fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
07/05/2024, 03:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe
Size

4.1MB
MD5

c8670f2c5f589d9e78e987e7b47d3cf6
SHA1

ac0da9a62517fd45ba41893e052783b8e52c379c
SHA256

fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d
SHA512

426f36ca5708eebb8bc0d5082520119d8343121e5b4f56164a904ff2c68456b206b44b1a9160cd4b79745abd3d79f946c204dcae94cad33e3f39f1720c92fae2
SSDEEP

98304:+R0pI/IQlUoMPdmpSpa4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdm55n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
804	xdobec.exe

Loads dropped DLL 1 IoCs

pid	Process
2372	fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintJ4\\dobdevsys.exe"	fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot8Q\\xdobec.exe"	fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2372	fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe
2372	fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe
804	xdobec.exe
2372	fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe
804	xdobec.exe
2372	fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe
804	xdobec.exe
2372	fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe
804	xdobec.exe
2372	fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe
804	xdobec.exe
2372	fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe
804	xdobec.exe
2372	fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe
804	xdobec.exe
2372	fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe
804	xdobec.exe
2372	fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe
804	xdobec.exe
2372	fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe
804	xdobec.exe
2372	fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe
804	xdobec.exe
2372	fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe
804	xdobec.exe
2372	fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe
804	xdobec.exe
2372	fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe
804	xdobec.exe
2372	fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe
804	xdobec.exe
2372	fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe
804	xdobec.exe
2372	fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe
804	xdobec.exe
2372	fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe
804	xdobec.exe
2372	fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe
804	xdobec.exe
2372	fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe
804	xdobec.exe
2372	fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe
804	xdobec.exe
2372	fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe
804	xdobec.exe
2372	fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe
804	xdobec.exe
2372	fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe
804	xdobec.exe
2372	fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe
804	xdobec.exe
2372	fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe
804	xdobec.exe
2372	fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe
804	xdobec.exe
2372	fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe
804	xdobec.exe
2372	fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe
804	xdobec.exe
2372	fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe
804	xdobec.exe
2372	fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe
804	xdobec.exe
2372	fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 804	2372	fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe	28
PID 2372 wrote to memory of 804	2372	fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe	28
PID 2372 wrote to memory of 804	2372	fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe	28
PID 2372 wrote to memory of 804	2372	fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe	28

C:\Users\Admin\AppData\Local\Temp\fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe
"C:\Users\Admin\AppData\Local\Temp\fe291eff44ffe65768f074d1ed616b779dc139bff98b8a60fb779f6c9f3b279d.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2372
- C:\UserDot8Q\xdobec.exe
  C:\UserDot8Q\xdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintJ4\dobdevsys.exe

Filesize
4.1MB

MD5
16e9346992a2ca29bad822202ae5b93a

SHA1
549379da6e04e5fce7cf9d23e7986be994f2b7bb

SHA256
5d1a32ea9c456ce62fa7de138976d411d3cea1bee1b48f25af21a7a87288e56e

SHA512
f241256f7e54b24908d245cec63286eb9b333660afeccfe1094ee5ae57e6852c17093106a47962817d1e856b4a95885d0c29523d3eb62d0a5f3d8a3f69343d1d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
a1fb1a764bea818329e2decfdd0c2638

SHA1
9b38952eb7de9f5749e441a9335c2d32c18c2546

SHA256
c98ac7cf1331e68388ef155a0a664c4086d94685f75563d8d240feaf95e25350

SHA512
38d84710e20aa47c327169265ed02d6fcea657792dc5ef8c35b576cd15a47f9ae0a2f6e5479870596b28cf0e8998387a22f1f8054fbddea66f2595619c483acc

Download Submit
\UserDot8Q\xdobec.exe

Filesize
4.1MB

MD5
76c4bc9f8e69ad9b698ab0e9e936b90b

SHA1
da798682db220ddbaadffaae2b8996a15b4bb5db

SHA256
43e17f62a56a48230fd2e3ff9991ddffcde7e24e553089e0985c53835b6dcfb6

SHA512
9829e87a4929ccb35320528f16526ab9bbdc431c15fed9aec964931c3f4963344579521fc99b3f8a6b7f136efd8a64b4ac62c7d9506ec5b6ab511f696ffd69b2

Download Submit