7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a

Analysis

max time kernel
150s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 22:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe
Size

3.1MB
MD5

378bacff7efdeeab1dd2e47fd11503b7
SHA1

2310a2d197f24e5b526ad4f93fe03a2b19c529df
SHA256

7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a
SHA512

19c534b3f1594bb2717a5cfb9dd6747219ed75f751d59fdf4efffdad5bc3d52a73602350dca4fe7acec0c7daaec8385bdc5ac33eb87b7f81540f8d4c65bbd152
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBL9w4Su+LNfej:+R0pI/IQlUoMPdmpSpz4JkNfej

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2768	xbodsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvMH\\xbodsys.exe"	7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZY0\\dobdevec.exe"	7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1492	7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe
1492	7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe
1492	7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe
1492	7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe
2768	xbodsys.exe
2768	xbodsys.exe
1492	7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe
1492	7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe
2768	xbodsys.exe
2768	xbodsys.exe
1492	7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe
1492	7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe
2768	xbodsys.exe
2768	xbodsys.exe
1492	7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe
1492	7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe
2768	xbodsys.exe
2768	xbodsys.exe
1492	7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe
1492	7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe
2768	xbodsys.exe
2768	xbodsys.exe
1492	7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe
1492	7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe
2768	xbodsys.exe
2768	xbodsys.exe
1492	7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe
1492	7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe
2768	xbodsys.exe
2768	xbodsys.exe
1492	7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe
1492	7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe
2768	xbodsys.exe
2768	xbodsys.exe
1492	7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe
1492	7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe
2768	xbodsys.exe
2768	xbodsys.exe
1492	7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe
1492	7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe
2768	xbodsys.exe
2768	xbodsys.exe
1492	7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe
1492	7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe
2768	xbodsys.exe
2768	xbodsys.exe
1492	7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe
1492	7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe
2768	xbodsys.exe
2768	xbodsys.exe
1492	7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe
1492	7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe
2768	xbodsys.exe
2768	xbodsys.exe
1492	7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe
1492	7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe
2768	xbodsys.exe
2768	xbodsys.exe
1492	7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe
1492	7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe
2768	xbodsys.exe
2768	xbodsys.exe
1492	7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe
1492	7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 2768	1492	7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe	94
PID 1492 wrote to memory of 2768	1492	7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe	94
PID 1492 wrote to memory of 2768	1492	7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe	94

C:\Users\Admin\AppData\Local\Temp\7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe
"C:\Users\Admin\AppData\Local\Temp\7adbb29890acdbe944f3955ca6eb412ba1450b21b2246f77b9eb2c924e244b6a.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1492
- C:\SysDrvMH\xbodsys.exe
  C:\SysDrvMH\xbodsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4020,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=4108 /prefetch:8
1⤵
PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZY0\dobdevec.exe

Filesize
3.1MB

MD5
8f5896e6bd4d345dd284ab85bc4985fb

SHA1
b329c48e49be31c25c96dbc18d09405b91487ee8

SHA256
b7dd8cb02d39b33b698fa9bad4209a174870516e27b6e56b8140b034acec32a5

SHA512
3559c49e2608ff7c86cdd353eafe594f5d5f25f62f9c67a449b18e7ecb7951e10b9d64fe45de63bfb5752aace0baf24730f9276da848a185e5c6b850103db5cb

Download Submit
C:\SysDrvMH\xbodsys.exe

Filesize
3.1MB

MD5
81d5c19d21c9a0e18085ae4bba94866d

SHA1
3e86027489823f80fb3bccfa253e42d62c3f6aa4

SHA256
ca2d11e9100b814032b85873e5ae3dd33e6d929873f37c17ff6289fe5ebe85a2

SHA512
a47c4f99d961148da62d496abedeebd7b65386f9c8729aa574b579d0662671ea91a0fe895cae9fb549d6f5e5f6ad28152f5696579d0d48ae44cb58c27980f05a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
a59054717aef18d715ebb1e8ffb833d1

SHA1
306c742669bf28b1072a6634bc38e8c284b07b07

SHA256
697ab9455f35f1c93db3c867a6e4294edb0d6aa4617343420ee86dfe5a51f6b4

SHA512
d2e35cd1e25eb65f2370d0fcd195cf5826d74a8a13f647276250e83f8e73d42f55c3e81ab5bfa224dd71a9e21a9a68386aec5fe32b57c590e20692462f6f104a

Download Submit