0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
Size

2.7MB
MD5

a1912da394e2bde3e98c5958f487fb07
SHA1

600a4ee72b06566fb5cc45e2a33fccd4e49c518f
SHA256

0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c
SHA512

0469248a34a4273b697ca0ffa1863587b0ef17b6ca9fc8a985297c87bd956b23c6e7e6ae2e9b529822c2dc39c2b36e012c374417040c334fc8f278d574721960
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBk9w4Sx:+R0pI/IQlUoMPdmpSpu4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3556	xdobloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesLR\\xdobloc.exe"	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidMT\\optidevsys.exe"	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3644	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
3644	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
3644	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
3644	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
3556	xdobloc.exe
3556	xdobloc.exe
3644	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
3644	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
3556	xdobloc.exe
3556	xdobloc.exe
3644	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
3644	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
3556	xdobloc.exe
3556	xdobloc.exe
3644	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
3644	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
3556	xdobloc.exe
3556	xdobloc.exe
3644	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
3644	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
3556	xdobloc.exe
3556	xdobloc.exe
3644	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
3644	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
3556	xdobloc.exe
3556	xdobloc.exe
3644	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
3644	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
3556	xdobloc.exe
3556	xdobloc.exe
3644	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
3644	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
3556	xdobloc.exe
3556	xdobloc.exe
3644	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
3644	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
3556	xdobloc.exe
3556	xdobloc.exe
3644	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
3644	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
3556	xdobloc.exe
3556	xdobloc.exe
3644	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
3644	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
3556	xdobloc.exe
3556	xdobloc.exe
3644	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
3644	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
3556	xdobloc.exe
3556	xdobloc.exe
3644	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
3644	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
3556	xdobloc.exe
3556	xdobloc.exe
3644	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
3644	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
3556	xdobloc.exe
3556	xdobloc.exe
3644	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
3644	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
3556	xdobloc.exe
3556	xdobloc.exe
3644	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
3644	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3644 wrote to memory of 3556	3644	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe	89
PID 3644 wrote to memory of 3556	3644	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe	89
PID 3644 wrote to memory of 3556	3644	0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe	89

C:\Users\Admin\AppData\Local\Temp\0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe
"C:\Users\Admin\AppData\Local\Temp\0325f891cad6e92bfa71c314590864414ef66d4aa1f4dddcab039983617b181c.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3644
- C:\FilesLR\xdobloc.exe
  C:\FilesLR\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesLR\xdobloc.exe

Filesize
2.7MB

MD5
e9ca23af665987ce06cd1cf52fd7870a

SHA1
ef02dd8eb4b8c80b1ea9e9b401ffecbab1bf29a5

SHA256
f94b808c8e97c2289a0650f48389540a3e4dbf74a28e4c602d6b3460b5ef0b05

SHA512
20dd45f3a4f43d84441980e95a32c3c9ee0cb51370a7ae2ce48370b3eb915ceeb9d185f23fb3c4b2cf06f127d0e9544249979308b9b05d9f8ddaf27746967e40

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
17810e9734acbefde225bb3306a8a0c6

SHA1
a81739ffc582aabcee689be93ff0d7ed940a243a

SHA256
03d0841083d1a0e188a52a3037d5a4c4f544a813cfe9933573f076861932e98a

SHA512
b94cd1674cb6b3788910f47d9ea3fffb12b8c76e1232bdc27cb3861b73f1a8687a533689d7eb313e51627de95294720d7ab9f4c07579728ae891e0ea8ddcbf0f

Download Submit
C:\VidMT\optidevsys.exe

Filesize
2KB

MD5
75ce4e8c53f9b6806ac1eb9333389f45

SHA1
d1bda301f8ae47d55344588ed4a41c720ce6cc09

SHA256
125b5a9aa572a1070c03f3b83132f9e06b5bb82e5c000611e06a74e30ea4cf15

SHA512
b97e02a2f3b8e866cd1b872e369bf45c8c5a571bba9b4c1cb0798c76dd158e0c2ea0d76112eda77efb805b72b9c6717ef4bb14b7ae168f58c76a56afdf517cc1

Download Submit