e8a71542d2e6817bd00d98613eef4be2b10b9c989f5e6407ef3769785e8d53b8

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
05/08/2024, 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abf5c498f3d82868a352a5cc16551110N.exe
Size

2.7MB
MD5

abf5c498f3d82868a352a5cc16551110
SHA1

e1f3b95bfe3fbf4ec8b0802ec0e20acd38938090
SHA256

e8a71542d2e6817bd00d98613eef4be2b10b9c989f5e6407ef3769785e8d53b8
SHA512

52a7b75db5c2daa0cab2341b54892f23148f689e61c877c4ffd84dfcfb772c09bf9412aaeac6c67eb9793200e6e9c9c7c9e0867bc58e8ca0155dd72b8150c566
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBc9w4Sx:+R0pI/IQlUoMPdmpSpq4

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2616	xbodloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2604	abf5c498f3d82868a352a5cc16551110N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotZ3\\xbodloc.exe"	abf5c498f3d82868a352a5cc16551110N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZSR\\optixec.exe"	abf5c498f3d82868a352a5cc16551110N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abf5c498f3d82868a352a5cc16551110N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodloc.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\AdminI.]]1NaNI?\NZV[TI:VP_\`\SaIDV[Q\d`I@aN_a :R[bI=_\T_NZ`I@aN_ab]Ilocxbod.exe	abf5c498f3d82868a352a5cc16551110N.exe
File created	C:\Users\AdminI.]]1NaNI?\NZV[TI:VP_\`\SaIDV[Q\d`I@aN_a	xbodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2604	abf5c498f3d82868a352a5cc16551110N.exe
2604	abf5c498f3d82868a352a5cc16551110N.exe
2616	xbodloc.exe
2604	abf5c498f3d82868a352a5cc16551110N.exe
2616	xbodloc.exe
2604	abf5c498f3d82868a352a5cc16551110N.exe
2616	xbodloc.exe
2604	abf5c498f3d82868a352a5cc16551110N.exe
2616	xbodloc.exe
2604	abf5c498f3d82868a352a5cc16551110N.exe
2616	xbodloc.exe
2604	abf5c498f3d82868a352a5cc16551110N.exe
2616	xbodloc.exe
2604	abf5c498f3d82868a352a5cc16551110N.exe
2616	xbodloc.exe
2604	abf5c498f3d82868a352a5cc16551110N.exe
2616	xbodloc.exe
2604	abf5c498f3d82868a352a5cc16551110N.exe
2616	xbodloc.exe
2604	abf5c498f3d82868a352a5cc16551110N.exe
2616	xbodloc.exe
2604	abf5c498f3d82868a352a5cc16551110N.exe
2616	xbodloc.exe
2604	abf5c498f3d82868a352a5cc16551110N.exe
2616	xbodloc.exe
2604	abf5c498f3d82868a352a5cc16551110N.exe
2616	xbodloc.exe
2604	abf5c498f3d82868a352a5cc16551110N.exe
2616	xbodloc.exe
2604	abf5c498f3d82868a352a5cc16551110N.exe
2616	xbodloc.exe
2604	abf5c498f3d82868a352a5cc16551110N.exe
2616	xbodloc.exe
2604	abf5c498f3d82868a352a5cc16551110N.exe
2616	xbodloc.exe
2604	abf5c498f3d82868a352a5cc16551110N.exe
2616	xbodloc.exe
2604	abf5c498f3d82868a352a5cc16551110N.exe
2616	xbodloc.exe
2604	abf5c498f3d82868a352a5cc16551110N.exe
2616	xbodloc.exe
2604	abf5c498f3d82868a352a5cc16551110N.exe
2616	xbodloc.exe
2604	abf5c498f3d82868a352a5cc16551110N.exe
2616	xbodloc.exe
2604	abf5c498f3d82868a352a5cc16551110N.exe
2616	xbodloc.exe
2604	abf5c498f3d82868a352a5cc16551110N.exe
2616	xbodloc.exe
2604	abf5c498f3d82868a352a5cc16551110N.exe
2616	xbodloc.exe
2604	abf5c498f3d82868a352a5cc16551110N.exe
2616	xbodloc.exe
2604	abf5c498f3d82868a352a5cc16551110N.exe
2616	xbodloc.exe
2604	abf5c498f3d82868a352a5cc16551110N.exe
2616	xbodloc.exe
2604	abf5c498f3d82868a352a5cc16551110N.exe
2616	xbodloc.exe
2604	abf5c498f3d82868a352a5cc16551110N.exe
2616	xbodloc.exe
2604	abf5c498f3d82868a352a5cc16551110N.exe
2616	xbodloc.exe
2604	abf5c498f3d82868a352a5cc16551110N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2616	2604	abf5c498f3d82868a352a5cc16551110N.exe	29
PID 2604 wrote to memory of 2616	2604	abf5c498f3d82868a352a5cc16551110N.exe	29
PID 2604 wrote to memory of 2616	2604	abf5c498f3d82868a352a5cc16551110N.exe	29
PID 2604 wrote to memory of 2616	2604	abf5c498f3d82868a352a5cc16551110N.exe	29

C:\Users\Admin\AppData\Local\Temp\abf5c498f3d82868a352a5cc16551110N.exe
"C:\Users\Admin\AppData\Local\Temp\abf5c498f3d82868a352a5cc16551110N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2604
- C:\UserDotZ3\xbodloc.exe
  C:\UserDotZ3\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZSR\optixec.exe

Filesize
2.7MB

MD5
aab336f17292098f39eee31f5b8a00b9

SHA1
29dcd9da67fb7016020837c931c41a5e96ea0f26

SHA256
ea9db6521ea3349c0f84555fedc55aea42e49ec2c91b5223d154b643674205fc

SHA512
dfb4007b8120643ecf18de136cf767b03e85bbf9fdeca244aa74c238754e06670e3cca664fb6fb13884a87b22bd073343cb97c528aff6d4848e5c78ca98ea131

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
6363a4dc7711734cb4ceed8a69518fbc

SHA1
e310197cd13c73b72006363935b030f788f201e4

SHA256
eb0514fabc873163a58b48e5296ecbdfaa3b82a7d05215c8eaa844ac56ab939c

SHA512
3f5b941300d112ef3a5fa21b928a5f1c5c862dc1798e0e9a1af2fbd0445f4ffc24d56e34b9492e2d2f2fbb79a4c324335975b9f9269473aee7b07c2507f44b99

Download Submit
\UserDotZ3\xbodloc.exe

Filesize
2.7MB

MD5
2a910c1fa24183b4bf5c70b6f748c713

SHA1
80652c1da1ea1235827096537544b229c14c8fd5

SHA256
1abe1e3243b646635e2aa549147e30ef51e5399276e0c7a0f8df7af7e193ee1e

SHA512
3a0bb8ff37b4adca272d32c8d7664f80e61a07807557cb474d715a1ffc03a7dbb3b4f405cf39340796fab089fa00ce9dd35dcf4f5befba77b7f9a45c0b8d3a5f

Download Submit