e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
01-05-2024 04:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe
Size

4.1MB
MD5

11fb2b9a56fe08560d20068205322caf
SHA1

84e3394291b87e12528e0fa296db6941e63ff79d
SHA256

e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f
SHA512

ccaf431538471f4e37800ab2fc3ef3037e681c82f82b88bae74bdb29e3e351c4780f598ae33c6aca06b7e6f849109e44fdcdfeaf62ea7633fcec2975ebe30245
SSDEEP

98304:+R0pI/IQlUoMPdmpSpj4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmU5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3044	xdobsys.exe

Loads dropped DLL 1 IoCs

pid	Process
2956	e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotRT\\xdobsys.exe"	e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint9B\\optidevsys.exe"	e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2956	e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe
2956	e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe
3044	xdobsys.exe
2956	e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe
3044	xdobsys.exe
2956	e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe
3044	xdobsys.exe
2956	e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe
3044	xdobsys.exe
2956	e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe
3044	xdobsys.exe
2956	e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe
3044	xdobsys.exe
2956	e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe
3044	xdobsys.exe
2956	e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe
3044	xdobsys.exe
2956	e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe
3044	xdobsys.exe
2956	e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe
3044	xdobsys.exe
2956	e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe
3044	xdobsys.exe
2956	e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe
3044	xdobsys.exe
2956	e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe
3044	xdobsys.exe
2956	e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe
3044	xdobsys.exe
2956	e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe
3044	xdobsys.exe
2956	e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe
3044	xdobsys.exe
2956	e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe
3044	xdobsys.exe
2956	e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe
3044	xdobsys.exe
2956	e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe
3044	xdobsys.exe
2956	e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe
3044	xdobsys.exe
2956	e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe
3044	xdobsys.exe
2956	e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe
3044	xdobsys.exe
2956	e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe
3044	xdobsys.exe
2956	e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe
3044	xdobsys.exe
2956	e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe
3044	xdobsys.exe
2956	e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe
3044	xdobsys.exe
2956	e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe
3044	xdobsys.exe
2956	e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe
3044	xdobsys.exe
2956	e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe
3044	xdobsys.exe
2956	e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe
3044	xdobsys.exe
2956	e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe
3044	xdobsys.exe
2956	e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 3044	2956	e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe	28
PID 2956 wrote to memory of 3044	2956	e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe	28
PID 2956 wrote to memory of 3044	2956	e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe	28
PID 2956 wrote to memory of 3044	2956	e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe	28

C:\Users\Admin\AppData\Local\Temp\e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe
"C:\Users\Admin\AppData\Local\Temp\e68b545af2b7ac43ea251ca000053585c54f81ecc3f1e783ae588ebb60b8113f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2956
- C:\UserDotRT\xdobsys.exe
  C:\UserDotRT\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Mint9B\optidevsys.exe

Filesize
4.1MB

MD5
7ab0425a60bb960ebd6a5b31dd62bad2

SHA1
dbabe729b402f5ea2de5d53832621107553037bb

SHA256
955699f82e633327028c0a418788b383dc9739350310f5f130b055d0356e51c7

SHA512
b848fb81cb92465c6d005d9a2bb5747f6c29ba77555e32b97a9b41e4f6cd8723012afcbd850ed58b0f8849e8dde482570b97aa709102f9b3c175e3624641f4a1

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
198B

MD5
fcdaed0597779313224f3b357a84492b

SHA1
a861cc0cbf797cb2d8696fea32ee0ecbaed10cb1

SHA256
1425d31260f7a1152a0d088e8ff19a66323502e304f1d5ca72929aa026cd6372

SHA512
2b4610854d0ace20664b2f8939a18a54c556803b8b2664fe21f3284d53a51a1aa20ab71791ca642e04733e4878615a4bd578168e04e847f3fe54012e3568e961

Download Submit
\UserDotRT\xdobsys.exe

Filesize
4.1MB

MD5
7e7d82c1d1c20b4126cb76fcc7855d34

SHA1
f469240938b45c8e76e9352f24fa0c5cf409552e

SHA256
bfb665b2a5527a7153bb824f163b6909ae34d5c9a9513da4780af556c4f1f0be

SHA512
af06a67d06669839f504a547766b73a7cc01395eb077ca86afbe3fcbc3a70b76c8ccaa656b03c200a84873942e8b6442fcc07cc118588d5e7ca819cb55489c85

Download Submit