db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2024, 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
Size

4.1MB
MD5

f9f7392efca4832e5a1f1ce6fdc74daa
SHA1

6a782ebfd563d67ea6d346e27ec2e6a7f8eeeac7
SHA256

db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a
SHA512

9d24344c1fd3f47b034a01e60417558589cc5f07d0cdf0d7368cd31eb6b9b596a5d0d833426868673486cf327bbacfff98ef599ea14db5e6efb15de41414d3bc
SSDEEP

98304:+R0pI/IQlUoMPdmpSp24ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmd5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4824	xdobloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv7K\\xdobloc.exe"	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZMN\\boddevloc.exe"	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
348	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
348	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
348	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
348	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
4824	xdobloc.exe
4824	xdobloc.exe
348	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
348	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
4824	xdobloc.exe
4824	xdobloc.exe
348	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
348	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
4824	xdobloc.exe
4824	xdobloc.exe
348	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
348	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
4824	xdobloc.exe
4824	xdobloc.exe
348	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
348	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
4824	xdobloc.exe
4824	xdobloc.exe
348	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
348	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
4824	xdobloc.exe
4824	xdobloc.exe
348	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
348	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
4824	xdobloc.exe
4824	xdobloc.exe
348	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
348	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
4824	xdobloc.exe
4824	xdobloc.exe
348	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
348	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
4824	xdobloc.exe
4824	xdobloc.exe
348	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
348	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
4824	xdobloc.exe
4824	xdobloc.exe
348	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
348	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
4824	xdobloc.exe
4824	xdobloc.exe
348	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
348	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
4824	xdobloc.exe
4824	xdobloc.exe
348	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
348	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
4824	xdobloc.exe
4824	xdobloc.exe
348	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
348	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
4824	xdobloc.exe
4824	xdobloc.exe
348	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
348	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
4824	xdobloc.exe
4824	xdobloc.exe
348	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
348	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 348 wrote to memory of 4824	348	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe	93
PID 348 wrote to memory of 4824	348	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe	93
PID 348 wrote to memory of 4824	348	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe	93

C:\Users\Admin\AppData\Local\Temp\db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
"C:\Users\Admin\AppData\Local\Temp\db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:348
- C:\SysDrv7K\xdobloc.exe
  C:\SysDrv7K\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZMN\boddevloc.exe

Filesize
4.1MB

MD5
0275b50f171268f5b575657a58fe0097

SHA1
c80187427a58afc8f2e9661bac137f34e6557a04

SHA256
427d193388723faef0242465fdf760ba7d5ec6673e4f2e4a3c7115376e2e77f6

SHA512
efe2a5809e9e8a6383bbff75cc9d7337ce4d663fcd51f936610c0e7461b905956b54c091967c45d09ca5735880e2acf938f160dd245ccfb7cae44aa3deb5ed38

Download Submit
C:\SysDrv7K\xdobloc.exe

Filesize
3.1MB

MD5
daab4393493fcb002ea5c44a9f9f1a2e

SHA1
f8c7b9b9b74832a5aa2c50269ec631fc7dbc6bf8

SHA256
3108d6eb89f16172f9280ce2f8315c478df0aac98a1961f5de59e35c90f2c34f

SHA512
6494a332196cc4276032b45603a7d91742d2973ed8b5394aa04d9ed8fef13e671c88c7a2370f31c65b57cd78968c983f916111f1632c796851dfb99d2fdcb359

Download Submit
C:\SysDrv7K\xdobloc.exe

Filesize
512KB

MD5
5b30a8b330159b357f3dd9a783038f8b

SHA1
0023e2db1960aadf2024c7130eedce77d18d55c9

SHA256
b8eb7c23256e687b7d04312dfd296a88e25fe2d50ace4c044bec1906e92f87e6

SHA512
93857f5bf3701ad4a0a2e2407474fc6216ad70585e8b7c3e9dda8d1777b36e5ab8ff0e18266b1df2e66173bf6a456bc6811de45ebba4d7d0a3c4026600fbe45f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
10392de39a3ba8ceb43fabc6ed8ea194

SHA1
9ad824b430579193e9a8e9c7c10c43790989e8b9

SHA256
9bd1a288b3761d0dbb530a1f132a5e53e196f15e2c27c1655c1eb3778ebd5dbf

SHA512
70b8ba7098c88e224ff4f7faf2e8fd8b832527097f99696d5505e3e30e8752fe275e44ab430af6a90aef5dc7dc9b07b1cf94e5cb08e26cdf7ad6f1a8a74af2d8

Download Submit