520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2023, 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
Size

2.6MB
MD5

008bddb8f6aaeb1ba1a98eedc5914b46
SHA1

b54a7b522990ae874b3b7ddf2adf700857e58fac
SHA256

520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02
SHA512

a9c9998c6f390c00062e5da41272821f51e7e361b95faa0a7d39729bd2d19e312285c228ed8a15f1172805d0da7a42ff94171f6f65906a827ff659242fe6567a
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBN9w4Su:+R0pI/IQlUoMPdmpSpF4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4440	xdobec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvK4\\xdobec.exe"	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxMB\\dobxsys.exe"	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5096	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
5096	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
5096	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
5096	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
4440	xdobec.exe
4440	xdobec.exe
5096	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
5096	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
4440	xdobec.exe
4440	xdobec.exe
5096	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
5096	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
4440	xdobec.exe
4440	xdobec.exe
5096	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
5096	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
4440	xdobec.exe
4440	xdobec.exe
5096	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
5096	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
4440	xdobec.exe
4440	xdobec.exe
5096	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
5096	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
4440	xdobec.exe
4440	xdobec.exe
5096	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
5096	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
4440	xdobec.exe
4440	xdobec.exe
5096	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
5096	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
4440	xdobec.exe
4440	xdobec.exe
5096	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
5096	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
4440	xdobec.exe
4440	xdobec.exe
5096	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
5096	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
4440	xdobec.exe
4440	xdobec.exe
5096	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
5096	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
4440	xdobec.exe
4440	xdobec.exe
5096	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
5096	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
4440	xdobec.exe
4440	xdobec.exe
5096	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
5096	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
4440	xdobec.exe
4440	xdobec.exe
5096	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
5096	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
4440	xdobec.exe
4440	xdobec.exe
5096	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
5096	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
4440	xdobec.exe
4440	xdobec.exe
5096	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
5096	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 4440	5096	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe	87
PID 5096 wrote to memory of 4440	5096	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe	87
PID 5096 wrote to memory of 4440	5096	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe	87

C:\Users\Admin\AppData\Local\Temp\520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
"C:\Users\Admin\AppData\Local\Temp\520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5096
- C:\SysDrvK4\xdobec.exe
  C:\SysDrvK4\xdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxMB\dobxsys.exe

Filesize
2.6MB

MD5
5859d5bb08679e1bdbcf692819d1117e

SHA1
d17a1785cdd6815e8096f081e595dfdc38c9abd3

SHA256
e9fed11a38626119a1b5bbb7c91ab0cb411541e1a67ef0a75a796c3dd458b86c

SHA512
171f35002524577fbc3bd3e3360786c0e165387dfd304ace07860ab1a62d8256922512e22d584d9110341a25257c502be264b9cb133acaf9fa0a4eb68e70713c

Download Submit
C:\GalaxMB\dobxsys.exe

Filesize
2.6MB

MD5
5859d5bb08679e1bdbcf692819d1117e

SHA1
d17a1785cdd6815e8096f081e595dfdc38c9abd3

SHA256
e9fed11a38626119a1b5bbb7c91ab0cb411541e1a67ef0a75a796c3dd458b86c

SHA512
171f35002524577fbc3bd3e3360786c0e165387dfd304ace07860ab1a62d8256922512e22d584d9110341a25257c502be264b9cb133acaf9fa0a4eb68e70713c

Download Submit
C:\SysDrvK4\xdobec.exe

Filesize
2.6MB

MD5
6f631d0a046a0ddf40317abf9ce59b33

SHA1
15551e1e822e88830181f6e45a999e7639c78c54

SHA256
037eceba864988038447741f3cf39c81394220c884e94496a973db54a5bd0375

SHA512
bfc204b41e915d13b5b87f00680f2b97926f5d9aef3b3212a153a9a75513cb9c9943fa2a6cf925718c945738b8dad86661215533c5ed6adaae644c8c7458fe45

Download Submit
C:\SysDrvK4\xdobec.exe

Filesize
2.6MB

MD5
6f631d0a046a0ddf40317abf9ce59b33

SHA1
15551e1e822e88830181f6e45a999e7639c78c54

SHA256
037eceba864988038447741f3cf39c81394220c884e94496a973db54a5bd0375

SHA512
bfc204b41e915d13b5b87f00680f2b97926f5d9aef3b3212a153a9a75513cb9c9943fa2a6cf925718c945738b8dad86661215533c5ed6adaae644c8c7458fe45

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
28fc0896fdd9552fa32b93d6bc75080c

SHA1
181c5179894d746286615f2492a19d324dfe355e

SHA256
697bc159df20e619404984ebc4c4c5d2c9f78c05e91ac0b6148253d524c8db7c

SHA512
fcfc269ef595f24993123d42bf1c622425b5e01da095b59ebac49ba688d14f96999f6396bc01603bdaccd9f73cf22365fadebc63610c3218c2938d731b01a8c5

Download Submit