c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 02:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe
Size

2.7MB
MD5

04160aa426263ea895a7008ecca806e0
SHA1

063d465187ed434ca937259efe67a7b4061291c7
SHA256

c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2
SHA512

c2ff38c4079023457714886ac427710f96fc9481cffb7294f15f8b778233e6ca70d74486fa6eca93097fa7447ae33cf38811a7d7b0013e9f89a6b94c625a5be5
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBf9w4Sx:+R0pI/IQlUoMPdmpSpP4

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2896	xbodec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe02\\xbodec.exe"	c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBXK\\dobxec.exe"	c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1496	c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe
1496	c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe
1496	c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe
1496	c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe
2896	xbodec.exe
2896	xbodec.exe
1496	c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe
1496	c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe
2896	xbodec.exe
2896	xbodec.exe
1496	c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe
1496	c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe
2896	xbodec.exe
2896	xbodec.exe
1496	c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe
1496	c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe
2896	xbodec.exe
2896	xbodec.exe
1496	c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe
1496	c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe
2896	xbodec.exe
2896	xbodec.exe
1496	c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe
1496	c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe
2896	xbodec.exe
2896	xbodec.exe
1496	c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe
1496	c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe
2896	xbodec.exe
2896	xbodec.exe
1496	c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe
1496	c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe
2896	xbodec.exe
2896	xbodec.exe
1496	c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe
1496	c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe
2896	xbodec.exe
2896	xbodec.exe
1496	c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe
1496	c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe
2896	xbodec.exe
2896	xbodec.exe
1496	c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe
1496	c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe
2896	xbodec.exe
2896	xbodec.exe
1496	c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe
1496	c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe
2896	xbodec.exe
2896	xbodec.exe
1496	c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe
1496	c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe
2896	xbodec.exe
2896	xbodec.exe
1496	c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe
1496	c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe
2896	xbodec.exe
2896	xbodec.exe
1496	c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe
1496	c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe
2896	xbodec.exe
2896	xbodec.exe
1496	c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe
1496	c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 2896	1496	c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe	89
PID 1496 wrote to memory of 2896	1496	c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe	89
PID 1496 wrote to memory of 2896	1496	c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe	89

C:\Users\Admin\AppData\Local\Temp\c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe
"C:\Users\Admin\AppData\Local\Temp\c66dfcc18a9e9f2cec1e15cc94210aa69f62894d1db3b0315bd1648a819dfea2N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Adobe02\xbodec.exe
  C:\Adobe02\xbodec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4336,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=3776 /prefetch:8
1⤵
PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe02\xbodec.exe

Filesize
2.7MB

MD5
c83eaeae053b7d731fba8ca9417c314f

SHA1
2473b9cd695f3e70a6303d5134e14f2c48889320

SHA256
5063138dff56ef7518e4127a4362d217a4acd51c993afbcfe82c24ba1dea5da5

SHA512
a7f838b509b9de96ee5343bea698a938ddef1cb6ee38c237a3ca89cccfda85b71f85224ec33650ac82fbe541985f34df5bd40dd5b399d34040126b2dbcdf8974

Download Submit
C:\KaVBXK\dobxec.exe

Filesize
2.7MB

MD5
71e8bdb9974d35d9417a3e375a879516

SHA1
3e9b9a4a5c06029d1da8aaee19f9c532e2afc876

SHA256
a512b45d18415b638c11fda189063b488253ad5ee8e1f2e2637cefa311ee1fdd

SHA512
e1681e93a515ccb4019d500cab42a5c763d120b3147ea0b579ea64a23a55892ea1c406296215b963ef0ab9bc3d36d39adffb9282acf9baf2e46e2267d90e429c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
198B

MD5
268dcc03422b79acaa7215b079e65493

SHA1
d73c9df0af4c31492595d3314bc852f79196de26

SHA256
6b4f0f6ab3da4a7bfd4865c34c9489e472139747b2184668cc27ca306c4034d0

SHA512
06e6ec42e88825215c6df17b179bbc23bc29fe0b35fa56e4f2810aad293b0a05728355c7fc0ad9cafd2f26d0f05349cc8abd5b98f11c0eb9335ef36fdf92b4c9

Download Submit