e3444374663bf90ac5b0ba44e31db3a4b56131ff949ba1aa9b57888644916ce0

General

Target

e3444374663bf90ac5b0ba44e31db3a4b56131ff949ba1aa9b57888644916ce0.exe
Size

184KB
MD5

2a9ec970f2c6e9b7ef9f3f982e994529
SHA1

4e23e9d2b8911cf88f6876aa677be571524ab0dd
SHA256

e3444374663bf90ac5b0ba44e31db3a4b56131ff949ba1aa9b57888644916ce0
SHA512

64e5a176d081f81929de245ccbca0386eecb2a6faeb5f3b6f1e49c4341aec9deedd36efbc801d59af8f1f840dfce35be934aa8083802202ea7690483388e3aa0
SSDEEP

3072:1WiRMlXL6KvWeRl6Knvmb7/D26DKcAA6vQOm34lK5/si+yS3A:t2X5VREKnvmb7/D26DKcV67m34E5/skj

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

e3444374663bf90ac5b0ba44e31db3a4b56131ff949ba1aa9b57888644916ce0.execxdor.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	e3444374663bf90ac5b0ba44e31db3a4b56131ff949ba1aa9b57888644916ce0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cxdor.exe

Executes dropped EXE 1 IoCs

Processes:

cxdor.exe

pid process

2108 cxdor.exe

pid	process
2108	cxdor.exe

Loads dropped DLL 2 IoCs

Processes:

e3444374663bf90ac5b0ba44e31db3a4b56131ff949ba1aa9b57888644916ce0.exe

pid	process
1548	e3444374663bf90ac5b0ba44e31db3a4b56131ff949ba1aa9b57888644916ce0.exe
1548	e3444374663bf90ac5b0ba44e31db3a4b56131ff949ba1aa9b57888644916ce0.exe

Adds Run key to start application 2 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

cxdor.exee3444374663bf90ac5b0ba44e31db3a4b56131ff949ba1aa9b57888644916ce0.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /J"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /V"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /r"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /f"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /x"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /D"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /j"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /c"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /R"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /l"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /g"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /W"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /O"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /e"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /b"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /Y"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /L"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /i"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /T"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /Q"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /u"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /v"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /a"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /q"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /k"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /h"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /K"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /I"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /B"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /z"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /H"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /m"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /P"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /w"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /o"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /M"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /S"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /F"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /U"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /t"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /A"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /N"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /d"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /o"	e3444374663bf90ac5b0ba44e31db3a4b56131ff949ba1aa9b57888644916ce0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /C"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /p"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /y"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /X"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /E"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /Z"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /G"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /s"	cxdor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\cxdor = "C:\\Users\\Admin\\cxdor.exe /n"	cxdor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e3444374663bf90ac5b0ba44e31db3a4b56131ff949ba1aa9b57888644916ce0.execxdor.exe

pid	process
1548	e3444374663bf90ac5b0ba44e31db3a4b56131ff949ba1aa9b57888644916ce0.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe
2108	cxdor.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

e3444374663bf90ac5b0ba44e31db3a4b56131ff949ba1aa9b57888644916ce0.execxdor.exe

pid process

1548 e3444374663bf90ac5b0ba44e31db3a4b56131ff949ba1aa9b57888644916ce0.exe
2108 cxdor.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

e3444374663bf90ac5b0ba44e31db3a4b56131ff949ba1aa9b57888644916ce0.exe

description	pid	process	target process
PID 1548 wrote to memory of 2108	1548	e3444374663bf90ac5b0ba44e31db3a4b56131ff949ba1aa9b57888644916ce0.exe	cxdor.exe
PID 1548 wrote to memory of 2108	1548	e3444374663bf90ac5b0ba44e31db3a4b56131ff949ba1aa9b57888644916ce0.exe	cxdor.exe
PID 1548 wrote to memory of 2108	1548	e3444374663bf90ac5b0ba44e31db3a4b56131ff949ba1aa9b57888644916ce0.exe	cxdor.exe
PID 1548 wrote to memory of 2108	1548	e3444374663bf90ac5b0ba44e31db3a4b56131ff949ba1aa9b57888644916ce0.exe	cxdor.exe

C:\Users\Admin\AppData\Local\Temp\e3444374663bf90ac5b0ba44e31db3a4b56131ff949ba1aa9b57888644916ce0.exe
"C:\Users\Admin\AppData\Local\Temp\e3444374663bf90ac5b0ba44e31db3a4b56131ff949ba1aa9b57888644916ce0.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1548

C:\Users\Admin\cxdor.exe
"C:\Users\Admin\cxdor.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2108

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\cxdor.exe
Filesize
128KB

MD5
b0f4d6593e5c7faaebad1bacfa30ec01

SHA1
fae7eedef41fd72af62d129667e0c29be175a751

SHA256
7596b180132331c2b869fa324dbc05d3551af7207c9f301438bbef63b78be835

SHA512
8eb6362514996e5b08def033a84f37308d00722d37e1951fd2430a3831a3d5b6fc111abd701f02045bb64537e84f81a276c0c2f708fc52fd63ccbf332241c84f

Download Submit
C:\Users\Admin\cxdor.exe
Filesize
184KB

MD5
01adcd592a1794d7487e5f389ab9d4d0

SHA1
c39627bc20aae1119876f93a633df2453866e3b9

SHA256
1209dddeb593467dfca7bb1180b6ed9bfa0d40d80945e896c66e53fb249d4b96

SHA512
090bd3278214d4d12fee5531a58a915545739ff21c2b3bcf4cd6006ba944121a64d62566816be48f9cc7de41bef9b54af3a9b5df7c302b089579eac28edd2631

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads