f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674

General

Target

f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674.exe
Size

772KB
MD5

95f60b5b36d63307d83e3f3de9675a1d
SHA1

da733991d9618b3a3bb5cc503ba0e860f1e8ea29
SHA256

f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674
SHA512

de63bb1117043ee0a7fb478c4a2ba3d283d7f3d71f39fdbe357d2aa403f8f4a4e7eafe53595794ef99c35156aedd3854ba2e015b259af573492e90c96e3f34ff
SSDEEP

12288:6sFxcCZxPEWJNy93q0DWm9+X6MSUJKzR9wz2U7qdyys2he3gxNMlKglt8RsrtUvy:bHP7gqXpKGNehe3x3r8CU

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
504	xlobkpb.exe
3720	xlobkpb.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\x\system.pif	xlobkpb.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3788 set thread context of 2156	3788	f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674.exe	81
PID 504 set thread context of 3720	504	xlobkpb.exe	85

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3788	f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674.exe
3788	f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674.exe
2156	f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674.exe
2156	f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674.exe
504	xlobkpb.exe
504	xlobkpb.exe
3720	xlobkpb.exe
3720	xlobkpb.exe
3720	xlobkpb.exe
3720	xlobkpb.exe
3720	xlobkpb.exe
3720	xlobkpb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3720	xlobkpb.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3788	f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674.exe
504	xlobkpb.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3788 wrote to memory of 2156	3788	f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674.exe	81
PID 3788 wrote to memory of 2156	3788	f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674.exe	81
PID 3788 wrote to memory of 2156	3788	f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674.exe	81
PID 3788 wrote to memory of 2156	3788	f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674.exe	81
PID 3788 wrote to memory of 2156	3788	f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674.exe	81
PID 3788 wrote to memory of 2156	3788	f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674.exe	81
PID 3788 wrote to memory of 2156	3788	f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674.exe	81
PID 504 wrote to memory of 3720	504	xlobkpb.exe	85
PID 504 wrote to memory of 3720	504	xlobkpb.exe	85
PID 504 wrote to memory of 3720	504	xlobkpb.exe	85
PID 504 wrote to memory of 3720	504	xlobkpb.exe	85
PID 504 wrote to memory of 3720	504	xlobkpb.exe	85
PID 504 wrote to memory of 3720	504	xlobkpb.exe	85
PID 504 wrote to memory of 3720	504	xlobkpb.exe	85
PID 3720 wrote to memory of 752	3720	xlobkpb.exe	72
PID 752 wrote to memory of 884	752	svchost.exe	92
PID 752 wrote to memory of 884	752	svchost.exe	92

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Suspicious use of WriteProcessMemory
PID:752
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  PID:884

C:\Users\Admin\AppData\Local\Temp\f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674.exe
"C:\Users\Admin\AppData\Local\Temp\f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Users\Admin\AppData\Local\Temp\f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674.exe
  C:\Users\Admin\AppData\Local\Temp\f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2156

C:\Users\Admin\AppData\Local\Temp\xlobkpb.exe
C:\Users\Admin\AppData\Local\Temp\xlobkpb.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:504
- C:\Users\Admin\AppData\Local\Temp\xlobkpb.exe
  C:\Users\Admin\AppData\Local\Temp\xlobkpb.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3720

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SoftwareDistribution\xkefqne

Filesize
654B

MD5
32c22df645efd3290d98f770a4f6f381

SHA1
68c8a185a08a693431a29b817ce0ebf5744b7376

SHA256
d7082b7c7a4c8fac58b286d89291e981e111f8498d416ec06495b5513c83a0e1

SHA512
6c8db1c39e4ea714e28ac6dddff80d9451333eea28b5f302a2d1865c025690ebb34c9bf98eddcf3e0bf3e3c73da446206ac8a384e787fa1d33d9a889fa52b0c1

Download Submit
C:\ProgramData\SoftwareDistribution\xkefqne

Filesize
654B

MD5
32c22df645efd3290d98f770a4f6f381

SHA1
68c8a185a08a693431a29b817ce0ebf5744b7376

SHA256
d7082b7c7a4c8fac58b286d89291e981e111f8498d416ec06495b5513c83a0e1

SHA512
6c8db1c39e4ea714e28ac6dddff80d9451333eea28b5f302a2d1865c025690ebb34c9bf98eddcf3e0bf3e3c73da446206ac8a384e787fa1d33d9a889fa52b0c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\xlobkpb.exe

Filesize
772KB

MD5
95f60b5b36d63307d83e3f3de9675a1d

SHA1
da733991d9618b3a3bb5cc503ba0e860f1e8ea29

SHA256
f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674

SHA512
de63bb1117043ee0a7fb478c4a2ba3d283d7f3d71f39fdbe357d2aa403f8f4a4e7eafe53595794ef99c35156aedd3854ba2e015b259af573492e90c96e3f34ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\xlobkpb.exe

Filesize
772KB

MD5
95f60b5b36d63307d83e3f3de9675a1d

SHA1
da733991d9618b3a3bb5cc503ba0e860f1e8ea29

SHA256
f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674

SHA512
de63bb1117043ee0a7fb478c4a2ba3d283d7f3d71f39fdbe357d2aa403f8f4a4e7eafe53595794ef99c35156aedd3854ba2e015b259af573492e90c96e3f34ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\xlobkpb.exe

Filesize
772KB

MD5
95f60b5b36d63307d83e3f3de9675a1d

SHA1
da733991d9618b3a3bb5cc503ba0e860f1e8ea29

SHA256
f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674

SHA512
de63bb1117043ee0a7fb478c4a2ba3d283d7f3d71f39fdbe357d2aa403f8f4a4e7eafe53595794ef99c35156aedd3854ba2e015b259af573492e90c96e3f34ff

Download Submit
memory/752-147-0x0000000039840000-0x00000000398B7000-memory.dmp

Filesize
476KB

Download
memory/2156-138-0x0000000000400000-0x00000000004A4600-memory.dmp

Filesize
657KB

Download
memory/2156-137-0x0000000028CF0000-0x0000000028F3B000-memory.dmp

Filesize
2.3MB

Download
memory/2156-136-0x0000000028AD0000-0x0000000028CEA000-memory.dmp

Filesize
2.1MB

Download
memory/2156-134-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3720-146-0x0000000028C70000-0x0000000028EBB000-memory.dmp

Filesize
2.3MB

Download
memory/3788-132-0x0000000000710000-0x0000000000714000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing