a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1

Analysis

max time kernel
149s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2024, 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
Size

2.7MB
MD5

cd84368b2868bff14634fa62b4e496a9
SHA1

ad6807fb78228e96b85d34c1c77756759b634944
SHA256

a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1
SHA512

f5cb9ee9e15d894d4e727b8b4bf02728b293bb15926e3d841ae8cfb3b24b372ff315d05b0cfeb4cd97011fd4dfbea021fce68cc86ff8e05f984a63da071fe0e2
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBP9w4Sx:+R0pI/IQlUoMPdmpSpn4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3240	xdobloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc6T\\xdobloc.exe"	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid14\\boddevloc.exe"	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4924	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
4924	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
4924	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
4924	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
3240	xdobloc.exe
3240	xdobloc.exe
4924	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
4924	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
3240	xdobloc.exe
3240	xdobloc.exe
4924	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
4924	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
3240	xdobloc.exe
3240	xdobloc.exe
4924	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
4924	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
3240	xdobloc.exe
3240	xdobloc.exe
4924	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
4924	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
3240	xdobloc.exe
3240	xdobloc.exe
4924	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
4924	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
3240	xdobloc.exe
3240	xdobloc.exe
4924	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
4924	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
3240	xdobloc.exe
3240	xdobloc.exe
4924	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
4924	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
3240	xdobloc.exe
3240	xdobloc.exe
4924	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
4924	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
3240	xdobloc.exe
3240	xdobloc.exe
4924	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
4924	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
3240	xdobloc.exe
3240	xdobloc.exe
4924	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
4924	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
3240	xdobloc.exe
3240	xdobloc.exe
4924	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
4924	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
3240	xdobloc.exe
3240	xdobloc.exe
4924	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
4924	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
3240	xdobloc.exe
3240	xdobloc.exe
4924	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
4924	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
3240	xdobloc.exe
3240	xdobloc.exe
4924	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
4924	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
3240	xdobloc.exe
3240	xdobloc.exe
4924	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
4924	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4924 wrote to memory of 3240	4924	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe	92
PID 4924 wrote to memory of 3240	4924	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe	92
PID 4924 wrote to memory of 3240	4924	a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe	92

C:\Users\Admin\AppData\Local\Temp\a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe
"C:\Users\Admin\AppData\Local\Temp\a6d428c972e0c6a9b7aefad94b897d82774acb2ca0c241d8d498d21d682351d1.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Intelproc6T\xdobloc.exe
  C:\Intelproc6T\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc6T\xdobloc.exe

Filesize
2.7MB

MD5
7937d0da2b2eb9b71fbca51f43234033

SHA1
692180e07dd8a4af6b775e4a5d73cb8c035d441b

SHA256
2df597168ec870a6f2541dfb5b9d0d99463884129e9049408fdbf7ce70b2c6a6

SHA512
f55d8fbe215c823b5dc5fb56d2c49e45b54da115603fcdf501744b1a6871a5e11faed2ed78a67c4c4981ef404088979f9054c9509d28e266c9c62fca8a4d3a42

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
208B

MD5
3ebb1320f606ced522debb7a81f2afe5

SHA1
ad84ce672b51b05d7bde96dbdc4b9c1c12b71a3e

SHA256
557fc38f4ff2c7ea3d702abc0c08a684a2b4080b6a89379fbb400f601218457c

SHA512
e7eec767231129520b01ea1eab9666d49c6f043174cb91bbb744aa7c7a372b54abd6de69b84b45fea7d305e7aa40b7002123a62d08652ed329624e4f47276ccf

Download Submit
C:\Vid14\boddevloc.exe

Filesize
2.7MB

MD5
839d7db189a94b06ee83137dd11bc27b

SHA1
5abbaebdbf7b0d7376d797285295a4d4ebaf9b7a

SHA256
07ac6e02697661ae4d5d4106ce07f4e140c430639d94660f4ebbf443edd091b0

SHA512
d45329ec4338bcd7f8ceae7b04fb325c9df2ebf1f0b2e0cd6548c99954651cbe1aedadf0b1494c6b3084e8282521bf8018ea890f57e79973f5fd4362e593c1da

Download Submit