5aec07f48d974d389d709d3c89966c1cb9031bc7db0e2525125598120f2133b9

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
Size

2.7MB
MD5

6bcaa1f9fe8643b0285fbfa0edbc7470
SHA1

e62cca5f1d23823979dfa540ecbc2f6c77f5db3c
SHA256

5aec07f48d974d389d709d3c89966c1cb9031bc7db0e2525125598120f2133b9
SHA512

59ac3c9f40edc0b176c8589d88772babf622b0a462ece7372d90d5f25a6f65ec39d8952be0ac8984c6d3fe83b7aea541b055d3375dbb4234555e2969f54aac1e
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBe9w4Sx:+R0pI/IQlUoMPdmpSp84

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2380	xbodec.exe

Loads dropped DLL 1 IoCs

pid	Process
2396	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotPR\\xbodec.exe"	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxNH\\dobaloc.exe"	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2396	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
2396	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
2380	xbodec.exe
2396	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
2380	xbodec.exe
2396	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
2380	xbodec.exe
2396	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
2380	xbodec.exe
2396	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
2380	xbodec.exe
2396	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
2380	xbodec.exe
2396	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
2380	xbodec.exe
2396	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
2380	xbodec.exe
2396	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
2380	xbodec.exe
2396	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
2380	xbodec.exe
2396	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
2380	xbodec.exe
2396	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
2380	xbodec.exe
2396	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
2380	xbodec.exe
2396	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
2380	xbodec.exe
2396	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
2380	xbodec.exe
2396	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
2380	xbodec.exe
2396	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
2380	xbodec.exe
2396	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
2380	xbodec.exe
2396	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
2380	xbodec.exe
2396	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
2380	xbodec.exe
2396	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
2380	xbodec.exe
2396	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
2380	xbodec.exe
2396	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
2380	xbodec.exe
2396	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
2380	xbodec.exe
2396	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
2380	xbodec.exe
2396	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
2380	xbodec.exe
2396	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
2380	xbodec.exe
2396	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
2380	xbodec.exe
2396	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
2380	xbodec.exe
2396	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
2380	xbodec.exe
2396	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
2380	xbodec.exe
2396	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2380	2396	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe	30
PID 2396 wrote to memory of 2380	2396	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe	30
PID 2396 wrote to memory of 2380	2396	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe	30
PID 2396 wrote to memory of 2380	2396	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe	30

C:\Users\Admin\AppData\Local\Temp\6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
"C:\Users\Admin\AppData\Local\Temp\6bcaa1f9fe8643b0285fbfa0edbc7470N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2396
- C:\UserDotPR\xbodec.exe
  C:\UserDotPR\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxNH\dobaloc.exe

Filesize
2.7MB

MD5
93c30f0b85b9f911960e72c8490a2ba6

SHA1
e04c5d02a1ecdd9bb330910c91b63fb57d51f12e

SHA256
80b1cd43502753f2312a0c3691a297ec8a1979c170b8019e17ed629b022b092f

SHA512
9a6591608f1512c6fbcf7c94d6bdf381b9700e0ce89c591140315e5964bed346190598cd064f32b579140c16495f0dbd754dd351ca42955343e3f43d409f78cd

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
3c89958e7d4e8337d069cd713b7c3da2

SHA1
980c85a9b68ba19ec1807d9dfa3007f1a078e968

SHA256
d6d3be251d5bccae9028941c7cfa6ab39e31946d7bb24122da58c6d38714e6e5

SHA512
1631ccd7d73f081e0985f0907efb5a8b6884ee1efe9c101f6a05b6a1b0e21da5fc87b624a5d015e9500cdc3c583ee763210a8938927c2a8dd44f1e8d4707374d

Download Submit
\UserDotPR\xbodec.exe

Filesize
2.7MB

MD5
b447e80f15641e7f8efe1a3909234d28

SHA1
6ee32fbd298ebb009a11030870689b14d50f09b9

SHA256
a8c516efeaa8a5b21c51320c0d10d2f658b77ad99d29024b6d8a915228cb7657

SHA512
f785c6da81f9ae34b23e367ece40d88ace469ab2c44252544e2be44000ddb7b303e907a210930c70195a0273622b824c6f7f81986283bde5f9579de822923776

Download Submit