Analysis
Max time kernel: 149s
Max time network: 119s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 10/04/2024, 06:00
Static task: static1
Behavioral task: behavioral1
  Sample: 3ace6863c81d58befe9ea56bdb58230b.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 3ace6863c81d58befe9ea56bdb58230b.exe
  Resource: win10v2004-20240226-en
General
Target: 3ace6863c81d58befe9ea56bdb58230b.exe
Size: 2.7MB
MD5: 3ace6863c81d58befe9ea56bdb58230b
SHA1: bffb460a239735ff0558a1980a6c4ed9d06f30e9
SHA256: 519f62e5f0b5d7a84c11293dda4cc6b1ca8754da2ae8acbcb071ac3c504df158
SHA512: 5fc70f284c28e39eaf03572840c1634991b60b0c254d5cd6760a2f0f920169c5bb0ed9a219a328f0babec074a87859e774b1f5c8a588910cb9f659851f2084ee
SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBS9w4Sx:+R0pI/IQlUoMPdmpSpk4
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID   Process
  3040  xdobsys.exe
Loads dropped DLL (1 IoC)
  PID   Process
  2940  3ace6863c81d58befe9ea56bdb58230b.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocPB\\xdobsys.exe" (process: 3ace6863c81d58befe9ea56bdb58230b.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidPX\\bodxloc.exe" (process: 3ace6863c81d58befe9ea56bdb58230b.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID   Process
  2940  3ace6863c81d58befe9ea56bdb58230b.exe
  3040  xdobsys.exe
  (the 64 entries alternate between these two processes)
Suspicious use of WriteProcessMemory (4 IoCs)
  Description                       PID   Process                               procid_target
  PID 2940 wrote to memory of 3040  2940  3ace6863c81d58befe9ea56bdb58230b.exe  28
  (4 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\3ace6863c81d58befe9ea56bdb58230b.exe (PID 2940)
   Command line: "C:\Users\Admin\AppData\Local\Temp\3ace6863c81d58befe9ea56bdb58230b.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\IntelprocPB\xdobsys.exe (PID 3040)
      Command line: C:\IntelprocPB\xdobsys.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
1. Filesize: 2.7MB
   MD5: 7760498c9e6178c2e30a4cb6336638dd
   SHA1: 1049f412f9c052502dad2364a664e21942ef2426
   SHA256: 9789c030dc2b33d11dbbfa1b89c421bcec69d551f3acb45149a0f9aa57e83536
   SHA512: f81dfc9cb10cf0cbc3db6049d4397b3656ebf252f19dc82caf41abb88e9e59ff9b17e6e700759d4aad0aedb3915491ff59af6ba9f9b42836b33d8716bf18a85b
2. Filesize: 203B
   MD5: 9fb7a92154e1642b34b16877648c6ae0
   SHA1: e1b9edc488dd9d0f53e190340952393ac97d1a70
   SHA256: 0584d6af0b0ff3e2bca1d817a22461aca4e1b6ef7a45824fdbef0517c7fd8bb8
   SHA512: 202c4f8080f99c09a13c69422b7e8aff1ec077e435d3a0e951b8bffad52b475b3d5f55b4669f098d362db5e19e09f291a52f5501252fa10ea844568ca733ace0
3. Filesize: 2.7MB
   MD5: 6d0341370cd3c132bda1067f5b6c7bcc
   SHA1: 0e6909a69cfafaa876b387f63dd4cf82b4a65270
   SHA256: 716066a5138491d9d05b2467434374a9252424924b76175d1b2d86f26c1b35d4
   SHA512: 8f7c65527d24f7757d399833d5ae4357c0c32d18c963033fcab6706f8dd2bb19632060e66c1b1fda35b2f836697f908fcfa8b556d35b32f7e1d7394ef0c06ede