Analysis
max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags
arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted
24/08/2024, 21:57
Static task
static1
Behavioral task
behavioral1
Sample
35e70875e812ac8383c01c66741805e0N.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
35e70875e812ac8383c01c66741805e0N.exe
Resource
win10v2004-20240802-en
General
Target
35e70875e812ac8383c01c66741805e0N.exe
Size
2.7MB
MD5
35e70875e812ac8383c01c66741805e0
SHA1
a2ef611c57ce7e7ac29dc652d01225cf69734033
SHA256
f853651eef774acb0e4ad3104cc1aedd2630c1b17388cd0496b5f97831d0fd9b
SHA512
606904076e4d70f26f2d24819575083857fd2ab6998a2a90eb2564afd700998d03e0d0a6afad116ead63f702599ff3ab876bbeee730125cd1d27e13a118a4711
SSDEEP
49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBA9w4Sx:+R0pI/IQlUoMPdmpSpO4
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid  Process
2072  xbodloc.exe
-
Loads dropped DLL 1 IoCs
pid  Process
948  35e70875e812ac8383c01c66741805e0N.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesD2\\xbodloc.exe"  35e70875e812ac8383c01c66741805e0N.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBRL\\optiaec.exe"  35e70875e812ac8383c01c66741805e0N.exe
Both values are written under the submitting user's own hive (HKCU), so no elevation is needed and the persistence is per-account. The same value name "Parametr" is used in Run and in RunOnce, pointing at two different executables in non-standard top-level directories (C:\FilesD2, C:\KaVBRL).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  35e70875e812ac8383c01c66741805e0N.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  xbodloc.exe
On its own this is weak evidence, since benign programs open the same key through the Windows locale APIs; it is notable here mainly because both the sample and its dropped child do it.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid  Process
948  35e70875e812ac8383c01c66741805e0N.exe
2072  xbodloc.exe
(64 entries in total, alternating between the two processes above)
-
Suspicious use of WriteProcessMemory 4 IoCs
description  pid  Process  procid_target
PID 948 wrote to memory of 2072  948  35e70875e812ac8383c01c66741805e0N.exe  29
(the same row is recorded 4 times)
All four writes go from the sample into PID 2072, the dropped xbodloc.exe that the sample itself spawned (see Processes); no write into a pre-existing process is recorded.
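The Run/RunOnce rows above are the kind of IoC a detection rule should turn into an alert. The following is an added example written for this page, not sandbox output or code from the sample: it parses rows shaped like the "Adds Run key" IoCs (the first two input rows are this report's values; the benign Windows Defender row, the PID-less "Key opened" row, the trusted-directory list and the "custom top-level directory" heuristic are constructed assumptions of the example) and flags autostart values whose target lives outside the usual program directories.

```python
"""Flag Run/RunOnce persistence entries that point at non-standard locations.

Added example for this report; it is not sandbox output. Input rows are
constructed in the shape of the "Adds Run key" IoC rows
(description, registry path = "data", writing process).
"""
import re
from dataclasses import dataclass

# First two rows carry the values from this report; the third is a made-up
# benign row, the fourth a non-Run event that the parser must ignore.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesD2\\xbodloc.exe" 35e70875e812ac8383c01c66741805e0N.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBRL\\optiaec.exe" 35e70875e812ac8383c01c66741805e0N.exe',
    r'Set value (str) \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Program Files\\Windows Defender\\MSASCuiL.exe" explorer.exe',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xbodloc.exe',
]

# Autostart keys covered by ATT&CK T1547.001 (Registry Run Keys / Startup Folder).
RUN_KEY = re.compile(
    r'^Set value \((?P<type>\w+)\) '
    r'(?P<key>\\REGISTRY\\(?:USER|MACHINE)\\.*?\\CurrentVersion\\'
    r'(?P<hive>RunOnce|RunServicesOnce|RunServices|Run)\\(?P<name>[^\s\\=]+)) '
    r'= "(?P<data>.*)" (?P<proc>\S+)$',
    re.IGNORECASE,
)

# Assumptions of this example: where legitimately installed autostart targets live.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
STANDARD_TOP_DIRS = {"windows", "program files", "program files (x86)", "programdata", "users"}


@dataclass(frozen=True)
class Finding:
    hive: str
    value_name: str
    target: str
    writer: str
    reasons: tuple


def executable_in(data: str) -> str:
    """Recover the launched file from the value data.

    Sandbox output escapes each path separator as two backslashes, and the
    path may be quoted or followed by arguments.
    """
    text = data.replace("\\\\", "\\").strip().strip('"')
    m = re.match(r"^(.*?\.(?:exe|dll|scr|bat|cmd|vbs|js|ps1))", text, re.IGNORECASE)
    return m.group(1) if m else text.split(" ")[0]


def suspicious_reasons(exe: str) -> tuple:
    """Heuristics chosen for this example, not rules taken from the report."""
    low = exe.lower()
    reasons = []
    if not low.startswith(TRUSTED_PREFIXES):
        reasons.append("target outside Windows/Program Files")
    # C:\FilesD2\x.exe style: a freshly made directory directly under the drive root.
    top = re.match(r"^[a-z]:\\([^\\]+)\\[^\\]+$", low)
    if top and top.group(1) not in STANDARD_TOP_DIRS:
        reasons.append(f"target in custom top-level directory {top.group(1)!r}")
    return tuple(reasons)


def scan(lines):
    """Return one Finding per Run/RunOnce write whose target looks suspicious."""
    findings = []
    for line in lines:
        m = RUN_KEY.match(line)
        if not m:
            continue
        exe = executable_in(m.group("data"))
        reasons = suspicious_reasons(exe)
        if reasons:
            findings.append(Finding(m.group("hive"), m.group("name"), exe, m.group("proc"), reasons))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.hive}\\{f.value_name} -> {f.target} (written by {f.writer}): {'; '.join(f.reasons)}")
```

Run stand-alone it reports the two "Parametr" values and stays silent on the constructed Program Files row; the "Key opened" row never reaches the heuristics because it is not a Run-key write.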
Processes
-
C:\Users\Admin\AppData\Local\Temp\35e70875e812ac8383c01c66741805e0N.exe
"C:\Users\Admin\AppData\Local\Temp\35e70875e812ac8383c01c66741805e0N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:948 -
C:\FilesD2\xbodloc.exe
C:\FilesD2\xbodloc.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2072
-
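The WriteProcessMemory signature only becomes meaningful once it is read together with the process tree above: the sample writes into a child it created, not into a foreign process. The following is an added example for this page, not sandbox output or code from the sample. It turns the report's four "wrote to memory" rows and the parent/child relation shown under Processes into a per-edge summary, classifying each edge as a write into the writer's own child or a cross-process write; the fifth input row and the PID 1440 process are constructed to show the contrasting case.

```python
"""Classify WriteProcessMemory edges using the process tree.

Added example for this report, not sandbox output. The first four rows are the
report's own "Suspicious use of WriteProcessMemory" IoCs; the fifth row and the
PID 1440 process are constructed to show the contrasting case.
"""
import re

WRITE_EVENTS = [
    "PID 948 wrote to memory of 2072 948 35e70875e812ac8383c01c66741805e0N.exe 29",
    "PID 948 wrote to memory of 2072 948 35e70875e812ac8383c01c66741805e0N.exe 29",
    "PID 948 wrote to memory of 2072 948 35e70875e812ac8383c01c66741805e0N.exe 29",
    "PID 948 wrote to memory of 2072 948 35e70875e812ac8383c01c66741805e0N.exe 29",
    "PID 2072 wrote to memory of 1440 2072 xbodloc.exe 31",  # constructed, not in the report
]

# pid -> parent pid. 2072 under 948 is the tree shown under Processes; 1440 is a
# constructed stand-in for a process the malware did not create.
PROCESS_TREE = {948: None, 2072: 948, 1440: None}

# Row shape: description, pid, Process, procid_target.
WRITE_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<pid>\d+) (?P<proc>\S+) (?P<procid>\d+)$"
)


def classify(src: int, dst: int, tree: dict) -> str:
    """'own-child' if the writer spawned the target, else 'cross-process'.

    A parent writing into a child it just created is ambiguous (normal start-up
    and process hollowing both look like this); a write into a process the writer
    did not create is the stronger injection signal.
    """
    return "own-child" if tree.get(dst) == src else "cross-process"


def summarize_writes(lines, tree):
    """Aggregate rows into {(src, dst): {"count", "writer", "class"}}."""
    summary = {}
    for line in lines:
        m = WRITE_RE.match(line)
        if not m:
            continue
        src, dst = int(m.group("src")), int(m.group("dst"))
        entry = summary.setdefault(
            (src, dst),
            {"count": 0, "writer": m.group("proc"), "class": classify(src, dst, tree)},
        )
        entry["count"] += 1
    return summary


if __name__ == "__main__":
    for (src, dst), info in summarize_writes(WRITE_EVENTS, PROCESS_TREE).items():
        print(f"{src} -> {dst}: {info['count']} write(s) by {info['writer']} [{info['class']}]")
```

Applied to the report's rows alone, the only edge is 948 -> 2072 with four writes, classified own-child; the constructed 2072 -> 1440 row is what a cross-process injection would look like in the same table.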
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
55KB
MD5
f4f6f7cf635a7dc89cf2de93aaf23cf0
SHA1
d27865a539055547390b30b0c05434ff8abb1f6c
SHA256
e97cc6b9ec92514e388bf7a36e238e203cdbb8c9c32c6fd05808d83c03a682b1
SHA512
20ce5f12a6eaafe9840990d5e3c1381ed4bbc59bfe8815ef41de64b85631577032340b71f65c8c119b3cdde94a7f8510a98199b7db97b709ae9e584ffafd8955
-
Filesize
2.7MB
MD5
46b809a78ebf02d8ebdf095281c1dcc2
SHA1
13c49e4b8b88561211d27764c1a5f2a54df803a6
SHA256
9d7093b2cf7d56a08c5452589479987b6cca45c25d6b7e772428e70992f59ed7
SHA512
3b7ee5f34f9dd158e564a21772f8a1794495365d6b3d4e8d65784ed41119cff87ae7204a8bd3404f5024ec4ef702fc199508604e1cf0e2f872aed4a19f943340
-
Filesize
200B
MD5
7b1e6bdb5d0d1fcaf188495e82f9560c
SHA1
65ae3bf06f42334c4f333fd32eaf84792f393a52
SHA256
a25458ff5763ed6fb2fcf02e6921e3c4d7bf75a4eee1eea52e5a32be31abdc22
SHA512
83e74d9ff5d22b05f949504c2d9c5032eb9994f8119f84f41175b176799020f7c98efaa8e5c96d68ba2f3f21056cbb7c8afaa627ff9efda0ee506949666b870f
-
Filesize
2.7MB
MD5
d1aeb225d2087a77d3d9b8bd7dcf96c2
SHA1
a6e6833479892c556357ed40a80cf5effb21118e
SHA256
ce30808819d88557655e041d7c29bd33175e8fccda355694015afddd80906c6d
SHA512
fe18ba555d324bd4b90ff539dac8e2c3e4e2371db784e89a1f8c356661e4dd6c8934986726138ec156f7575c040104e4f98847693fdc5815e6f224d705ee8426