f36c12f48dc9512fc94e15e3b47826488934a7c70082036804285b27e0e7d858

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15-07-2024 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

567fe890340b1add8eace2b7c6341db0N.exe
Size

2.7MB
MD5

567fe890340b1add8eace2b7c6341db0
SHA1

c4eb46aed0fb4df467ea673bfb4ca8bcc9f10c55
SHA256

f36c12f48dc9512fc94e15e3b47826488934a7c70082036804285b27e0e7d858
SHA512

047c66037fc6a058cd93a3a52e4de662f1409a607f5e0630cbfa5db745e3e42856840b80bbcf3cf07eb8f9c8fa4cb03c6f93fe3fdf78502f8a140144a090dac7
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBq9w4Sx:+R0pI/IQlUoMPdmpSpk4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1068	xbodloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2416	567fe890340b1add8eace2b7c6341db0N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocTM\\xbodloc.exe"	567fe890340b1add8eace2b7c6341db0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBD8\\optiasys.exe"	567fe890340b1add8eace2b7c6341db0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2416	567fe890340b1add8eace2b7c6341db0N.exe
2416	567fe890340b1add8eace2b7c6341db0N.exe
1068	xbodloc.exe
2416	567fe890340b1add8eace2b7c6341db0N.exe
1068	xbodloc.exe
2416	567fe890340b1add8eace2b7c6341db0N.exe
1068	xbodloc.exe
2416	567fe890340b1add8eace2b7c6341db0N.exe
1068	xbodloc.exe
2416	567fe890340b1add8eace2b7c6341db0N.exe
1068	xbodloc.exe
2416	567fe890340b1add8eace2b7c6341db0N.exe
1068	xbodloc.exe
2416	567fe890340b1add8eace2b7c6341db0N.exe
1068	xbodloc.exe
2416	567fe890340b1add8eace2b7c6341db0N.exe
1068	xbodloc.exe
2416	567fe890340b1add8eace2b7c6341db0N.exe
1068	xbodloc.exe
2416	567fe890340b1add8eace2b7c6341db0N.exe
1068	xbodloc.exe
2416	567fe890340b1add8eace2b7c6341db0N.exe
1068	xbodloc.exe
2416	567fe890340b1add8eace2b7c6341db0N.exe
1068	xbodloc.exe
2416	567fe890340b1add8eace2b7c6341db0N.exe
1068	xbodloc.exe
2416	567fe890340b1add8eace2b7c6341db0N.exe
1068	xbodloc.exe
2416	567fe890340b1add8eace2b7c6341db0N.exe
1068	xbodloc.exe
2416	567fe890340b1add8eace2b7c6341db0N.exe
1068	xbodloc.exe
2416	567fe890340b1add8eace2b7c6341db0N.exe
1068	xbodloc.exe
2416	567fe890340b1add8eace2b7c6341db0N.exe
1068	xbodloc.exe
2416	567fe890340b1add8eace2b7c6341db0N.exe
1068	xbodloc.exe
2416	567fe890340b1add8eace2b7c6341db0N.exe
1068	xbodloc.exe
2416	567fe890340b1add8eace2b7c6341db0N.exe
1068	xbodloc.exe
2416	567fe890340b1add8eace2b7c6341db0N.exe
1068	xbodloc.exe
2416	567fe890340b1add8eace2b7c6341db0N.exe
1068	xbodloc.exe
2416	567fe890340b1add8eace2b7c6341db0N.exe
1068	xbodloc.exe
2416	567fe890340b1add8eace2b7c6341db0N.exe
1068	xbodloc.exe
2416	567fe890340b1add8eace2b7c6341db0N.exe
1068	xbodloc.exe
2416	567fe890340b1add8eace2b7c6341db0N.exe
1068	xbodloc.exe
2416	567fe890340b1add8eace2b7c6341db0N.exe
1068	xbodloc.exe
2416	567fe890340b1add8eace2b7c6341db0N.exe
1068	xbodloc.exe
2416	567fe890340b1add8eace2b7c6341db0N.exe
1068	xbodloc.exe
2416	567fe890340b1add8eace2b7c6341db0N.exe
1068	xbodloc.exe
2416	567fe890340b1add8eace2b7c6341db0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 1068	2416	567fe890340b1add8eace2b7c6341db0N.exe	30
PID 2416 wrote to memory of 1068	2416	567fe890340b1add8eace2b7c6341db0N.exe	30
PID 2416 wrote to memory of 1068	2416	567fe890340b1add8eace2b7c6341db0N.exe	30
PID 2416 wrote to memory of 1068	2416	567fe890340b1add8eace2b7c6341db0N.exe	30

C:\Users\Admin\AppData\Local\Temp\567fe890340b1add8eace2b7c6341db0N.exe
"C:\Users\Admin\AppData\Local\Temp\567fe890340b1add8eace2b7c6341db0N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2416
- C:\IntelprocTM\xbodloc.exe
  C:\IntelprocTM\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBD8\optiasys.exe

Filesize
15KB

MD5
929475a0852ed2f5ca0986ebc10f8ecd

SHA1
6213d4a36c96ffc0c1a3b7334257be6a6e9d58d1

SHA256
d9a2dafc3db9c04100e4706f5d6c17576c054c21e786d0872b131aa0c245064f

SHA512
de7ac87b04a18933e1e215e23514840b31a32cfbea1d28bd4ab6c09ef96cd633eb8c6bb617def9044d2a613c8825e633412b65a9f98174c03c113950ae118419

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
1c6e467bf224ce095e63f0e73fda89ba

SHA1
69dc511c7012040681ced42285bbe4310ed9dd35

SHA256
e79862b3c95ce36b7c2c0a84e278f36843c7625825ee34e7f7f82a92ac45b904

SHA512
8f6ce03d0f9cfbdfaac499ce29d3b9110a4dbf5fa67aeeef1f57aaae5d87e0782af0e7bc392dff2867c0b0e2ea6f9c07b74d6118bbbef085db8a29f9089d7d90

Download Submit
\IntelprocTM\xbodloc.exe

Filesize
2.7MB

MD5
928aafc4ef5ca905e086d7bc02fef274

SHA1
1f020328b1fb5afa1799157c44b3ee1d547d1a21

SHA256
9f3f26f0839d9e51018a2f5e255d558b1897317383e7c674e8a33610d75d824c

SHA512
53a22244b58c8bb17c2cda5797aa569c45d33e234820661fd7ac181a01a6ebe4bae9dac97170f7029de9edac7e48bb1e0303b4ce921d1b6188de6c2bf4f4f929

Download Submit