f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6

Analysis

max time kernel
149s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2024, 05:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
Size

3.1MB
MD5

3e4e96e2d5e0f1544b85afe1a138ad74
SHA1

4710270e170afbfe822aa635aa62f8a75abab153
SHA256

f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6
SHA512

2d186cace7ab782e850a4247c283f2877850992cf34fe380c445733e394ec0e02a309e481d8cd274130844fb87062dad18369ffb22431d778b88a9c07fb2711c
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBq9w4Su+LNfej:+R0pI/IQlUoMPdmpSpc4JkNfej

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2852	xdobsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintDK\\dobdevsys.exe"	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotJ9\\xdobsys.exe"	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2112	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
2112	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
2112	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
2112	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
2852	xdobsys.exe
2852	xdobsys.exe
2112	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
2112	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
2852	xdobsys.exe
2852	xdobsys.exe
2112	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
2112	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
2852	xdobsys.exe
2852	xdobsys.exe
2112	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
2112	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
2852	xdobsys.exe
2852	xdobsys.exe
2112	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
2112	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
2852	xdobsys.exe
2852	xdobsys.exe
2112	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
2112	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
2852	xdobsys.exe
2852	xdobsys.exe
2112	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
2112	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
2852	xdobsys.exe
2852	xdobsys.exe
2112	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
2112	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
2852	xdobsys.exe
2852	xdobsys.exe
2112	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
2112	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
2852	xdobsys.exe
2852	xdobsys.exe
2112	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
2112	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
2852	xdobsys.exe
2852	xdobsys.exe
2112	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
2112	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
2852	xdobsys.exe
2852	xdobsys.exe
2112	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
2112	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
2852	xdobsys.exe
2852	xdobsys.exe
2112	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
2112	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
2852	xdobsys.exe
2852	xdobsys.exe
2112	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
2112	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
2852	xdobsys.exe
2852	xdobsys.exe
2112	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
2112	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
2852	xdobsys.exe
2852	xdobsys.exe
2112	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
2112	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2852	2112	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe	94
PID 2112 wrote to memory of 2852	2112	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe	94
PID 2112 wrote to memory of 2852	2112	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe	94

C:\Users\Admin\AppData\Local\Temp\f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
"C:\Users\Admin\AppData\Local\Temp\f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2112
- C:\UserDotJ9\xdobsys.exe
  C:\UserDotJ9\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4288,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4020 /prefetch:8
1⤵
PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintDK\dobdevsys.exe

Filesize
1.6MB

MD5
a0f509c80427a83c9fff5513287a3456

SHA1
464829162371e80f528cf7e0d84d0be2d96b9215

SHA256
72034e47a4dbfe5282862251344d3c7c503e4d6542c9a7ffbed68c771ea772ea

SHA512
7607feeaea5d6e7bb118bc30abd015e1a0e38259663d2226d455387cb41ee16fb7a55d3eb0d1956dcbaa0c83b01c2e8fe4afccf92519f47f9619238e4b19b0e2

Download Submit
C:\MintDK\dobdevsys.exe

Filesize
2.4MB

MD5
e4d59044acb8ba8e979225abd493cfe3

SHA1
b84004d8238b9d3c1ddbed22a966b4ea9511a986

SHA256
6ff01081d996554dca0b73040d5ef547a3af7cc7e6a383d9146917e9b45dc7d8

SHA512
435e2ba33cbe4f8f052a9a3ff766922077cd19c0e7b2f93aad11023c3dc6f85dbc2c0962fbbb28fee8d7e8e5e00ffd126f349f24dc5f92ec39052437a5699a60

Download Submit
C:\UserDotJ9\xdobsys.exe

Filesize
3.1MB

MD5
941019e8e9a350e52ed06f4a8538ab25

SHA1
19a5ab97ebf0ab2882695fddacd143f2b253fb97

SHA256
7ffe5f70e06bfd8cb4e922f63f4ad3be3a3e3df02e1df37116876d63a240377d

SHA512
59be3a65c6f53d1f4cd7df97b616e8076d1988aa2d83620a8bf68c23c97f53335ccea1bb80482f30c8fcfd7b58b1b209aa176176e31ce47fbb3c21b1c0b47a42

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
207B

MD5
a509f0be8580a748dd77bce877ed788e

SHA1
09aa6eb666439a65fcbc50e594aa45ffbcbdd0c8

SHA256
c2b67f1263b83a62352b5089fda29247a91fcc721e86d8c423489b899e9465c8

SHA512
12f77b9fcc6479dc9716a2b2e1f996ccf4922f3bf17619d8f606520ac8a7d478a130cb6b575ab77948ce3d8bc2ee86b80a83c6148ba029b81e5f08db4c43afe8

Download Submit