4371806585704c25df9e64848b614d7b649266c88d2557388e9b052dc1e10ecf

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48659fa38f659570647db84a9e90e600N.exe
Size

2.7MB
MD5

48659fa38f659570647db84a9e90e600
SHA1

611d6f1dc7321edeb5270b6f00496a47e0f680e1
SHA256

4371806585704c25df9e64848b614d7b649266c88d2557388e9b052dc1e10ecf
SHA512

1b073f2d8a33fb06bb31cbfba1a16e781514f406ca216fbf204248e20d1fbba270f9c9157fecd31f623a3ca3f77df23e99028c3ee35064467abfb182ec597685
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBL9w4Sx:+R0pI/IQlUoMPdmpSpf4

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2992	xbodloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2116	48659fa38f659570647db84a9e90e600N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvVF\\xbodloc.exe"	48659fa38f659570647db84a9e90e600N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintLH\\dobasys.exe"	48659fa38f659570647db84a9e90e600N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	48659fa38f659570647db84a9e90e600N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2116	48659fa38f659570647db84a9e90e600N.exe
2116	48659fa38f659570647db84a9e90e600N.exe
2992	xbodloc.exe
2116	48659fa38f659570647db84a9e90e600N.exe
2992	xbodloc.exe
2116	48659fa38f659570647db84a9e90e600N.exe
2992	xbodloc.exe
2116	48659fa38f659570647db84a9e90e600N.exe
2992	xbodloc.exe
2116	48659fa38f659570647db84a9e90e600N.exe
2992	xbodloc.exe
2116	48659fa38f659570647db84a9e90e600N.exe
2992	xbodloc.exe
2116	48659fa38f659570647db84a9e90e600N.exe
2992	xbodloc.exe
2116	48659fa38f659570647db84a9e90e600N.exe
2992	xbodloc.exe
2116	48659fa38f659570647db84a9e90e600N.exe
2992	xbodloc.exe
2116	48659fa38f659570647db84a9e90e600N.exe
2992	xbodloc.exe
2116	48659fa38f659570647db84a9e90e600N.exe
2992	xbodloc.exe
2116	48659fa38f659570647db84a9e90e600N.exe
2992	xbodloc.exe
2116	48659fa38f659570647db84a9e90e600N.exe
2992	xbodloc.exe
2116	48659fa38f659570647db84a9e90e600N.exe
2992	xbodloc.exe
2116	48659fa38f659570647db84a9e90e600N.exe
2992	xbodloc.exe
2116	48659fa38f659570647db84a9e90e600N.exe
2992	xbodloc.exe
2116	48659fa38f659570647db84a9e90e600N.exe
2992	xbodloc.exe
2116	48659fa38f659570647db84a9e90e600N.exe
2992	xbodloc.exe
2116	48659fa38f659570647db84a9e90e600N.exe
2992	xbodloc.exe
2116	48659fa38f659570647db84a9e90e600N.exe
2992	xbodloc.exe
2116	48659fa38f659570647db84a9e90e600N.exe
2992	xbodloc.exe
2116	48659fa38f659570647db84a9e90e600N.exe
2992	xbodloc.exe
2116	48659fa38f659570647db84a9e90e600N.exe
2992	xbodloc.exe
2116	48659fa38f659570647db84a9e90e600N.exe
2992	xbodloc.exe
2116	48659fa38f659570647db84a9e90e600N.exe
2992	xbodloc.exe
2116	48659fa38f659570647db84a9e90e600N.exe
2992	xbodloc.exe
2116	48659fa38f659570647db84a9e90e600N.exe
2992	xbodloc.exe
2116	48659fa38f659570647db84a9e90e600N.exe
2992	xbodloc.exe
2116	48659fa38f659570647db84a9e90e600N.exe
2992	xbodloc.exe
2116	48659fa38f659570647db84a9e90e600N.exe
2992	xbodloc.exe
2116	48659fa38f659570647db84a9e90e600N.exe
2992	xbodloc.exe
2116	48659fa38f659570647db84a9e90e600N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2992	2116	48659fa38f659570647db84a9e90e600N.exe	29
PID 2116 wrote to memory of 2992	2116	48659fa38f659570647db84a9e90e600N.exe	29
PID 2116 wrote to memory of 2992	2116	48659fa38f659570647db84a9e90e600N.exe	29
PID 2116 wrote to memory of 2992	2116	48659fa38f659570647db84a9e90e600N.exe	29

C:\Users\Admin\AppData\Local\Temp\48659fa38f659570647db84a9e90e600N.exe
"C:\Users\Admin\AppData\Local\Temp\48659fa38f659570647db84a9e90e600N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2116
- C:\SysDrvVF\xbodloc.exe
  C:\SysDrvVF\xbodloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintLH\dobasys.exe

Filesize
2.7MB

MD5
20ef143759d97ab3f43f380bd3a0568d

SHA1
99fbf4445eaa82b754a655a5035217ea4ad082a9

SHA256
cbe37cfd55881c07cb41f1eb8448f463c22b4faa851c0da4a3f0937549c2edbd

SHA512
8faea74c0cf71e19b60d87bf7edec5ec0c36fbfeacf3fbc73f13c9e32f89976c2a089b5cba5ad374656e78319b9d14a29fda986c26ffb600d8652b25f209ae54

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
0367423623b2bb92b99fe5f4d5bde38b

SHA1
308dc63bef11962654a3903bc9b94ef5382ce1a6

SHA256
4c1ee03db012d05f1bffd3c99198a8c8c44866bba392298e12eb2bf77fb6d22f

SHA512
0949c4d864c76dc0811a3a4a3dc1a7df4f3d031d7fb746a1294d3ad14a766851063d8f9c7225d08b73c283d9bf4f0e51999834b1fd7d02053db034096dee6905

Download Submit
\SysDrvVF\xbodloc.exe

Filesize
2.7MB

MD5
ed9d7f1fc0378e26a4813420fc51519a

SHA1
b8b9274ef29a53ffb3e563e473f4243156a2c3f6

SHA256
2ab361a851d6bd104ccea99e26625a84836cdb7795a392e60bc700d23dd62c12

SHA512
9252875ef18da7008824019138b07abf7788b18a3b76ea25f5be46679c15de6f578a56bfe941389b1067f055b07892aedab3e1ec572ee1ce9a79b1c468527048

Download Submit