54ace1c95f75914d0c5a8edf4e653b972b27554a150968d8ebd976422ccc1ebc

Analysis

max time kernel
119s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2024 22:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fbe87883fe52a2df62e136fdb4f78b0N.exe
Size

2.7MB
MD5

1fbe87883fe52a2df62e136fdb4f78b0
SHA1

80e7adc046d8f589ca697d1b5a068cb87a6b7321
SHA256

54ace1c95f75914d0c5a8edf4e653b972b27554a150968d8ebd976422ccc1ebc
SHA512

d129bea16cfaddc7992cdfa8cce04ef5e539c26778fee904d844cca34c0c334f2508aeb3a10d6b9bce23f16c65d80e70c04793c43ef3b0b2ac5f925755811207
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBS9w4Sx:+R0pI/IQlUoMPdmpSpE4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
904	xbodec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot06\\xbodec.exe"	1fbe87883fe52a2df62e136fdb4f78b0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBU5\\dobaloc.exe"	1fbe87883fe52a2df62e136fdb4f78b0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1036	1fbe87883fe52a2df62e136fdb4f78b0N.exe
1036	1fbe87883fe52a2df62e136fdb4f78b0N.exe
1036	1fbe87883fe52a2df62e136fdb4f78b0N.exe
1036	1fbe87883fe52a2df62e136fdb4f78b0N.exe
904	xbodec.exe
904	xbodec.exe
1036	1fbe87883fe52a2df62e136fdb4f78b0N.exe
1036	1fbe87883fe52a2df62e136fdb4f78b0N.exe
904	xbodec.exe
904	xbodec.exe
1036	1fbe87883fe52a2df62e136fdb4f78b0N.exe
1036	1fbe87883fe52a2df62e136fdb4f78b0N.exe
904	xbodec.exe
904	xbodec.exe
1036	1fbe87883fe52a2df62e136fdb4f78b0N.exe
1036	1fbe87883fe52a2df62e136fdb4f78b0N.exe
904	xbodec.exe
904	xbodec.exe
1036	1fbe87883fe52a2df62e136fdb4f78b0N.exe
1036	1fbe87883fe52a2df62e136fdb4f78b0N.exe
904	xbodec.exe
904	xbodec.exe
1036	1fbe87883fe52a2df62e136fdb4f78b0N.exe
1036	1fbe87883fe52a2df62e136fdb4f78b0N.exe
904	xbodec.exe
904	xbodec.exe
1036	1fbe87883fe52a2df62e136fdb4f78b0N.exe
1036	1fbe87883fe52a2df62e136fdb4f78b0N.exe
904	xbodec.exe
904	xbodec.exe
1036	1fbe87883fe52a2df62e136fdb4f78b0N.exe
1036	1fbe87883fe52a2df62e136fdb4f78b0N.exe
904	xbodec.exe
904	xbodec.exe
1036	1fbe87883fe52a2df62e136fdb4f78b0N.exe
1036	1fbe87883fe52a2df62e136fdb4f78b0N.exe
904	xbodec.exe
904	xbodec.exe
1036	1fbe87883fe52a2df62e136fdb4f78b0N.exe
1036	1fbe87883fe52a2df62e136fdb4f78b0N.exe
904	xbodec.exe
904	xbodec.exe
1036	1fbe87883fe52a2df62e136fdb4f78b0N.exe
1036	1fbe87883fe52a2df62e136fdb4f78b0N.exe
904	xbodec.exe
904	xbodec.exe
1036	1fbe87883fe52a2df62e136fdb4f78b0N.exe
1036	1fbe87883fe52a2df62e136fdb4f78b0N.exe
904	xbodec.exe
904	xbodec.exe
1036	1fbe87883fe52a2df62e136fdb4f78b0N.exe
1036	1fbe87883fe52a2df62e136fdb4f78b0N.exe
904	xbodec.exe
904	xbodec.exe
1036	1fbe87883fe52a2df62e136fdb4f78b0N.exe
1036	1fbe87883fe52a2df62e136fdb4f78b0N.exe
904	xbodec.exe
904	xbodec.exe
1036	1fbe87883fe52a2df62e136fdb4f78b0N.exe
1036	1fbe87883fe52a2df62e136fdb4f78b0N.exe
904	xbodec.exe
904	xbodec.exe
1036	1fbe87883fe52a2df62e136fdb4f78b0N.exe
1036	1fbe87883fe52a2df62e136fdb4f78b0N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 904	1036	1fbe87883fe52a2df62e136fdb4f78b0N.exe	86
PID 1036 wrote to memory of 904	1036	1fbe87883fe52a2df62e136fdb4f78b0N.exe	86
PID 1036 wrote to memory of 904	1036	1fbe87883fe52a2df62e136fdb4f78b0N.exe	86

C:\Users\Admin\AppData\Local\Temp\1fbe87883fe52a2df62e136fdb4f78b0N.exe
"C:\Users\Admin\AppData\Local\Temp\1fbe87883fe52a2df62e136fdb4f78b0N.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1036
- C:\UserDot06\xbodec.exe
  C:\UserDot06\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBU5\dobaloc.exe

Filesize
10KB

MD5
8bb03f5eb2cd8f96453b68599a551494

SHA1
ba5f909ff201acda0b64888d016ac41ca08ef328

SHA256
db1d248f9bdf4f80c067cff30406d63dad0e7c4f5c8bed10fc2344a50f02f530

SHA512
d0d6dbdfad35e6a999154b9765d2dba5c85e8f8b3c2d0f6dc5ab34dfdd1a58b811591c20358170d3e747cb5948a80b8ad67e3240748079482b7a2a28b84d9ac7

Download Submit
C:\KaVBU5\dobaloc.exe

Filesize
2.7MB

MD5
1cbd9ba21fb533d735f0d122a20a2f8b

SHA1
b18df77e41606fd977a9c201da084140b8d5e911

SHA256
87887fd5745090231a11b73703390320fba5b2e289d9f72c4beec77f533fafbb

SHA512
9d1c6922bed0dea68db2883cd915503b6165e1e58b2f8941719b7071f3215e3da3ee363b6bb4ff76e6a3b4c8f4a60729bd9091af667abc0a7c17a844ef7c7641

Download Submit
C:\UserDot06\xbodec.exe

Filesize
2.7MB

MD5
1d7c634b90e7cb650b5ae054cbfdcb8e

SHA1
43eeef04b4e5c86eba917d0fb44cfc50e19740fb

SHA256
8a04c5668682d767fb570313a4a6aa5dd31333038e4ad75e07487cca423e1809

SHA512
47102665e6257d92d2a246cfe493d6f57f6abd9dcc9887853ae55c38d33321565dde73ee38506342e8e615c4f56b247f65c79fc85b991ea2220ed783e01db1cf

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
04f439f74a3371c4eb41ff6980de7f45

SHA1
9338d69a95a5f3cb0830fb6096ffead901608a81

SHA256
033df3d8117129651a3b1108e82b0c5250c15f740266ab1e2c118d8a018d8c18

SHA512
640dee7d1e50ae3732e284c49b8b3aab7d27c71562a0630092f9f603cab57b537e09bf82070668c06acac1ef80017b488cd3f8b24ab47bd7d0a7028b7bf4d495

Download Submit