519f62e5f0b5d7a84c11293dda4cc6b1ca8754da2ae8acbcb071ac3c504df158

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 06:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ace6863c81d58befe9ea56bdb58230b.exe
Size

2.7MB
MD5

3ace6863c81d58befe9ea56bdb58230b
SHA1

bffb460a239735ff0558a1980a6c4ed9d06f30e9
SHA256

519f62e5f0b5d7a84c11293dda4cc6b1ca8754da2ae8acbcb071ac3c504df158
SHA512

5fc70f284c28e39eaf03572840c1634991b60b0c254d5cd6760a2f0f920169c5bb0ed9a219a328f0babec074a87859e774b1f5c8a588910cb9f659851f2084ee
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBS9w4Sx:+R0pI/IQlUoMPdmpSpk4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3040	xdobsys.exe

Loads dropped DLL 1 IoCs

pid	Process
2940	3ace6863c81d58befe9ea56bdb58230b.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocPB\\xdobsys.exe"	3ace6863c81d58befe9ea56bdb58230b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidPX\\bodxloc.exe"	3ace6863c81d58befe9ea56bdb58230b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2940	3ace6863c81d58befe9ea56bdb58230b.exe
2940	3ace6863c81d58befe9ea56bdb58230b.exe
3040	xdobsys.exe
2940	3ace6863c81d58befe9ea56bdb58230b.exe
3040	xdobsys.exe
2940	3ace6863c81d58befe9ea56bdb58230b.exe
3040	xdobsys.exe
2940	3ace6863c81d58befe9ea56bdb58230b.exe
3040	xdobsys.exe
2940	3ace6863c81d58befe9ea56bdb58230b.exe
3040	xdobsys.exe
2940	3ace6863c81d58befe9ea56bdb58230b.exe
3040	xdobsys.exe
2940	3ace6863c81d58befe9ea56bdb58230b.exe
3040	xdobsys.exe
2940	3ace6863c81d58befe9ea56bdb58230b.exe
3040	xdobsys.exe
2940	3ace6863c81d58befe9ea56bdb58230b.exe
3040	xdobsys.exe
2940	3ace6863c81d58befe9ea56bdb58230b.exe
3040	xdobsys.exe
2940	3ace6863c81d58befe9ea56bdb58230b.exe
3040	xdobsys.exe
2940	3ace6863c81d58befe9ea56bdb58230b.exe
3040	xdobsys.exe
2940	3ace6863c81d58befe9ea56bdb58230b.exe
3040	xdobsys.exe
2940	3ace6863c81d58befe9ea56bdb58230b.exe
3040	xdobsys.exe
2940	3ace6863c81d58befe9ea56bdb58230b.exe
3040	xdobsys.exe
2940	3ace6863c81d58befe9ea56bdb58230b.exe
3040	xdobsys.exe
2940	3ace6863c81d58befe9ea56bdb58230b.exe
3040	xdobsys.exe
2940	3ace6863c81d58befe9ea56bdb58230b.exe
3040	xdobsys.exe
2940	3ace6863c81d58befe9ea56bdb58230b.exe
3040	xdobsys.exe
2940	3ace6863c81d58befe9ea56bdb58230b.exe
3040	xdobsys.exe
2940	3ace6863c81d58befe9ea56bdb58230b.exe
3040	xdobsys.exe
2940	3ace6863c81d58befe9ea56bdb58230b.exe
3040	xdobsys.exe
2940	3ace6863c81d58befe9ea56bdb58230b.exe
3040	xdobsys.exe
2940	3ace6863c81d58befe9ea56bdb58230b.exe
3040	xdobsys.exe
2940	3ace6863c81d58befe9ea56bdb58230b.exe
3040	xdobsys.exe
2940	3ace6863c81d58befe9ea56bdb58230b.exe
3040	xdobsys.exe
2940	3ace6863c81d58befe9ea56bdb58230b.exe
3040	xdobsys.exe
2940	3ace6863c81d58befe9ea56bdb58230b.exe
3040	xdobsys.exe
2940	3ace6863c81d58befe9ea56bdb58230b.exe
3040	xdobsys.exe
2940	3ace6863c81d58befe9ea56bdb58230b.exe
3040	xdobsys.exe
2940	3ace6863c81d58befe9ea56bdb58230b.exe
3040	xdobsys.exe
2940	3ace6863c81d58befe9ea56bdb58230b.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 3040	2940	3ace6863c81d58befe9ea56bdb58230b.exe	28
PID 2940 wrote to memory of 3040	2940	3ace6863c81d58befe9ea56bdb58230b.exe	28
PID 2940 wrote to memory of 3040	2940	3ace6863c81d58befe9ea56bdb58230b.exe	28
PID 2940 wrote to memory of 3040	2940	3ace6863c81d58befe9ea56bdb58230b.exe	28

C:\Users\Admin\AppData\Local\Temp\3ace6863c81d58befe9ea56bdb58230b.exe
"C:\Users\Admin\AppData\Local\Temp\3ace6863c81d58befe9ea56bdb58230b.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2940
- C:\IntelprocPB\xdobsys.exe
  C:\IntelprocPB\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocPB\xdobsys.exe

Filesize
2.7MB

MD5
7760498c9e6178c2e30a4cb6336638dd

SHA1
1049f412f9c052502dad2364a664e21942ef2426

SHA256
9789c030dc2b33d11dbbfa1b89c421bcec69d551f3acb45149a0f9aa57e83536

SHA512
f81dfc9cb10cf0cbc3db6049d4397b3656ebf252f19dc82caf41abb88e9e59ff9b17e6e700759d4aad0aedb3915491ff59af6ba9f9b42836b33d8716bf18a85b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
9fb7a92154e1642b34b16877648c6ae0

SHA1
e1b9edc488dd9d0f53e190340952393ac97d1a70

SHA256
0584d6af0b0ff3e2bca1d817a22461aca4e1b6ef7a45824fdbef0517c7fd8bb8

SHA512
202c4f8080f99c09a13c69422b7e8aff1ec077e435d3a0e951b8bffad52b475b3d5f55b4669f098d362db5e19e09f291a52f5501252fa10ea844568ca733ace0

Download Submit
C:\VidPX\bodxloc.exe

Filesize
2.7MB

MD5
6d0341370cd3c132bda1067f5b6c7bcc

SHA1
0e6909a69cfafaa876b387f63dd4cf82b4a65270

SHA256
716066a5138491d9d05b2467434374a9252424924b76175d1b2d86f26c1b35d4

SHA512
8f7c65527d24f7757d399833d5ae4357c0c32d18c963033fcab6706f8dd2bb19632060e66c1b1fda35b2f836697f908fcfa8b556d35b32f7e1d7394ef0c06ede

Download Submit