089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
31/05/2024, 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe
Size

2.7MB
MD5

9625fc7f9097e6ed05eb2372b78797e6
SHA1

a5f2e61257d905dab4952417dd919e12f98c955e
SHA256

089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e
SHA512

d438e8766f388dd7095364bd7de83e3152c0084512c4cc1ef2498e9c525cc6d956b5545d2a00cb9250415d6ff90e48ad25959e50be87e9837b628ac6e59aa58c
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBM9w4S+:+R0pI/IQlUoMPdmpSpa4X

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
904	xbodec.exe

Loads dropped DLL 1 IoCs

pid	Process
2364	089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeSB\\xbodec.exe"	089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintNT\\dobaloc.exe"	089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2364	089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe
2364	089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe
904	xbodec.exe
2364	089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe
904	xbodec.exe
2364	089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe
904	xbodec.exe
2364	089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe
904	xbodec.exe
2364	089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe
904	xbodec.exe
2364	089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe
904	xbodec.exe
2364	089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe
904	xbodec.exe
2364	089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe
904	xbodec.exe
2364	089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe
904	xbodec.exe
2364	089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe
904	xbodec.exe
2364	089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe
904	xbodec.exe
2364	089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe
904	xbodec.exe
2364	089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe
904	xbodec.exe
2364	089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe
904	xbodec.exe
2364	089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe
904	xbodec.exe
2364	089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe
904	xbodec.exe
2364	089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe
904	xbodec.exe
2364	089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe
904	xbodec.exe
2364	089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe
904	xbodec.exe
2364	089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe
904	xbodec.exe
2364	089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe
904	xbodec.exe
2364	089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe
904	xbodec.exe
2364	089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe
904	xbodec.exe
2364	089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe
904	xbodec.exe
2364	089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe
904	xbodec.exe
2364	089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe
904	xbodec.exe
2364	089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe
904	xbodec.exe
2364	089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe
904	xbodec.exe
2364	089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe
904	xbodec.exe
2364	089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe
904	xbodec.exe
2364	089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe
904	xbodec.exe
2364	089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 904	2364	089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe	28
PID 2364 wrote to memory of 904	2364	089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe	28
PID 2364 wrote to memory of 904	2364	089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe	28
PID 2364 wrote to memory of 904	2364	089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe	28

C:\Users\Admin\AppData\Local\Temp\089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe
"C:\Users\Admin\AppData\Local\Temp\089e0efbe69ca9e9a4b307daa7932ec0f8816638bc8e813e38935d727dcb563e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2364
- C:\AdobeSB\xbodec.exe
  C:\AdobeSB\xbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintNT\dobaloc.exe

Filesize
2.7MB

MD5
44be9082e7b3a36c20b7eca7a850db7d

SHA1
1025c9c8859d44dbbf93f52bc79639758b6183a8

SHA256
e59452aa152c918483595e1f1562fb96b9dac062b82407ad1a7a38ea19f7fbb0

SHA512
e686b919d30baa37c650e65d5f4da4daa688375096e807eabdb13023284446a9b4f0621d73054e7e304d87814d9146c15f6d2d2557dc0b6be779c44bf895c1fd

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
199B

MD5
cc365f8fb86d8365d35846fc58bbf1ce

SHA1
f24f2c572bc63988337f6ded66284fac94aa0e32

SHA256
890837668ff9c608b5d34d93e074f3bb964bc6203ac6cb77adc3f49d373ef407

SHA512
13eea5dd57a4d4bf1bb8bf27ebeef39fc39e6b8e67562cfd760a87e20d2c5930d4071e3899443d5208cdb60ca95b74932060221ec38f9914b5f725643077200e

Download Submit
\AdobeSB\xbodec.exe

Filesize
2.7MB

MD5
f8cf44a05611c3c11439013dc7f3f842

SHA1
ff57692ab7f245e99c2442d218d87e866d424f4f

SHA256
be06fce3acb20a3cb1816afbaafbba10496b915e6e0ad1d1bca5375b3136ac1d

SHA512
7263e501204f6837e63eed07c2cb59ec0225d4bdc97a7d1a89e4f54dea220b2a8cdf6fd1b77155e472f25ec070df710dc993c074c0bb07ca2b01dda1b8dc6fdb

Download Submit