bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 04:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe
Size

2.7MB
MD5

31594ef2e79383a89f81f4590fcf2423
SHA1

d13a297b0d1e8e6497364eb893a9d9b878310f7a
SHA256

bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1
SHA512

9ca68a6a588fccea45c1562128b11b7f9180ffce71e9ecadc444f12a50740be84b6a83e64321b597335bb36ae3f99530a7746d11a688cce214c5c9c5529338f6
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB09w4S+:+R0pI/IQlUoMPdmpSp64X

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2132	xbodsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocBU\\xbodsys.exe"	bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZEN\\optialoc.exe"	bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3184	bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe
3184	bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe
3184	bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe
3184	bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe
2132	xbodsys.exe
2132	xbodsys.exe
3184	bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe
3184	bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe
2132	xbodsys.exe
2132	xbodsys.exe
3184	bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe
3184	bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe
2132	xbodsys.exe
2132	xbodsys.exe
3184	bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe
3184	bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe
2132	xbodsys.exe
2132	xbodsys.exe
3184	bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe
3184	bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe
2132	xbodsys.exe
2132	xbodsys.exe
3184	bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe
3184	bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe
2132	xbodsys.exe
2132	xbodsys.exe
3184	bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe
3184	bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe
2132	xbodsys.exe
2132	xbodsys.exe
3184	bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe
3184	bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe
2132	xbodsys.exe
2132	xbodsys.exe
3184	bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe
3184	bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe
2132	xbodsys.exe
2132	xbodsys.exe
3184	bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe
3184	bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe
2132	xbodsys.exe
2132	xbodsys.exe
3184	bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe
3184	bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe
2132	xbodsys.exe
2132	xbodsys.exe
3184	bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe
3184	bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe
2132	xbodsys.exe
2132	xbodsys.exe
3184	bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe
3184	bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe
2132	xbodsys.exe
2132	xbodsys.exe
3184	bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe
3184	bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe
2132	xbodsys.exe
2132	xbodsys.exe
3184	bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe
3184	bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe
2132	xbodsys.exe
2132	xbodsys.exe
3184	bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe
3184	bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3184 wrote to memory of 2132	3184	bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe	90
PID 3184 wrote to memory of 2132	3184	bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe	90
PID 3184 wrote to memory of 2132	3184	bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe	90

C:\Users\Admin\AppData\Local\Temp\bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe
"C:\Users\Admin\AppData\Local\Temp\bfd8840f6a09deabb3c7d3cb6d4dd60447950a4d596504753cb3984784b042a1.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3184
- C:\IntelprocBU\xbodsys.exe
  C:\IntelprocBU\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocBU\xbodsys.exe

Filesize
2.7MB

MD5
83f50f4229711bff9e723b275ebeedc6

SHA1
516190306ea0489df7f966e8c90501b89b5d94d4

SHA256
0884fdb15faf66c14655c6198959d1d3aa40f4efcce18ab4d2c961f02c2f6bd4

SHA512
b400bc2202ff26a5242551c039ab95d88d417b5d5ec082abf52a556cc71b18f422d43d1719035d7cc0e723c679da33dd805b9f196cd0afbc7395b589404165c1

Download Submit
C:\LabZEN\optialoc.exe

Filesize
976KB

MD5
8d06af6f06d99ac429247b61c0f11d55

SHA1
c9e6b310da1086ada36a43f6140ec2df13225331

SHA256
8dbee90ce6ab2bca7131fece1c5d5daddb4c92f2a9da8401ca788d6dc433060f

SHA512
f4a31b67cab9ec47d16f35370b135156473b688e6688f5a0a810d20ffc3e3338c20522a5ae157594ee457597e9d9124f738556eca584521ad70d7377ab2a3fd9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
8e4f52a500f8bd68a781592f65dafa84

SHA1
a1ac0f8bcd408e4166e099418f2ec5475f497807

SHA256
a91324d16cfc6c0fbe1e1caad96b0a3e8aead88fa9876b992f764e95af421f3c

SHA512
1b7ce5a7aee61c29557b2150c669ebf7b99fb09768ec8d699da2dcfd004f116d56370ae55398db0d5eab78c880f58195ed63195418410b246e6f2b1a558def0b

Download Submit