59a88fb3571c7839d37bc090322ee9d6003355d45fa881fa7b722ce233b514a7

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a129fff61c52a1e98de3db21daa75b0N.exe
Size

2.7MB
MD5

6a129fff61c52a1e98de3db21daa75b0
SHA1

3a191b45c786691c7e8d5b6c98f3d296a9502b4d
SHA256

59a88fb3571c7839d37bc090322ee9d6003355d45fa881fa7b722ce233b514a7
SHA512

008ddc15119315b21bd2f9eb04fb8bd53c116f97d0c668c567557022b79dc2bc8122a30482683af444b51037f6317dd677a81e2ea72b600f08e9c7da70b1a01d
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBb9w4S+:+R0pI/IQlUoMPdmpSp74X

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2656	xbodsys.exe

Loads dropped DLL 1 IoCs

pid	Process
2852	6a129fff61c52a1e98de3db21daa75b0N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvWH\\xbodsys.exe"	6a129fff61c52a1e98de3db21daa75b0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZEP\\dobdevloc.exe"	6a129fff61c52a1e98de3db21daa75b0N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a129fff61c52a1e98de3db21daa75b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2852	6a129fff61c52a1e98de3db21daa75b0N.exe
2852	6a129fff61c52a1e98de3db21daa75b0N.exe
2656	xbodsys.exe
2852	6a129fff61c52a1e98de3db21daa75b0N.exe
2656	xbodsys.exe
2852	6a129fff61c52a1e98de3db21daa75b0N.exe
2656	xbodsys.exe
2852	6a129fff61c52a1e98de3db21daa75b0N.exe
2656	xbodsys.exe
2852	6a129fff61c52a1e98de3db21daa75b0N.exe
2656	xbodsys.exe
2852	6a129fff61c52a1e98de3db21daa75b0N.exe
2656	xbodsys.exe
2852	6a129fff61c52a1e98de3db21daa75b0N.exe
2656	xbodsys.exe
2852	6a129fff61c52a1e98de3db21daa75b0N.exe
2656	xbodsys.exe
2852	6a129fff61c52a1e98de3db21daa75b0N.exe
2656	xbodsys.exe
2852	6a129fff61c52a1e98de3db21daa75b0N.exe
2656	xbodsys.exe
2852	6a129fff61c52a1e98de3db21daa75b0N.exe
2656	xbodsys.exe
2852	6a129fff61c52a1e98de3db21daa75b0N.exe
2656	xbodsys.exe
2852	6a129fff61c52a1e98de3db21daa75b0N.exe
2656	xbodsys.exe
2852	6a129fff61c52a1e98de3db21daa75b0N.exe
2656	xbodsys.exe
2852	6a129fff61c52a1e98de3db21daa75b0N.exe
2656	xbodsys.exe
2852	6a129fff61c52a1e98de3db21daa75b0N.exe
2656	xbodsys.exe
2852	6a129fff61c52a1e98de3db21daa75b0N.exe
2656	xbodsys.exe
2852	6a129fff61c52a1e98de3db21daa75b0N.exe
2656	xbodsys.exe
2852	6a129fff61c52a1e98de3db21daa75b0N.exe
2656	xbodsys.exe
2852	6a129fff61c52a1e98de3db21daa75b0N.exe
2656	xbodsys.exe
2852	6a129fff61c52a1e98de3db21daa75b0N.exe
2656	xbodsys.exe
2852	6a129fff61c52a1e98de3db21daa75b0N.exe
2656	xbodsys.exe
2852	6a129fff61c52a1e98de3db21daa75b0N.exe
2656	xbodsys.exe
2852	6a129fff61c52a1e98de3db21daa75b0N.exe
2656	xbodsys.exe
2852	6a129fff61c52a1e98de3db21daa75b0N.exe
2656	xbodsys.exe
2852	6a129fff61c52a1e98de3db21daa75b0N.exe
2656	xbodsys.exe
2852	6a129fff61c52a1e98de3db21daa75b0N.exe
2656	xbodsys.exe
2852	6a129fff61c52a1e98de3db21daa75b0N.exe
2656	xbodsys.exe
2852	6a129fff61c52a1e98de3db21daa75b0N.exe
2656	xbodsys.exe
2852	6a129fff61c52a1e98de3db21daa75b0N.exe
2656	xbodsys.exe
2852	6a129fff61c52a1e98de3db21daa75b0N.exe
2656	xbodsys.exe
2852	6a129fff61c52a1e98de3db21daa75b0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2656	2852	6a129fff61c52a1e98de3db21daa75b0N.exe	30
PID 2852 wrote to memory of 2656	2852	6a129fff61c52a1e98de3db21daa75b0N.exe	30
PID 2852 wrote to memory of 2656	2852	6a129fff61c52a1e98de3db21daa75b0N.exe	30
PID 2852 wrote to memory of 2656	2852	6a129fff61c52a1e98de3db21daa75b0N.exe	30

C:\Users\Admin\AppData\Local\Temp\6a129fff61c52a1e98de3db21daa75b0N.exe
"C:\Users\Admin\AppData\Local\Temp\6a129fff61c52a1e98de3db21daa75b0N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2852
- C:\SysDrvWH\xbodsys.exe
  C:\SysDrvWH\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZEP\dobdevloc.exe

Filesize
44KB

MD5
152adfe481ced658e20985f7e54f0662

SHA1
d40e90f4f6cf6927c554c8412181f45983f41566

SHA256
90c23d6898ba2b155f770e72796294fad8879498c2b492dc64e87dbefe9b4398

SHA512
423224cf1d31327a7463535c96766b895a91e719aca8a6cf25115d58499cb495e6d3cd81e505b759b52b47f75167243f6456d5e4db9519652dbf7a8c31abbac1

Download Submit
C:\LabZEP\dobdevloc.exe

Filesize
2.7MB

MD5
9db24087fc0918d608d831eddd3be1e3

SHA1
564b31471cad9bd81b65949bd051b889c6efdeb9

SHA256
ad61685ff49e37b5825c7dd8e9809a3ed3e7d6b984784f919fb6ca43b990f3dd

SHA512
82c5db30afdcb04cb9d56a5b644527b8a02b114ffe6c2c994ff8ed238630dd7d682571db74c8c1a412a79da4103357ef7d505a5d76d6d5dbb7a301df6e14a28d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
7d9d74ba49dd83de09c6d02a9cdb4f7f

SHA1
522a147dc5cf6c9c32b6acdbeeb49a03972135ee

SHA256
2f036b98113e163b3e09b4e60ce92f7adf0098885ffee81605f38dfd2b81cb2f

SHA512
8d56a85b9258dbc29afff33bb049d09700e4a78c3efb2791c5b951724c68d818889c35ad291d8d892618b803c313220f3865ab95d9c45013a1e21c5a66e94bcb

Download Submit
\SysDrvWH\xbodsys.exe

Filesize
2.7MB

MD5
1d99b221f34c6a552c2ebbebdbca64bd

SHA1
89c4ce1c245491cafbae898e17a43bed6897e1ff

SHA256
e35d2e6f0d7595a59cb137a89c7b1ddb20aa985e630b5aab346ea4efd6efe6b2

SHA512
d9a33dcd27f3e654c6448b2912b03cc56e667847fbf22e63cfffb835775e3cd0660b596bcac80bc5c45971f1d323961889d0906cccc67eb21f3f296b76424ee0

Download Submit