a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
05-05-2024 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
Size

2.7MB
MD5

cd84368b2868bff14634fa62b4e496a9
SHA1

ad6807fb78228e96b85d34c1c77756759b634944
SHA256

a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1
SHA512

f5cb9ee9e15d894d4e727b8b4bf02728b293bb15926e3d841ae8cfb3b24b372ff315d05b0cfeb4cd97011fd4dfbea021fce68cc86ff8e05f984a63da071fe0e2
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBP9w4Sx:+R0pI/IQlUoMPdmpSpn4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2268	xdobloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2936	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesCC\\xdobloc.exe"	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintVO\\optixsys.exe"	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2936	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
2936	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
2268	xdobloc.exe
2936	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
2268	xdobloc.exe
2936	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
2268	xdobloc.exe
2936	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
2268	xdobloc.exe
2936	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
2268	xdobloc.exe
2936	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
2268	xdobloc.exe
2936	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
2268	xdobloc.exe
2936	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
2268	xdobloc.exe
2936	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
2268	xdobloc.exe
2936	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
2268	xdobloc.exe
2936	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
2268	xdobloc.exe
2936	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
2268	xdobloc.exe
2936	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
2268	xdobloc.exe
2936	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
2268	xdobloc.exe
2936	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
2268	xdobloc.exe
2936	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
2268	xdobloc.exe
2936	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
2268	xdobloc.exe
2936	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
2268	xdobloc.exe
2936	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
2268	xdobloc.exe
2936	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
2268	xdobloc.exe
2936	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
2268	xdobloc.exe
2936	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
2268	xdobloc.exe
2936	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
2268	xdobloc.exe
2936	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
2268	xdobloc.exe
2936	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
2268	xdobloc.exe
2936	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
2268	xdobloc.exe
2936	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
2268	xdobloc.exe
2936	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
2268	xdobloc.exe
2936	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
2268	xdobloc.exe
2936	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
2268	xdobloc.exe
2936	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
2268	xdobloc.exe
2936	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2268	2936	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe	28
PID 2936 wrote to memory of 2268	2936	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe	28
PID 2936 wrote to memory of 2268	2936	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe	28
PID 2936 wrote to memory of 2268	2936	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe	28

C:\Users\Admin\AppData\Local\Temp\a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
"C:\Users\Admin\AppData\Local\Temp\a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2936
- C:\FilesCC\xdobloc.exe
  C:\FilesCC\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintVO\optixsys.exe

Filesize
2.7MB

MD5
29e868ab6941b18503fc93b7e6a7e2da

SHA1
9e657e5929c5b9f6176cbfb1a51098b38039eec9

SHA256
95add4cff14a71ec8a75b824016d9d022699af54faef5895841987a5da716bc1

SHA512
6558511408a7f09759cd77e657bc4d8d709979a08d2c5a6d42d269b955f20625ccd7bcd0759a75ad4b0755408ec805177c3513b09175802d5af2d477bf28660d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
a8475ba68ba67ad5ee5a99ccb70845da

SHA1
75137e2b49189a834957456e87f68f07141da490

SHA256
d1c5aa5156fe4cdfcb4e6a192c7dc729ae0f279aa4c7548814961fa6f318d844

SHA512
b8ab622f7e8b99353715ea67004d4ffc8a00a81a4e52a77afb3696d980ac1dbe97071868e5a9719faf7467fb92403f5665ee99a1c1653fdd1e5e8052b418755d

Download Submit
\FilesCC\xdobloc.exe

Filesize
2.7MB

MD5
c4f49dd571965435b393f8991bbd90ee

SHA1
59c39b3bf1a4430546a32373bbaa3675d5bceaeb

SHA256
c8b14ff4a9f9786855dfac74f6bfc1c77d563491530a5d922dc4dd431f5f350d

SHA512
5bd4d2e43865da01e0419b1106a4e41419d795c2bb50f1f7b1681a7509af645fa8fc30d2ee74c58aa1743647125bf1d34ddbd915008ec3f14483cc3cd396b0ea

Download Submit