b47329eff60e634602a8a999697ac25883cd997cbcc212d2b48ef05672d368155a7
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBn9w4S+:+R0pI/IQlUoMPdmpSpT4X

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1924	xbodec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot0X\\xbodec.exe"	1b03326eb0891edd6f64d4a7e006d7a0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidOF\\optidevloc.exe"	1b03326eb0891edd6f64d4a7e006d7a0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
552	1b03326eb0891edd6f64d4a7e006d7a0N.exe
552	1b03326eb0891edd6f64d4a7e006d7a0N.exe
552	1b03326eb0891edd6f64d4a7e006d7a0N.exe
552	1b03326eb0891edd6f64d4a7e006d7a0N.exe
1924	xbodec.exe
1924	xbodec.exe
552	1b03326eb0891edd6f64d4a7e006d7a0N.exe
552	1b03326eb0891edd6f64d4a7e006d7a0N.exe
1924	xbodec.exe
1924	xbodec.exe
552	1b03326eb0891edd6f64d4a7e006d7a0N.exe
552	1b03326eb0891edd6f64d4a7e006d7a0N.exe
1924	xbodec.exe
1924	xbodec.exe
552	1b03326eb0891edd6f64d4a7e006d7a0N.exe
552	1b03326eb0891edd6f64d4a7e006d7a0N.exe
1924	xbodec.exe
1924	xbodec.exe
552	1b03326eb0891edd6f64d4a7e006d7a0N.exe
552	1b03326eb0891edd6f64d4a7e006d7a0N.exe
1924	xbodec.exe
1924	xbodec.exe
552	1b03326eb0891edd6f64d4a7e006d7a0N.exe
552	1b03326eb0891edd6f64d4a7e006d7a0N.exe
1924	xbodec.exe
1924	xbodec.exe
552	1b03326eb0891edd6f64d4a7e006d7a0N.exe
552	1b03326eb0891edd6f64d4a7e006d7a0N.exe
1924	xbodec.exe
1924	xbodec.exe
552	1b03326eb0891edd6f64d4a7e006d7a0N.exe
552	1b03326eb0891edd6f64d4a7e006d7a0N.exe
1924	xbodec.exe
1924	xbodec.exe
552	1b03326eb0891edd6f64d4a7e006d7a0N.exe
552	1b03326eb0891edd6f64d4a7e006d7a0N.exe
1924	xbodec.exe
1924	xbodec.exe
552	1b03326eb0891edd6f64d4a7e006d7a0N.exe
552	1b03326eb0891edd6f64d4a7e006d7a0N.exe
1924	xbodec.exe
1924	xbodec.exe
552	1b03326eb0891edd6f64d4a7e006d7a0N.exe
552	1b03326eb0891edd6f64d4a7e006d7a0N.exe
1924	xbodec.exe
1924	xbodec.exe
552	1b03326eb0891edd6f64d4a7e006d7a0N.exe
552	1b03326eb0891edd6f64d4a7e006d7a0N.exe
1924	xbodec.exe
1924	xbodec.exe
552	1b03326eb0891edd6f64d4a7e006d7a0N.exe
552	1b03326eb0891edd6f64d4a7e006d7a0N.exe
1924	xbodec.exe
1924	xbodec.exe
552	1b03326eb0891edd6f64d4a7e006d7a0N.exe
552	1b03326eb0891edd6f64d4a7e006d7a0N.exe
1924	xbodec.exe
1924	xbodec.exe
552	1b03326eb0891edd6f64d4a7e006d7a0N.exe
552	1b03326eb0891edd6f64d4a7e006d7a0N.exe
1924	xbodec.exe
1924	xbodec.exe
552	1b03326eb0891edd6f64d4a7e006d7a0N.exe
552	1b03326eb0891edd6f64d4a7e006d7a0N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 552 wrote to memory of 1924	552	1b03326eb0891edd6f64d4a7e006d7a0N.exe	89
PID 552 wrote to memory of 1924	552	1b03326eb0891edd6f64d4a7e006d7a0N.exe	89
PID 552 wrote to memory of 1924	552	1b03326eb0891edd6f64d4a7e006d7a0N.exe	89

C:\Users\Admin\AppData\Local\Temp\1b03326eb0891edd6f64d4a7e006d7a0N.exe
"C:\Users\Admin\AppData\Local\Temp\1b03326eb0891edd6f64d4a7e006d7a0N.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:552
- C:\UserDot0X\xbodec.exe
  C:\UserDot0X\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDot0X\xbodec.exe

Filesize
2.7MB

MD5
6e7c41b02da0316fd06922817079489d

SHA1
006eca01c2168787bb94f7e8bd23fd928e12bb7d

SHA256
9431f018fd0cdf5d7f49669141c7082867d0609d2745eb9ed19fd597fb148d2a

SHA512
96bc40ec6e4f61c0a186047acd9d780143b743a0b3222140ed840945e5127220081c7d19fe261964ce017614d080ddc834ea024ee34ce3d021a74af22238b081

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
7f1f32f680334f6eafc30963c452b165

SHA1
00a013cfbd45a94c7e8350a7f5780ee76e988677

SHA256
da8e34a365d714cb03ce9846e6b5848a7f8d95318882014316bfcde2b0022aac

SHA512
4d6c89c078dd8439dcae418e856108f62b4ac5161a777bd12b8131669def445d0699d528fe2da9ffcce871fe6ef859836c4e70d1013fbcb169dcc84d0fe7e3e3

Download Submit
C:\VidOF\optidevloc.exe

Filesize
175KB

MD5
69e8c547267c9338e8f890c51b6127d7

SHA1
14f5a072ceb5d9d2e204eb61ec513e14d3591e08

SHA256
0471e725658788cb24334eecca5252e01e91662ea42559b90f20a2e6eec38186

SHA512
69d646080d89f4491858439b3f6fb43e9cac87a1e890a07a3fa4c9f91f6667586dc58cc6f0aa7f6e780ab638960fb241db6f741d77918a18e2588fa85e2da169

Download Submit