50916262e479a9405dfe8bc0092dda1ee5e8f7a7f2bcc5e39a8375734796f671

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 00:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3e2c9aaee90f1998c748ce6400f42920_NEAS.exe
Size

4.1MB
MD5

3e2c9aaee90f1998c748ce6400f42920
SHA1

56d89ee66427c3c5438d7ee9639da9b600b2c6f8
SHA256

50916262e479a9405dfe8bc0092dda1ee5e8f7a7f2bcc5e39a8375734796f671
SHA512

3374091ba2ba8859f9b54d19ff341dc253f19c02310e6ddb4c12b59a1a84e0412a53cc7c31bb9139c4e897b34d0e6e688aa1277d9af0176131fec9bb40fc5a8b
SSDEEP

98304:+R0pI/IQlUoMPdmpSpP4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmY5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3820	xdobsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocS0\\xdobsys.exe"	3e2c9aaee90f1998c748ce6400f42920_NEAS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid6B\\dobxsys.exe"	3e2c9aaee90f1998c748ce6400f42920_NEAS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3576	3e2c9aaee90f1998c748ce6400f42920_NEAS.exe
3576	3e2c9aaee90f1998c748ce6400f42920_NEAS.exe
3576	3e2c9aaee90f1998c748ce6400f42920_NEAS.exe
3576	3e2c9aaee90f1998c748ce6400f42920_NEAS.exe
3820	xdobsys.exe
3820	xdobsys.exe
3576	3e2c9aaee90f1998c748ce6400f42920_NEAS.exe
3576	3e2c9aaee90f1998c748ce6400f42920_NEAS.exe
3820	xdobsys.exe
3820	xdobsys.exe
3576	3e2c9aaee90f1998c748ce6400f42920_NEAS.exe
3576	3e2c9aaee90f1998c748ce6400f42920_NEAS.exe
3820	xdobsys.exe
3820	xdobsys.exe
3576	3e2c9aaee90f1998c748ce6400f42920_NEAS.exe
3576	3e2c9aaee90f1998c748ce6400f42920_NEAS.exe
3820	xdobsys.exe
3820	xdobsys.exe
3576	3e2c9aaee90f1998c748ce6400f42920_NEAS.exe
3576	3e2c9aaee90f1998c748ce6400f42920_NEAS.exe
3820	xdobsys.exe
3820	xdobsys.exe
3576	3e2c9aaee90f1998c748ce6400f42920_NEAS.exe
3576	3e2c9aaee90f1998c748ce6400f42920_NEAS.exe
3820	xdobsys.exe
3820	xdobsys.exe
3576	3e2c9aaee90f1998c748ce6400f42920_NEAS.exe
3576	3e2c9aaee90f1998c748ce6400f42920_NEAS.exe
3820	xdobsys.exe
3820	xdobsys.exe
3576	3e2c9aaee90f1998c748ce6400f42920_NEAS.exe
3576	3e2c9aaee90f1998c748ce6400f42920_NEAS.exe
3820	xdobsys.exe
3820	xdobsys.exe
3576	3e2c9aaee90f1998c748ce6400f42920_NEAS.exe
3576	3e2c9aaee90f1998c748ce6400f42920_NEAS.exe
3820	xdobsys.exe
3820	xdobsys.exe
3576	3e2c9aaee90f1998c748ce6400f42920_NEAS.exe
3576	3e2c9aaee90f1998c748ce6400f42920_NEAS.exe
3820	xdobsys.exe
3820	xdobsys.exe
3576	3e2c9aaee90f1998c748ce6400f42920_NEAS.exe
3576	3e2c9aaee90f1998c748ce6400f42920_NEAS.exe
3820	xdobsys.exe
3820	xdobsys.exe
3576	3e2c9aaee90f1998c748ce6400f42920_NEAS.exe
3576	3e2c9aaee90f1998c748ce6400f42920_NEAS.exe
3820	xdobsys.exe
3820	xdobsys.exe
3576	3e2c9aaee90f1998c748ce6400f42920_NEAS.exe
3576	3e2c9aaee90f1998c748ce6400f42920_NEAS.exe
3820	xdobsys.exe
3820	xdobsys.exe
3576	3e2c9aaee90f1998c748ce6400f42920_NEAS.exe
3576	3e2c9aaee90f1998c748ce6400f42920_NEAS.exe
3820	xdobsys.exe
3820	xdobsys.exe
3576	3e2c9aaee90f1998c748ce6400f42920_NEAS.exe
3576	3e2c9aaee90f1998c748ce6400f42920_NEAS.exe
3820	xdobsys.exe
3820	xdobsys.exe
3576	3e2c9aaee90f1998c748ce6400f42920_NEAS.exe
3576	3e2c9aaee90f1998c748ce6400f42920_NEAS.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3576 wrote to memory of 3820	3576	3e2c9aaee90f1998c748ce6400f42920_NEAS.exe	90
PID 3576 wrote to memory of 3820	3576	3e2c9aaee90f1998c748ce6400f42920_NEAS.exe	90
PID 3576 wrote to memory of 3820	3576	3e2c9aaee90f1998c748ce6400f42920_NEAS.exe	90

C:\Users\Admin\AppData\Local\Temp\3e2c9aaee90f1998c748ce6400f42920_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\3e2c9aaee90f1998c748ce6400f42920_NEAS.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3576
- C:\IntelprocS0\xdobsys.exe
  C:\IntelprocS0\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocS0\xdobsys.exe

Filesize
4.1MB

MD5
d8e6abfbc9ccab5dd35e425f5bc9f721

SHA1
da25e8f9a32d26ffbfa6996322c6b254d2df5b8a

SHA256
1947162d0f59e2fa2eb970579175dfec729688689eb24527e3dcd05655a2b19e

SHA512
316ac1c8d04b3ee2a313d9f0281e68ed951c59e8b56ff60fee0654285355ecfe73f5e74d5ed7e3f472164206a8c1125cd368db26043c539ae7ac662cb583a23f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
7a58f3246ca741d672e0378d9a97374d

SHA1
2ae8d2ba7f11e03b3283fcfe3d2cfa3ad7b17da3

SHA256
7696cb2c2a240e3eae7675ebe73e1abb7a76122a5a66ec9aa6ff896732974754

SHA512
c36016bbb1ed9c224d95139a3a78157c89883ad02a373cf8c8f9872ae1ff7c250fd3d87669f48f3fc04f4e0f38bb5bda53b243052b660766043fb011de01d2ff

Download Submit
C:\Vid6B\dobxsys.exe

Filesize
4.1MB

MD5
094263a48f96b7913d29bac63afe7bcd

SHA1
691e7bdb8781aaf08b2e962d7bca21877bf38c47

SHA256
cf2ac6a4e5c89a98f028e5cac5abd351e89df33a6e4ba03474f3c016d7c77e0f

SHA512
7bcc1fdcf3914c5365307aded17470bd47818c1cf6489c7d757ef743b588dec3756db1e931eccd2ddd0b7d871e4e2d09cf8a67a3eb09ba7deb6908273f3443fd

Download Submit