1073b8b818367ee91dd2832c756fda34ff19abc5cddd66b20327d67f10915f2d

Analysis

max time kernel
119s
max time network
18s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 02:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f61004a46ea798fc299ff54f5cfbe30N.exe
Size

2.7MB
MD5

5f61004a46ea798fc299ff54f5cfbe30
SHA1

05b5dbfbe1c1b5cfa38a0fefbf7a20a7350ad3c6
SHA256

1073b8b818367ee91dd2832c756fda34ff19abc5cddd66b20327d67f10915f2d
SHA512

6256ec53186c259c6081c82de1a1e149544f7378a48407bfeb00470579bb8a559491413cb3793450db5aa64427a8072703fc888863a12d4507ac98edd838b566
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBV9w4Sx:+R0pI/IQlUoMPdmpSpF4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1892	xbodec.exe

Loads dropped DLL 1 IoCs

pid	Process
3028	5f61004a46ea798fc299ff54f5cfbe30N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot3E\\xbodec.exe"	5f61004a46ea798fc299ff54f5cfbe30N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxQI\\bodxec.exe"	5f61004a46ea798fc299ff54f5cfbe30N.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\AdminI.]]1NaNI?\NZV[TI:VP_\`\SaIDV[Q\d`I@aN_a :R[bI=_\T_NZ`I@aN_ab]Ilocabod.exe	5f61004a46ea798fc299ff54f5cfbe30N.exe
File created	C:\Users\AdminI.]]1NaNI?\NZV[TI:VP_\`\SaIDV[Q\d`I@aN_a	xbodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3028	5f61004a46ea798fc299ff54f5cfbe30N.exe
3028	5f61004a46ea798fc299ff54f5cfbe30N.exe
1892	xbodec.exe
3028	5f61004a46ea798fc299ff54f5cfbe30N.exe
1892	xbodec.exe
3028	5f61004a46ea798fc299ff54f5cfbe30N.exe
1892	xbodec.exe
3028	5f61004a46ea798fc299ff54f5cfbe30N.exe
1892	xbodec.exe
3028	5f61004a46ea798fc299ff54f5cfbe30N.exe
1892	xbodec.exe
3028	5f61004a46ea798fc299ff54f5cfbe30N.exe
1892	xbodec.exe
3028	5f61004a46ea798fc299ff54f5cfbe30N.exe
1892	xbodec.exe
3028	5f61004a46ea798fc299ff54f5cfbe30N.exe
1892	xbodec.exe
3028	5f61004a46ea798fc299ff54f5cfbe30N.exe
1892	xbodec.exe
3028	5f61004a46ea798fc299ff54f5cfbe30N.exe
1892	xbodec.exe
3028	5f61004a46ea798fc299ff54f5cfbe30N.exe
1892	xbodec.exe
3028	5f61004a46ea798fc299ff54f5cfbe30N.exe
1892	xbodec.exe
3028	5f61004a46ea798fc299ff54f5cfbe30N.exe
1892	xbodec.exe
3028	5f61004a46ea798fc299ff54f5cfbe30N.exe
1892	xbodec.exe
3028	5f61004a46ea798fc299ff54f5cfbe30N.exe
1892	xbodec.exe
3028	5f61004a46ea798fc299ff54f5cfbe30N.exe
1892	xbodec.exe
3028	5f61004a46ea798fc299ff54f5cfbe30N.exe
1892	xbodec.exe
3028	5f61004a46ea798fc299ff54f5cfbe30N.exe
1892	xbodec.exe
3028	5f61004a46ea798fc299ff54f5cfbe30N.exe
1892	xbodec.exe
3028	5f61004a46ea798fc299ff54f5cfbe30N.exe
1892	xbodec.exe
3028	5f61004a46ea798fc299ff54f5cfbe30N.exe
1892	xbodec.exe
3028	5f61004a46ea798fc299ff54f5cfbe30N.exe
1892	xbodec.exe
3028	5f61004a46ea798fc299ff54f5cfbe30N.exe
1892	xbodec.exe
3028	5f61004a46ea798fc299ff54f5cfbe30N.exe
1892	xbodec.exe
3028	5f61004a46ea798fc299ff54f5cfbe30N.exe
1892	xbodec.exe
3028	5f61004a46ea798fc299ff54f5cfbe30N.exe
1892	xbodec.exe
3028	5f61004a46ea798fc299ff54f5cfbe30N.exe
1892	xbodec.exe
3028	5f61004a46ea798fc299ff54f5cfbe30N.exe
1892	xbodec.exe
3028	5f61004a46ea798fc299ff54f5cfbe30N.exe
1892	xbodec.exe
3028	5f61004a46ea798fc299ff54f5cfbe30N.exe
1892	xbodec.exe
3028	5f61004a46ea798fc299ff54f5cfbe30N.exe
1892	xbodec.exe
3028	5f61004a46ea798fc299ff54f5cfbe30N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 1892	3028	5f61004a46ea798fc299ff54f5cfbe30N.exe	30
PID 3028 wrote to memory of 1892	3028	5f61004a46ea798fc299ff54f5cfbe30N.exe	30
PID 3028 wrote to memory of 1892	3028	5f61004a46ea798fc299ff54f5cfbe30N.exe	30
PID 3028 wrote to memory of 1892	3028	5f61004a46ea798fc299ff54f5cfbe30N.exe	30

C:\Users\Admin\AppData\Local\Temp\5f61004a46ea798fc299ff54f5cfbe30N.exe
"C:\Users\Admin\AppData\Local\Temp\5f61004a46ea798fc299ff54f5cfbe30N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3028
- C:\UserDot3E\xbodec.exe
  C:\UserDot3E\xbodec.exe
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxQI\bodxec.exe

Filesize
2.7MB

MD5
90f3acf79a789d5f26f4ee71dd5039a8

SHA1
a39a845108b24bf07dafa20bd980144b73ae349e

SHA256
b1ef8a1251e614ba486d6bbe43c41cef7404935cb03488abf7b63c22e5f36089

SHA512
c6d1ddf6ffa418c0170b9f88bc82924e3224cbfa232904ae99568a4a6efa0cd2cca944e1cabf0f2e8cf032daf0cf0de9f254c833394ee57d0072efeb5017fbcc

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
6b694143e6bee099ba5bba952524326a

SHA1
c2b32eb0fce295bec2eab42bb4a15b849eb77590

SHA256
34f0c4ceb56f6e0e91428c515ed44c083235f9d57c6c380e74ceaaca1f7e2386

SHA512
80eb8c49ce7ff436f68d71fd543a453019adb692c9a2e476483ba45ccb526d76079249661bc04fa16c7d2aa03081be6f58ae1c0cfc71d9416792506894acfd0a

Download Submit
\UserDot3E\xbodec.exe

Filesize
2.7MB

MD5
d80c391cd27ed638707ef7664f221132

SHA1
639d9c3d3e41b9641da9d66b93890a230e312672

SHA256
3957e7eec321629db615f157934d5a7dc6577753d825f6558e861cf247762b05

SHA512
1373661c49fd834f327a28ae76ab2f1c498bb42fb53cacd021d0561c8c6818917abfdf69258b054cd21f0897c1cbab398b3a989d98b8c54662e48cab21e7de3f

Download Submit