cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/05/2024, 04:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe
Size

2.7MB
MD5

cea3471faea10cafadff954b398ba0f5
SHA1

7a05bc031285a4d72ff5a12e9f8ce62223ce3349
SHA256

cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867
SHA512

47d067488a7c9ef4a6c9d1496a8fc63414c3fdbd02db144ea4c74072dd3ed7b0b2ed9b12960d728ccaf53a6786eb8cf2e0e9bfa349e414e95308d0732cf8a6b3
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBU9w4Sx:+R0pI/IQlUoMPdmpSp+4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2948	xdobloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2008	cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocJK\\xdobloc.exe"	cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZTC\\optixsys.exe"	cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2008	cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe
2008	cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe
2948	xdobloc.exe
2008	cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe
2948	xdobloc.exe
2008	cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe
2948	xdobloc.exe
2008	cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe
2948	xdobloc.exe
2008	cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe
2948	xdobloc.exe
2008	cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe
2948	xdobloc.exe
2008	cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe
2948	xdobloc.exe
2008	cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe
2948	xdobloc.exe
2008	cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe
2948	xdobloc.exe
2008	cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe
2948	xdobloc.exe
2008	cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe
2948	xdobloc.exe
2008	cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe
2948	xdobloc.exe
2008	cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe
2948	xdobloc.exe
2008	cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe
2948	xdobloc.exe
2008	cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe
2948	xdobloc.exe
2008	cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe
2948	xdobloc.exe
2008	cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe
2948	xdobloc.exe
2008	cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe
2948	xdobloc.exe
2008	cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe
2948	xdobloc.exe
2008	cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe
2948	xdobloc.exe
2008	cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe
2948	xdobloc.exe
2008	cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe
2948	xdobloc.exe
2008	cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe
2948	xdobloc.exe
2008	cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe
2948	xdobloc.exe
2008	cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe
2948	xdobloc.exe
2008	cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe
2948	xdobloc.exe
2008	cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe
2948	xdobloc.exe
2008	cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe
2948	xdobloc.exe
2008	cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe
2948	xdobloc.exe
2008	cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe
2948	xdobloc.exe
2008	cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe
2948	xdobloc.exe
2008	cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 2948	2008	cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe	28
PID 2008 wrote to memory of 2948	2008	cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe	28
PID 2008 wrote to memory of 2948	2008	cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe	28
PID 2008 wrote to memory of 2948	2008	cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe	28

C:\Users\Admin\AppData\Local\Temp\cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe
"C:\Users\Admin\AppData\Local\Temp\cbb41745e38ffc430668d91170647729fc9f37deb9e18e984ded3bdf23485867.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2008
- C:\IntelprocJK\xdobloc.exe
  C:\IntelprocJK\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZTC\optixsys.exe

Filesize
2.7MB

MD5
1419a0d0eb050a5c9eeb7258f02e6f5a

SHA1
fe70c306a5448cf794b5ce70a0e311f4785d1292

SHA256
b175ebe8038abb4adbd87ef6d7dee52765863c25468a200553c196b1f8a580c6

SHA512
ec00c52ec4df52d7f977f848bed47122de2f55280a9a50f39281b9f726e413d276887ae67890eccb079475ace84030dc76a0803ea00ad7514ecb68224fdb0169

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
4a034f8dd10731c9878e07e4f8391358

SHA1
19404d3cf3cb2ad19ca2abb528d70260c0d6237a

SHA256
58e5e5d42ddf5a4a663569ce4ee409c8d652d0b4183afee8c8e66c8df2d46f2e

SHA512
850469e50a687f3869fa6a14536aa02687640c2fad2cef581fd012da772da85c3336ba4285e65940c95f44fbc0947067deef336e45e1ef3de340794949122c1b

Download Submit
\IntelprocJK\xdobloc.exe

Filesize
2.7MB

MD5
dcac42fe805b45d41d250a99eaf93915

SHA1
dee2ab8eedcb761d0f80117c38c8a019f0894e36

SHA256
18556da9a9df6392960d590d78a8e7ecd5bb202cc8424b31e4dc9cd024008075

SHA512
0b483c7fbec00196302a8b4f83f9011941d80c599a7027526b70b3f393f67f2dfcebd5ea8cb896940b39d7c19d24f51fe5e1c88789e35de0e7b56bae46fbae8f

Download Submit