0af31e9a6ea42cc13110a6b508c465660291563d20170477b8b0cd08dd6efd59

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f0b6622b4442ba6a98e1d018127e0c0N.exe
Size

2.7MB
MD5

0f0b6622b4442ba6a98e1d018127e0c0
SHA1

8a9b1b09211ac50667b669b961b1481a67d224d4
SHA256

0af31e9a6ea42cc13110a6b508c465660291563d20170477b8b0cd08dd6efd59
SHA512

730efebe6ea4394bf04f00012bc3e82371e95846ce61c786d8f00e36d280791ffd3cef1561213a8f39b0c67271a56f1809c73f0cd5831e278485522cd43ec1bd
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBY9w4Sx:+R0pI/IQlUoMPdmpSp+4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2756	xbodsys.exe

Loads dropped DLL 1 IoCs

pid	Process
2372	0f0b6622b4442ba6a98e1d018127e0c0N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotVZ\\xbodsys.exe"	0f0b6622b4442ba6a98e1d018127e0c0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBD1\\boddevsys.exe"	0f0b6622b4442ba6a98e1d018127e0c0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2372	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2372	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2756	xbodsys.exe
2372	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2756	xbodsys.exe
2372	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2756	xbodsys.exe
2372	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2756	xbodsys.exe
2372	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2756	xbodsys.exe
2372	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2756	xbodsys.exe
2372	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2756	xbodsys.exe
2372	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2756	xbodsys.exe
2372	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2756	xbodsys.exe
2372	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2756	xbodsys.exe
2372	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2756	xbodsys.exe
2372	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2756	xbodsys.exe
2372	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2756	xbodsys.exe
2372	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2756	xbodsys.exe
2372	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2756	xbodsys.exe
2372	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2756	xbodsys.exe
2372	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2756	xbodsys.exe
2372	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2756	xbodsys.exe
2372	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2756	xbodsys.exe
2372	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2756	xbodsys.exe
2372	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2756	xbodsys.exe
2372	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2756	xbodsys.exe
2372	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2756	xbodsys.exe
2372	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2756	xbodsys.exe
2372	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2756	xbodsys.exe
2372	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2756	xbodsys.exe
2372	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2756	xbodsys.exe
2372	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2756	xbodsys.exe
2372	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2756	xbodsys.exe
2372	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2756	xbodsys.exe
2372	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2756	xbodsys.exe
2372	0f0b6622b4442ba6a98e1d018127e0c0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2756	2372	0f0b6622b4442ba6a98e1d018127e0c0N.exe	31
PID 2372 wrote to memory of 2756	2372	0f0b6622b4442ba6a98e1d018127e0c0N.exe	31
PID 2372 wrote to memory of 2756	2372	0f0b6622b4442ba6a98e1d018127e0c0N.exe	31
PID 2372 wrote to memory of 2756	2372	0f0b6622b4442ba6a98e1d018127e0c0N.exe	31

C:\Users\Admin\AppData\Local\Temp\0f0b6622b4442ba6a98e1d018127e0c0N.exe
"C:\Users\Admin\AppData\Local\Temp\0f0b6622b4442ba6a98e1d018127e0c0N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2372
- C:\UserDotVZ\xbodsys.exe
  C:\UserDotVZ\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBD1\boddevsys.exe

Filesize
2.7MB

MD5
d61dcc53d694f3b63a2f9ede8ce3b0f2

SHA1
d10f4372cf4fc8e2479924c1464dbbbdf845b26f

SHA256
678d1bb32377cdca89e04fa9f74df761a13a0584d62dd9126aa7ca64f81a79a7

SHA512
ace6d42b860ec29f9f12a64a000fd252d808207f54089746c6a26484b9a39f6fa4a13463789e49659caa683d1b51bb586660725f7d5e28a487cb76c70d9ced2e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
3c6b034a35c1abb5827b40c5663ed0c2

SHA1
54316cf10424c5086844f9d4a36cb0638f45890b

SHA256
84dcb99e3f4a6276930fac7c3aa8a056255a44fdaf10857736ceb3f6d9798894

SHA512
59f317f2333cf3297ec917230ff3013fc52c1b4cb1f3728af8dea2416c2f51d2a75e232c89dd096bf6c0ed0e1c9140f7195b474977299130b98a796a1abfbe37

Download Submit
\UserDotVZ\xbodsys.exe

Filesize
2.7MB

MD5
1d604ee928cdd0b4e209faaa82234533

SHA1
cbbc093877f45fe83e6f9f91594be767a6a7a121

SHA256
deeed1f39886d6cf18339fae1abe660e51bfaae61b5798aab0bfcf4b304c74cb

SHA512
05486588cf8e4147cfc41ad2684fd9ac9a2432983112a43c8ada970aa4a3826d92ee6bccca7b2237bb44e03ee6dd00a42fa5dd84133666115720c4875c6e4dc4

Download Submit