65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4

Analysis

max time kernel
149s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-08-2024 22:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe
Size

2.7MB
MD5

ba2a467437c1c003e63f1443f9c03659
SHA1

358f3f3615b5effbf611382ca40a7d784fc0b882
SHA256

65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4
SHA512

2c8b9be073ddee7d26f164dbac7c19ae31f28f5a11cb98b5b01abaf3359b427f95c37edcbc950e4ab005ef33b8ab6fd529eef62cd21606b0ffbc20c6b7911b4c
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBf9w4Sx:+R0pI/IQlUoMPdmpSpL4

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3160	xbodec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files4L\\xbodec.exe"	65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB6W\\dobasys.exe"	65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1780	65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe
1780	65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe
1780	65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe
1780	65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe
3160	xbodec.exe
3160	xbodec.exe
1780	65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe
1780	65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe
3160	xbodec.exe
3160	xbodec.exe
1780	65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe
1780	65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe
3160	xbodec.exe
3160	xbodec.exe
1780	65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe
1780	65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe
3160	xbodec.exe
3160	xbodec.exe
1780	65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe
1780	65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe
3160	xbodec.exe
3160	xbodec.exe
1780	65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe
1780	65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe
3160	xbodec.exe
3160	xbodec.exe
1780	65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe
1780	65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe
3160	xbodec.exe
3160	xbodec.exe
1780	65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe
1780	65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe
3160	xbodec.exe
3160	xbodec.exe
1780	65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe
1780	65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe
3160	xbodec.exe
3160	xbodec.exe
1780	65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe
1780	65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe
3160	xbodec.exe
3160	xbodec.exe
1780	65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe
1780	65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe
3160	xbodec.exe
3160	xbodec.exe
1780	65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe
1780	65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe
3160	xbodec.exe
3160	xbodec.exe
1780	65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe
1780	65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe
3160	xbodec.exe
3160	xbodec.exe
1780	65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe
1780	65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe
3160	xbodec.exe
3160	xbodec.exe
1780	65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe
1780	65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe
3160	xbodec.exe
3160	xbodec.exe
1780	65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe
1780	65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 3160	1780	65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe	88
PID 1780 wrote to memory of 3160	1780	65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe	88
PID 1780 wrote to memory of 3160	1780	65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe	88

C:\Users\Admin\AppData\Local\Temp\65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe
"C:\Users\Admin\AppData\Local\Temp\65e0443e9d37b8606ea5d19d22367843fedca4c9bace03f7856f7c39939192f4.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Files4L\xbodec.exe
  C:\Files4L\xbodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files4L\xbodec.exe

Filesize
2.7MB

MD5
56ed120af977ff3fa68f7b0e64437041

SHA1
6ce760402f675b3bf6736281c3b0cceec6e8d86e

SHA256
17d99710a7749be7bf4ea3014a44c4c460b6977abaaf2b1955521840ec82bfab

SHA512
7bc4a268c4155cedc52d61f393106d23539a7de707db9be192775d5b46ed6f9dc37ecbcf5812fbc8db1a0540100c66c512551658c7afb2b36e923594b79929f8

Download Submit
C:\KaVB6W\dobasys.exe

Filesize
1.4MB

MD5
607b79124d515fe644bd9519ca7b89b5

SHA1
6304b01995205223fb5328cce849b26033094f8a

SHA256
5002d06021e9640dc5b88018039de1fd0c27f220e92b527d903c4276a49bed8b

SHA512
5aa01dc6dd90f161e68f17e70ebf1c3b45ed6c6695ffc44f56a65664f8f523d3ccf429c7a8f44a51c4dd264d0e7479c768b06079ed029e8d9177f84327b3505c

Download Submit
C:\KaVB6W\dobasys.exe

Filesize
2.7MB

MD5
01a84a75306801db30ad37485f34b6c6

SHA1
a70684c32a613cfb570bc545eeba0a473bec8178

SHA256
76933d0e09c32cfa0572d16807d73814ed84c1eaacb0818a23ff47e1becd2a0c

SHA512
b5e8071b6d558cac4d2b58eefb944e27151b4f7b64e563c0a8ca9468cb65f0d18acb6b4ee0f925ed104ddfefad2b15b8164e3b8fe0515feab23d62d5f8e0b628

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
7355ad491e0d88bee5244dfe9d5e3ce6

SHA1
635bc632f64dcdcdde1cccf0aa3dcf5b255143d2

SHA256
1a499512740b015ad1b4b1483ccc079db09d695b5eee1325cb6402dff9e8f2bb

SHA512
259705b50ab28634c8bc3089603bd5292e4e1c0871dbf438da2be08308de9d9a065793a17beee658378b4693e7602aa785eda399662dcd309d8197117ff9cd2e

Download Submit