a5c9bbabc495da11a56bfea96af1ef6854db427a1d47c6ae625907314a51bbff

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21/07/2024, 14:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2f500afa1a73c36bc8d009a2fae3a00N.exe
Size

4.1MB
MD5

d2f500afa1a73c36bc8d009a2fae3a00
SHA1

8cc60084d82c23a1cf9483a3c8be9ef95cd311b6
SHA256

a5c9bbabc495da11a56bfea96af1ef6854db427a1d47c6ae625907314a51bbff
SHA512

60a1aae745d1bb90c0a0f19233d6cb24f6938932406d2f227fc02609fece0547ddff05ea0c606d7e92f4c6869ac63048ef58e277ff1ac4f960b6461b59fbc6b4
SSDEEP

98304:+R0pI/IQlUoMPdmpSpb4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmo5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1756	xbodec.exe

Loads dropped DLL 1 IoCs

pid	Process
2316	d2f500afa1a73c36bc8d009a2fae3a00N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot6F\\xbodec.exe"	d2f500afa1a73c36bc8d009a2fae3a00N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ4B\\bodxloc.exe"	d2f500afa1a73c36bc8d009a2fae3a00N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2316	d2f500afa1a73c36bc8d009a2fae3a00N.exe
2316	d2f500afa1a73c36bc8d009a2fae3a00N.exe
1756	xbodec.exe
2316	d2f500afa1a73c36bc8d009a2fae3a00N.exe
1756	xbodec.exe
2316	d2f500afa1a73c36bc8d009a2fae3a00N.exe
1756	xbodec.exe
2316	d2f500afa1a73c36bc8d009a2fae3a00N.exe
1756	xbodec.exe
2316	d2f500afa1a73c36bc8d009a2fae3a00N.exe
1756	xbodec.exe
2316	d2f500afa1a73c36bc8d009a2fae3a00N.exe
1756	xbodec.exe
2316	d2f500afa1a73c36bc8d009a2fae3a00N.exe
1756	xbodec.exe
2316	d2f500afa1a73c36bc8d009a2fae3a00N.exe
1756	xbodec.exe
2316	d2f500afa1a73c36bc8d009a2fae3a00N.exe
1756	xbodec.exe
2316	d2f500afa1a73c36bc8d009a2fae3a00N.exe
1756	xbodec.exe
2316	d2f500afa1a73c36bc8d009a2fae3a00N.exe
1756	xbodec.exe
2316	d2f500afa1a73c36bc8d009a2fae3a00N.exe
1756	xbodec.exe
2316	d2f500afa1a73c36bc8d009a2fae3a00N.exe
1756	xbodec.exe
2316	d2f500afa1a73c36bc8d009a2fae3a00N.exe
1756	xbodec.exe
2316	d2f500afa1a73c36bc8d009a2fae3a00N.exe
1756	xbodec.exe
2316	d2f500afa1a73c36bc8d009a2fae3a00N.exe
1756	xbodec.exe
2316	d2f500afa1a73c36bc8d009a2fae3a00N.exe
1756	xbodec.exe
2316	d2f500afa1a73c36bc8d009a2fae3a00N.exe
1756	xbodec.exe
2316	d2f500afa1a73c36bc8d009a2fae3a00N.exe
1756	xbodec.exe
2316	d2f500afa1a73c36bc8d009a2fae3a00N.exe
1756	xbodec.exe
2316	d2f500afa1a73c36bc8d009a2fae3a00N.exe
1756	xbodec.exe
2316	d2f500afa1a73c36bc8d009a2fae3a00N.exe
1756	xbodec.exe
2316	d2f500afa1a73c36bc8d009a2fae3a00N.exe
1756	xbodec.exe
2316	d2f500afa1a73c36bc8d009a2fae3a00N.exe
1756	xbodec.exe
2316	d2f500afa1a73c36bc8d009a2fae3a00N.exe
1756	xbodec.exe
2316	d2f500afa1a73c36bc8d009a2fae3a00N.exe
1756	xbodec.exe
2316	d2f500afa1a73c36bc8d009a2fae3a00N.exe
1756	xbodec.exe
2316	d2f500afa1a73c36bc8d009a2fae3a00N.exe
1756	xbodec.exe
2316	d2f500afa1a73c36bc8d009a2fae3a00N.exe
1756	xbodec.exe
2316	d2f500afa1a73c36bc8d009a2fae3a00N.exe
1756	xbodec.exe
2316	d2f500afa1a73c36bc8d009a2fae3a00N.exe
1756	xbodec.exe
2316	d2f500afa1a73c36bc8d009a2fae3a00N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 1756	2316	d2f500afa1a73c36bc8d009a2fae3a00N.exe	30
PID 2316 wrote to memory of 1756	2316	d2f500afa1a73c36bc8d009a2fae3a00N.exe	30
PID 2316 wrote to memory of 1756	2316	d2f500afa1a73c36bc8d009a2fae3a00N.exe	30
PID 2316 wrote to memory of 1756	2316	d2f500afa1a73c36bc8d009a2fae3a00N.exe	30

C:\Users\Admin\AppData\Local\Temp\d2f500afa1a73c36bc8d009a2fae3a00N.exe
"C:\Users\Admin\AppData\Local\Temp\d2f500afa1a73c36bc8d009a2fae3a00N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2316
- C:\UserDot6F\xbodec.exe
  C:\UserDot6F\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZ4B\bodxloc.exe

Filesize
4.1MB

MD5
630fae55a600a59e06879779b9a90fba

SHA1
5ffbe8649f3e139d78e25d3af69ad6091a882f12

SHA256
e889892cffa19821c5e51e5bf7d95b891272dc5a24a834b1f1f0e0c4492d04fb

SHA512
ee88af9ddfbd8d82bfedee1f4b97438cd87f7bf8d7ccf4bd74d6b128b6ce605d1207d1f00638f7cb2a2e26d3d64a347162a5681467d5fc6e363770f52237e018

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
09dd74f7a9a063145f097a014864d198

SHA1
e64fd10ab233e0ba406b50b132cefb10038f2b88

SHA256
70db1f2899931d8ea85fc3f6d6adaaef7d55e405823d4c031ff641a2a35a70b1

SHA512
ae5f2bd3fabbc86890a510ade47cba578fccae4d43fc7934d36cf5cebfa8430f57da6e223ba40ea3018569b9c1a52c9247338c8931878255050605248d376543

Download Submit
\UserDot6F\xbodec.exe

Filesize
4.1MB

MD5
a3f5b6f5a0394fb8e63a0e3ce6439037

SHA1
ed799b6a0a9322c6bd94fbb9c6ec5249024a0f6e

SHA256
9acc4198a95e61057f0a66a1f95e2724b3353dc799b810a4a738ac7f4cec6520

SHA512
717d3d92c2f0f70795311c145bb750d28c1f90664410faedad3b67276a042a18c68f297980d03a964f08be1adffea53a3d89dea43ac9bb35a9a0a00bc8b9e498

Download Submit