8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07

General

Target

8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe
Size

714KB
MD5

6d83d702fad47bf24a04c4b3e2c9d930
SHA1

e706a46e3bbb821e8f4aec1f3e488be1504b855b
SHA256

8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07
SHA512

62cda9516333dfe92d4099f2cc25d8e434ac23abc28dbd522695b200a4a1545473a6a419bd9ac8fadb54283980a82f37d1faa2ab32df92a9d10e74750c58499d
SSDEEP

12288:mSuYrHkpL3KyptgMzPez1OkvHj3CfL0PzGJRZLB3LE:X1kpL3KyAWPez1fD3mLIzGvZt3LE

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3172	xlobkpb.exe
4908	xlobkpb.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4824 set thread context of 4064	4824	8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe	83
PID 3172 set thread context of 4908	3172	xlobkpb.exe	85

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4824	8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe
4824	8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe
4064	8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe
4064	8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe
3172	xlobkpb.exe
3172	xlobkpb.exe
4908	xlobkpb.exe
4908	xlobkpb.exe
4908	xlobkpb.exe
4908	xlobkpb.exe
4908	xlobkpb.exe
4908	xlobkpb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4908	xlobkpb.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4824	8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe
4824	8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe
3172	xlobkpb.exe
3172	xlobkpb.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 4064	4824	8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe	83
PID 4824 wrote to memory of 4064	4824	8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe	83
PID 4824 wrote to memory of 4064	4824	8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe	83
PID 4824 wrote to memory of 4064	4824	8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe	83
PID 4824 wrote to memory of 4064	4824	8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe	83
PID 4824 wrote to memory of 4064	4824	8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe	83
PID 4824 wrote to memory of 4064	4824	8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe	83
PID 3172 wrote to memory of 4908	3172	xlobkpb.exe	85
PID 3172 wrote to memory of 4908	3172	xlobkpb.exe	85
PID 3172 wrote to memory of 4908	3172	xlobkpb.exe	85
PID 3172 wrote to memory of 4908	3172	xlobkpb.exe	85
PID 3172 wrote to memory of 4908	3172	xlobkpb.exe	85
PID 3172 wrote to memory of 4908	3172	xlobkpb.exe	85
PID 3172 wrote to memory of 4908	3172	xlobkpb.exe	85
PID 4908 wrote to memory of 788	4908	xlobkpb.exe	1
PID 788 wrote to memory of 2264	788	svchost.exe	87
PID 788 wrote to memory of 2264	788	svchost.exe	87
PID 788 wrote to memory of 5052	788	svchost.exe	93
PID 788 wrote to memory of 5052	788	svchost.exe	93

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Suspicious use of WriteProcessMemory
PID:788
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  PID:2264
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  PID:5052

C:\Users\Admin\AppData\Local\Temp\8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe
"C:\Users\Admin\AppData\Local\Temp\8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Users\Admin\AppData\Local\Temp\8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe
  C:\Users\Admin\AppData\Local\Temp\8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4064

C:\Users\Admin\AppData\Local\Temp\xlobkpb.exe
C:\Users\Admin\AppData\Local\Temp\xlobkpb.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Users\Admin\AppData\Local\Temp\xlobkpb.exe
  C:\Users\Admin\AppData\Local\Temp\xlobkpb.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4908

Network

No results found

93.184.220.29:80

322 B
7
93.184.220.29:80

322 B
7
209.197.3.8:80

322 B
7
51.116.253.168:443

322 B
7
104.80.225.205:443

322 B
7
93.184.220.29:80

322 B
7

No results found

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ssh\xkefqne

Filesize
654B

MD5
a2e61a37bfb9f8fbfade4a278b45422a

SHA1
2e0e444bc11483dd39639a717665ca0ca26fd2ff

SHA256
5110acf59e2ecc2aecf0fe01c67920e7ba81578ee0a3c6bf608085ab12e66658

SHA512
13fe7b443dc27c413df11d02959a7f169253f02ab79701022179a2f52df666ffe38c06e514c3a8a12720b7f4f043d191aa595b770b5cfbb3663174817f689673

Download Submit
C:\ProgramData\ssh\xkefqne

Filesize
654B

MD5
a2e61a37bfb9f8fbfade4a278b45422a

SHA1
2e0e444bc11483dd39639a717665ca0ca26fd2ff

SHA256
5110acf59e2ecc2aecf0fe01c67920e7ba81578ee0a3c6bf608085ab12e66658

SHA512
13fe7b443dc27c413df11d02959a7f169253f02ab79701022179a2f52df666ffe38c06e514c3a8a12720b7f4f043d191aa595b770b5cfbb3663174817f689673

Download Submit
C:\Users\Admin\AppData\Local\Temp\xlobkpb.exe

Filesize
714KB

MD5
6d83d702fad47bf24a04c4b3e2c9d930

SHA1
e706a46e3bbb821e8f4aec1f3e488be1504b855b

SHA256
8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07

SHA512
62cda9516333dfe92d4099f2cc25d8e434ac23abc28dbd522695b200a4a1545473a6a419bd9ac8fadb54283980a82f37d1faa2ab32df92a9d10e74750c58499d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xlobkpb.exe

Filesize
714KB

MD5
6d83d702fad47bf24a04c4b3e2c9d930

SHA1
e706a46e3bbb821e8f4aec1f3e488be1504b855b

SHA256
8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07

SHA512
62cda9516333dfe92d4099f2cc25d8e434ac23abc28dbd522695b200a4a1545473a6a419bd9ac8fadb54283980a82f37d1faa2ab32df92a9d10e74750c58499d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xlobkpb.exe

Filesize
714KB

MD5
6d83d702fad47bf24a04c4b3e2c9d930

SHA1
e706a46e3bbb821e8f4aec1f3e488be1504b855b

SHA256
8c5385fccd9d705cca3f3e85227db53c67cfe19ae5460b4335bcf39a32c9ff07

SHA512
62cda9516333dfe92d4099f2cc25d8e434ac23abc28dbd522695b200a4a1545473a6a419bd9ac8fadb54283980a82f37d1faa2ab32df92a9d10e74750c58499d

Download Submit
memory/788-147-0x000000000F580000-0x000000000F5F7000-memory.dmp

Filesize
476KB

Download
memory/4064-137-0x0000000028B80000-0x0000000028DCB000-memory.dmp

Filesize
2.3MB

Download
memory/4064-138-0x0000000000400000-0x00000000004A4600-memory.dmp

Filesize
657KB

Download
memory/4064-136-0x0000000028960000-0x0000000028B7A000-memory.dmp

Filesize
2.1MB

Download
memory/4064-133-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4824-134-0x0000000002260000-0x0000000002264000-memory.dmp

Filesize
16KB

Download
memory/4908-146-0x0000000028C70000-0x0000000028EBB000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing