8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b

Analysis

max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
14-11-2023 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
Size

3.1MB
MD5

bf904dbc02f50b67348e9321f9ed821a
SHA1

6531b8c41445b7e1c289e631a56129ee451a04b4
SHA256

8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b
SHA512

9a0759b059dfa97f8683c560e9317cbe38d53de379307f1bf0cf945f61f708feaa9cd9fcca6feeb91f1e40afd31037d157da5cb3e766229ea45b057a887545af
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBm9w4Su+LNfej:+R0pI/IQlUoMPdmpSpY4JkNfej

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1624	xdobec.exe

Loads dropped DLL 1 IoCs

pid	Process
904	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocQM\\xdobec.exe"	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxBZ\\optixsys.exe"	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
904	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
904	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
1624	xdobec.exe
904	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
1624	xdobec.exe
904	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
1624	xdobec.exe
904	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
1624	xdobec.exe
904	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
1624	xdobec.exe
904	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
1624	xdobec.exe
904	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
1624	xdobec.exe
904	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
1624	xdobec.exe
904	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
1624	xdobec.exe
904	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
1624	xdobec.exe
904	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
1624	xdobec.exe
904	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
1624	xdobec.exe
904	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
1624	xdobec.exe
904	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
1624	xdobec.exe
904	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
1624	xdobec.exe
904	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
1624	xdobec.exe
904	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
1624	xdobec.exe
904	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
1624	xdobec.exe
904	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
1624	xdobec.exe
904	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
1624	xdobec.exe
904	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
1624	xdobec.exe
904	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
1624	xdobec.exe
904	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
1624	xdobec.exe
904	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
1624	xdobec.exe
904	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
1624	xdobec.exe
904	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
1624	xdobec.exe
904	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
1624	xdobec.exe
904	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
1624	xdobec.exe
904	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
1624	xdobec.exe
904	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
1624	xdobec.exe
904	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
1624	xdobec.exe
904	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 904 wrote to memory of 1624	904	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe	28
PID 904 wrote to memory of 1624	904	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe	28
PID 904 wrote to memory of 1624	904	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe	28
PID 904 wrote to memory of 1624	904	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe	28

C:\Users\Admin\AppData\Local\Temp\8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
"C:\Users\Admin\AppData\Local\Temp\8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:904
- C:\IntelprocQM\xdobec.exe
  C:\IntelprocQM\xdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxBZ\optixsys.exe

Filesize
3.1MB

MD5
392dc7a4fb7ee4c0040ae7f5146243ca

SHA1
616c57a9036927041f5a73d239c70dc00c7609f7

SHA256
d7fa0be30191b6b6b6cd6496cd3a4474047cb8b80779c1f70ee32f138ac100b3

SHA512
8b81244ed6646de8252c28b82537a66ba0be0bb05e3cbf81ccc2050e2356a40acb8f2ff325d61a4e35cfa0dbf1d912d1281deb5cfbd936d7c61a1118413912a8

Download Submit
C:\GalaxBZ\optixsys.exe

Filesize
3.1MB

MD5
392dc7a4fb7ee4c0040ae7f5146243ca

SHA1
616c57a9036927041f5a73d239c70dc00c7609f7

SHA256
d7fa0be30191b6b6b6cd6496cd3a4474047cb8b80779c1f70ee32f138ac100b3

SHA512
8b81244ed6646de8252c28b82537a66ba0be0bb05e3cbf81ccc2050e2356a40acb8f2ff325d61a4e35cfa0dbf1d912d1281deb5cfbd936d7c61a1118413912a8

Download Submit
C:\IntelprocQM\xdobec.exe

Filesize
3.1MB

MD5
147d37d54100c4b46eb87b6bdf6391b2

SHA1
efdedeb079367b51ef9d3394ce5f04a5083c5c5b

SHA256
2e6439fa6d5d1844b45970b7c066b9a147a28d52b3b5468fce0981c0a33efcc8

SHA512
234dd93dfec8312376c3df8e670bd527f48618400f1a60a70d5c2b8ebc11eb48d4ca267504063b629ae1327a77240785345593ff416aceb0addc6f3da5337397

Download Submit
C:\IntelprocQM\xdobec.exe

Filesize
3.1MB

MD5
147d37d54100c4b46eb87b6bdf6391b2

SHA1
efdedeb079367b51ef9d3394ce5f04a5083c5c5b

SHA256
2e6439fa6d5d1844b45970b7c066b9a147a28d52b3b5468fce0981c0a33efcc8

SHA512
234dd93dfec8312376c3df8e670bd527f48618400f1a60a70d5c2b8ebc11eb48d4ca267504063b629ae1327a77240785345593ff416aceb0addc6f3da5337397

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
c8f2f5d90c2756cd27ebd7313e64f94f

SHA1
036bee93cd8363a977fa25ea76228074bc7054bf

SHA256
860d7a4338eb81531c4b2f803aee33ad335f7d2ba069ae83da69ac86a4f7ebdc

SHA512
70bf42b674d7aae6ad381011ca01535fb0ba81bdc6ef87aadf1dd46dbcfa992f1c415c3825079aea4210e48cca4d1f659de791dc5829d73a68bd30fd3610e122

Download Submit
\IntelprocQM\xdobec.exe

Filesize
3.1MB

MD5
147d37d54100c4b46eb87b6bdf6391b2

SHA1
efdedeb079367b51ef9d3394ce5f04a5083c5c5b

SHA256
2e6439fa6d5d1844b45970b7c066b9a147a28d52b3b5468fce0981c0a33efcc8

SHA512
234dd93dfec8312376c3df8e670bd527f48618400f1a60a70d5c2b8ebc11eb48d4ca267504063b629ae1327a77240785345593ff416aceb0addc6f3da5337397

Download Submit