bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-08-2024 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe
Size

2.7MB
MD5

26fcca53b499ac68c5d5375504c7733e
SHA1

15ee8e7856ef24579f468e873c0eda0f1fb9e1d5
SHA256

bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964
SHA512

170df37d08d43a78ddfa5fbf829f5f7f5ec2be165f329c71b11d76b84d92489d47907a2361d2d569ebaed13df6672dbcd9dad33b0784278f23839777d8da9727
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBe9w4Sx:+R0pI/IQlUoMPdmpSpo4

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
396	xdobsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotGV\\xdobsys.exe"	bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBVQ\\bodaloc.exe"	bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4276	bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe
4276	bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe
4276	bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe
4276	bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe
396	xdobsys.exe
396	xdobsys.exe
4276	bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe
4276	bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe
396	xdobsys.exe
396	xdobsys.exe
4276	bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe
4276	bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe
396	xdobsys.exe
396	xdobsys.exe
4276	bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe
4276	bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe
396	xdobsys.exe
396	xdobsys.exe
4276	bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe
4276	bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe
396	xdobsys.exe
396	xdobsys.exe
4276	bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe
4276	bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe
396	xdobsys.exe
396	xdobsys.exe
4276	bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe
4276	bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe
396	xdobsys.exe
396	xdobsys.exe
4276	bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe
4276	bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe
396	xdobsys.exe
396	xdobsys.exe
4276	bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe
4276	bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe
396	xdobsys.exe
396	xdobsys.exe
4276	bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe
4276	bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe
396	xdobsys.exe
396	xdobsys.exe
4276	bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe
4276	bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe
396	xdobsys.exe
396	xdobsys.exe
4276	bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe
4276	bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe
396	xdobsys.exe
396	xdobsys.exe
4276	bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe
4276	bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe
396	xdobsys.exe
396	xdobsys.exe
4276	bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe
4276	bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe
396	xdobsys.exe
396	xdobsys.exe
4276	bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe
4276	bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe
396	xdobsys.exe
396	xdobsys.exe
4276	bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe
4276	bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4276 wrote to memory of 396	4276	bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe	89
PID 4276 wrote to memory of 396	4276	bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe	89
PID 4276 wrote to memory of 396	4276	bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe	89

C:\Users\Admin\AppData\Local\Temp\bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe
"C:\Users\Admin\AppData\Local\Temp\bec8bda418f414925e9e6f472ea923fbc4cf96a4529a5700e9e2fd49b13bf964.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4276
- C:\UserDotGV\xdobsys.exe
  C:\UserDotGV\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBVQ\bodaloc.exe

Filesize
3KB

MD5
c7b51062c87a208f9442963c2b20d250

SHA1
0e547612586c272a27827db5dbbed56d37a255e7

SHA256
e3b4eadabd908d54c7c9252808b2cf750431927782a3b7b3e596467be1bde3e0

SHA512
fa80cfdd204d057f6913115178e8c1aa005c35300a166dbe3f278d747a2bd73b6ffc6df2602db45993d1fb681a48db8e6b9a5567228ee5007c7d933035c55e9c

Download Submit
C:\UserDotGV\xdobsys.exe

Filesize
2.7MB

MD5
fbaedf96a65d11fbf4bfd2773a063f8a

SHA1
e131c8187d6d9812770b071f8d57c667800d3379

SHA256
7d9397dcdc9bbc6c9d0ab13ded9081d06787e12824e22a334f5057af4507c65c

SHA512
886da6080537faffb55172a2af08db20ba81d72c3fe705405c9c9057c45331e28f5d20363cab5d8bfcbe4da5df5f3f2c39e888105ccc2d9cb6b4f10cde842c86

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
ad3a035a9d476dbd6bb96b151ec2104c

SHA1
7ff0dd177abe5a7343854baf68fc9fe71ce13d81

SHA256
ee321fc59cc6baec27eea8499a17fd7e942621ac356a8ff9c86c494e9a322aac

SHA512
9e92c9e52f0b1daa77f1603391bd9fa61648c9c9818aa1da09acfae041b0b40ae6234cf90d409b7cc72fc6c12f8c1a68d8fb4cc5b8edba628e43c295f1db9f80

Download Submit