868672d66d233ac9e20901691dbe63aaf75f5459493a37471c0a77c623774d75

Analysis

max time kernel
119s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2024 00:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50d0d10ca2c126a10e0e52f639044470N.exe
Size

2.7MB
MD5

50d0d10ca2c126a10e0e52f639044470
SHA1

a44e6d95dbde148af2b98e282434c456463e1368
SHA256

868672d66d233ac9e20901691dbe63aaf75f5459493a37471c0a77c623774d75
SHA512

54e3c0a50d676bbfa59cf2d525cf5e0ce5c3f6d90003e1e3676a242a869bd36a1e6405a2190b4eecc7b6986d309d975629d95c86090e0294d78c7ca5c3f1ff32
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBQ9w4Sx:+R0pI/IQlUoMPdmpSpm4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4640	xbodsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBEL\\boddevloc.exe"	50d0d10ca2c126a10e0e52f639044470N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesKT\\xbodsys.exe"	50d0d10ca2c126a10e0e52f639044470N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2260	50d0d10ca2c126a10e0e52f639044470N.exe
2260	50d0d10ca2c126a10e0e52f639044470N.exe
2260	50d0d10ca2c126a10e0e52f639044470N.exe
2260	50d0d10ca2c126a10e0e52f639044470N.exe
4640	xbodsys.exe
4640	xbodsys.exe
2260	50d0d10ca2c126a10e0e52f639044470N.exe
2260	50d0d10ca2c126a10e0e52f639044470N.exe
4640	xbodsys.exe
4640	xbodsys.exe
2260	50d0d10ca2c126a10e0e52f639044470N.exe
2260	50d0d10ca2c126a10e0e52f639044470N.exe
4640	xbodsys.exe
4640	xbodsys.exe
2260	50d0d10ca2c126a10e0e52f639044470N.exe
2260	50d0d10ca2c126a10e0e52f639044470N.exe
4640	xbodsys.exe
4640	xbodsys.exe
2260	50d0d10ca2c126a10e0e52f639044470N.exe
2260	50d0d10ca2c126a10e0e52f639044470N.exe
4640	xbodsys.exe
4640	xbodsys.exe
2260	50d0d10ca2c126a10e0e52f639044470N.exe
2260	50d0d10ca2c126a10e0e52f639044470N.exe
4640	xbodsys.exe
4640	xbodsys.exe
2260	50d0d10ca2c126a10e0e52f639044470N.exe
2260	50d0d10ca2c126a10e0e52f639044470N.exe
4640	xbodsys.exe
4640	xbodsys.exe
2260	50d0d10ca2c126a10e0e52f639044470N.exe
2260	50d0d10ca2c126a10e0e52f639044470N.exe
4640	xbodsys.exe
4640	xbodsys.exe
2260	50d0d10ca2c126a10e0e52f639044470N.exe
2260	50d0d10ca2c126a10e0e52f639044470N.exe
4640	xbodsys.exe
4640	xbodsys.exe
2260	50d0d10ca2c126a10e0e52f639044470N.exe
2260	50d0d10ca2c126a10e0e52f639044470N.exe
4640	xbodsys.exe
4640	xbodsys.exe
2260	50d0d10ca2c126a10e0e52f639044470N.exe
2260	50d0d10ca2c126a10e0e52f639044470N.exe
4640	xbodsys.exe
4640	xbodsys.exe
2260	50d0d10ca2c126a10e0e52f639044470N.exe
2260	50d0d10ca2c126a10e0e52f639044470N.exe
4640	xbodsys.exe
4640	xbodsys.exe
2260	50d0d10ca2c126a10e0e52f639044470N.exe
2260	50d0d10ca2c126a10e0e52f639044470N.exe
4640	xbodsys.exe
4640	xbodsys.exe
2260	50d0d10ca2c126a10e0e52f639044470N.exe
2260	50d0d10ca2c126a10e0e52f639044470N.exe
4640	xbodsys.exe
4640	xbodsys.exe
2260	50d0d10ca2c126a10e0e52f639044470N.exe
2260	50d0d10ca2c126a10e0e52f639044470N.exe
4640	xbodsys.exe
4640	xbodsys.exe
2260	50d0d10ca2c126a10e0e52f639044470N.exe
2260	50d0d10ca2c126a10e0e52f639044470N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 4640	2260	50d0d10ca2c126a10e0e52f639044470N.exe	86
PID 2260 wrote to memory of 4640	2260	50d0d10ca2c126a10e0e52f639044470N.exe	86
PID 2260 wrote to memory of 4640	2260	50d0d10ca2c126a10e0e52f639044470N.exe	86

C:\Users\Admin\AppData\Local\Temp\50d0d10ca2c126a10e0e52f639044470N.exe
"C:\Users\Admin\AppData\Local\Temp\50d0d10ca2c126a10e0e52f639044470N.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2260
- C:\FilesKT\xbodsys.exe
  C:\FilesKT\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesKT\xbodsys.exe

Filesize
2.7MB

MD5
2984128b4d097f60b739722190bac7af

SHA1
87bc344eb4705247ba39b5616de55561f908c2bd

SHA256
dc1f4556398dce0af5ea73cc93ed86b998c43ae06c99e88aee6678b8b6022de3

SHA512
eab9ca813903d191cb6f927d6271e11841b78c2bd7d695f69f6c8606eaed1c3bb207c8ad0291d192d44a9317519354d651a26389585a5b0e40d30ad961f0da0b

Download Submit
C:\KaVBEL\boddevloc.exe

Filesize
2.7MB

MD5
3da623b8a07fa1f9dc88e14e6ffd3f10

SHA1
d47a840552098474f78d496b5c98c1195414adaf

SHA256
d2bf92ba903c53957a1511e5e2e34db7e3d32098e736869453415d5328d77b5d

SHA512
2df8c65298256a06e91cf742fd49fa8db55c919c00bfb9c96b1ba2bdc8a03c83b3b35534007d5f185d60f4e518f4b5b263b80c89c37765f9cf0281460131fa38

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
adf69d6d76fa85f8fadc48d334b2c03d

SHA1
4cd64f42a00f0c3cb1ba5c0df96cdc5495f9ec32

SHA256
b69231d75d3f51c9d95f86f80669a59c8a133067c301a7a726202593782be4de

SHA512
2fe251d5f383e639f59a3d78b761c819e6542acc189ed069e2aeafb046ff6c6e04a517dac59d3a0b706627d14fc8fe0803a93ae69db78f81d13f8f1cfdc0e48d

Download Submit