8ddeb7332a07e58355feee924497f8b6e59108d94cf4a2dd010e24c6e86ab3a9

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21-07-2024 07:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85c99138156e9701c8baeac269b0ac90N.exe
Size

3.3MB
MD5

85c99138156e9701c8baeac269b0ac90
SHA1

4403f9027960f24c39d2e0087efd68341b706de1
SHA256

8ddeb7332a07e58355feee924497f8b6e59108d94cf4a2dd010e24c6e86ab3a9
SHA512

06ae8c36b9be07f9bc5f9c43df7a7a9840b97261baef37be6bfd34f8d83046fbf7d8ee04d32b2fcfa0f8d4b11e14d628b3995421fda6c7b4b2e95fe25c2ed7d1
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBU9w4SLDtnkgXL35xZzlPBq4:+R0pI/IQlUoMPdmpSpO4ADtnkgvNW

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2760	xbodsys.exe

Loads dropped DLL 1 IoCs

pid	Process
1544	85c99138156e9701c8baeac269b0ac90N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocAR\\xbodsys.exe"	85c99138156e9701c8baeac269b0ac90N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintXV\\bodxloc.exe"	85c99138156e9701c8baeac269b0ac90N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1544	85c99138156e9701c8baeac269b0ac90N.exe
1544	85c99138156e9701c8baeac269b0ac90N.exe
2760	xbodsys.exe
1544	85c99138156e9701c8baeac269b0ac90N.exe
2760	xbodsys.exe
1544	85c99138156e9701c8baeac269b0ac90N.exe
2760	xbodsys.exe
1544	85c99138156e9701c8baeac269b0ac90N.exe
2760	xbodsys.exe
1544	85c99138156e9701c8baeac269b0ac90N.exe
2760	xbodsys.exe
1544	85c99138156e9701c8baeac269b0ac90N.exe
2760	xbodsys.exe
1544	85c99138156e9701c8baeac269b0ac90N.exe
2760	xbodsys.exe
1544	85c99138156e9701c8baeac269b0ac90N.exe
2760	xbodsys.exe
1544	85c99138156e9701c8baeac269b0ac90N.exe
2760	xbodsys.exe
1544	85c99138156e9701c8baeac269b0ac90N.exe
2760	xbodsys.exe
1544	85c99138156e9701c8baeac269b0ac90N.exe
2760	xbodsys.exe
1544	85c99138156e9701c8baeac269b0ac90N.exe
2760	xbodsys.exe
1544	85c99138156e9701c8baeac269b0ac90N.exe
2760	xbodsys.exe
1544	85c99138156e9701c8baeac269b0ac90N.exe
2760	xbodsys.exe
1544	85c99138156e9701c8baeac269b0ac90N.exe
2760	xbodsys.exe
1544	85c99138156e9701c8baeac269b0ac90N.exe
2760	xbodsys.exe
1544	85c99138156e9701c8baeac269b0ac90N.exe
2760	xbodsys.exe
1544	85c99138156e9701c8baeac269b0ac90N.exe
2760	xbodsys.exe
1544	85c99138156e9701c8baeac269b0ac90N.exe
2760	xbodsys.exe
1544	85c99138156e9701c8baeac269b0ac90N.exe
2760	xbodsys.exe
1544	85c99138156e9701c8baeac269b0ac90N.exe
2760	xbodsys.exe
1544	85c99138156e9701c8baeac269b0ac90N.exe
2760	xbodsys.exe
1544	85c99138156e9701c8baeac269b0ac90N.exe
2760	xbodsys.exe
1544	85c99138156e9701c8baeac269b0ac90N.exe
2760	xbodsys.exe
1544	85c99138156e9701c8baeac269b0ac90N.exe
2760	xbodsys.exe
1544	85c99138156e9701c8baeac269b0ac90N.exe
2760	xbodsys.exe
1544	85c99138156e9701c8baeac269b0ac90N.exe
2760	xbodsys.exe
1544	85c99138156e9701c8baeac269b0ac90N.exe
2760	xbodsys.exe
1544	85c99138156e9701c8baeac269b0ac90N.exe
2760	xbodsys.exe
1544	85c99138156e9701c8baeac269b0ac90N.exe
2760	xbodsys.exe
1544	85c99138156e9701c8baeac269b0ac90N.exe
2760	xbodsys.exe
1544	85c99138156e9701c8baeac269b0ac90N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 2760	1544	85c99138156e9701c8baeac269b0ac90N.exe	30
PID 1544 wrote to memory of 2760	1544	85c99138156e9701c8baeac269b0ac90N.exe	30
PID 1544 wrote to memory of 2760	1544	85c99138156e9701c8baeac269b0ac90N.exe	30
PID 1544 wrote to memory of 2760	1544	85c99138156e9701c8baeac269b0ac90N.exe	30

C:\Users\Admin\AppData\Local\Temp\85c99138156e9701c8baeac269b0ac90N.exe
"C:\Users\Admin\AppData\Local\Temp\85c99138156e9701c8baeac269b0ac90N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1544
- C:\IntelprocAR\xbodsys.exe
  C:\IntelprocAR\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintXV\bodxloc.exe

Filesize
3.3MB

MD5
2ea51499d1686169fe657d00db434bf9

SHA1
274e75a028fd0740512ba57dfb8a64601fc68408

SHA256
d75a859698c0ec7e2388205b7f476811b29571160511335b67418d313adb6f07

SHA512
000ab2e53cc6417f791273a84535b3f92685596c618e11dd02c0b63e1c4b5f5d317983ec9ed82629b29efd68cf5266c74f779f972373dac4763066db2e9c7f72

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
cd965f4537afd9cd9f4e9d64c50a2db8

SHA1
e6f4dec9cce47d91071e1d32f18a43997892974c

SHA256
c4ad9f301b33f6d2113800d1075415311a06acaab50626305f2cdbf24da1aab4

SHA512
548845aba1519d553e8a23a134d5ffc5e99bd12bcdd343b0211cabc199bd279b8262afb7ed79d3b6ff62ff76b2ae489d8ac7a022c5838aea6d43e122c142794b

Download Submit
\IntelprocAR\xbodsys.exe

Filesize
3.3MB

MD5
c4f812b7b909445d5ba24c6d40af4b67

SHA1
083324da620683ea46082322edaf9ea14a007f2c

SHA256
fd121615fc56a4842ecf39c765d16d48110cafc7b8da95cce1d2b8eb2e495b3d

SHA512
3aea4e4905a036db3c6ee88e04f24a977494f60a32f7de3e1b85af7fba6b3580ddcb0eb3768b0d7c56cb9d3293e9b25e6be741b6415dbd2778081923383c79cf

Download Submit