bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/05/2024, 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
Size

2.7MB
MD5

ba8da79ff4c0f57018fd29846eed383a
SHA1

be836b2d51d2e96aea4635bca73c3afa297d4def
SHA256

bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5
SHA512

6c8c75e214b9bac0292481e53d3b401599ea9187cf2baa58b0f27ebaa76d12249892473d4e6afefb494314deba824db8917844deacd7a6d40d09ca32081df239
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBa9w4Sx:+R0pI/IQlUoMPdmpSpM4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2376	xdobec.exe

Loads dropped DLL 1 IoCs

pid	Process
2972	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files3C\\xdobec.exe"	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ0Z\\dobaec.exe"	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2972	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
2972	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
2376	xdobec.exe
2972	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
2376	xdobec.exe
2972	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
2376	xdobec.exe
2972	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
2376	xdobec.exe
2972	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
2376	xdobec.exe
2972	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
2376	xdobec.exe
2972	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
2376	xdobec.exe
2972	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
2376	xdobec.exe
2972	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
2376	xdobec.exe
2972	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
2376	xdobec.exe
2972	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
2376	xdobec.exe
2972	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
2376	xdobec.exe
2972	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
2376	xdobec.exe
2972	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
2376	xdobec.exe
2972	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
2376	xdobec.exe
2972	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
2376	xdobec.exe
2972	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
2376	xdobec.exe
2972	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
2376	xdobec.exe
2972	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
2376	xdobec.exe
2972	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
2376	xdobec.exe
2972	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
2376	xdobec.exe
2972	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
2376	xdobec.exe
2972	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
2376	xdobec.exe
2972	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
2376	xdobec.exe
2972	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
2376	xdobec.exe
2972	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
2376	xdobec.exe
2972	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
2376	xdobec.exe
2972	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
2376	xdobec.exe
2972	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
2376	xdobec.exe
2972	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
2376	xdobec.exe
2972	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
2376	xdobec.exe
2972	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2376	2972	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe	28
PID 2972 wrote to memory of 2376	2972	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe	28
PID 2972 wrote to memory of 2376	2972	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe	28
PID 2972 wrote to memory of 2376	2972	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe	28

C:\Users\Admin\AppData\Local\Temp\bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
"C:\Users\Admin\AppData\Local\Temp\bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Files3C\xdobec.exe
  C:\Files3C\xdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZ0Z\dobaec.exe

Filesize
2.7MB

MD5
2b1e70b0960d66315d9878e6cddc7a35

SHA1
878df2d474d2e1cf6e6e08c575c96e915538a336

SHA256
a60a72eba97686a9a4207c919d2204bad106be0d8007311533700fc6e94192ee

SHA512
931d875435741e24ea099765f97bd979296ab9503e385a5bef376d0db55db809688dc2560962b352798fa741d739489bf311085b5cb71a82cc4b1b6e88eb48b8

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
199B

MD5
c478f867dcd43862661052b4d09a6298

SHA1
42a5871d72b60045b79476fb2e13c2ef1e5c900f

SHA256
4ded21f008525ea6a6ce86bddeaca0e7ed4d9a9019a750bc35397572360508c7

SHA512
7a134dc3259326fb1665ccb0454263d724795179a60eb2582be35c2cc890239c9aa3c899c6dfcc70ec2f645f89b36c7e60964330c9355375b668bce65f911e5e

Download Submit
\Files3C\xdobec.exe

Filesize
2.7MB

MD5
ce78761b0bae63abbcd2feb5d91757b1

SHA1
78ccc5ecd86ebe24c43f8842b318b23a8229f19b

SHA256
839ea1284b58e9c093924d7bac122f9ae8f192c81b96066e0f146df319751309

SHA512
fe8d39279397420dd94f9b7b68952b77b932e35a6331cdc4efbc80c8587a569b712f5511b69f103630096f6186c80deb3d2270f292beb140943adb6761036337

Download Submit