Analysis
- max time kernel: 149s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 09/06/2024, 07:55
Static task: static1

Behavioral task: behavioral1
- Sample: bc53a48e3d0a07e65f95fc13a3ffeadd98dc939d0b5e1041d7cbc101fc915b93.exe
- Resource: win7-20240215-en

Behavioral task: behavioral2
- Sample: bc53a48e3d0a07e65f95fc13a3ffeadd98dc939d0b5e1041d7cbc101fc915b93.exe
- Resource: win10v2004-20240426-en
General
- Target: bc53a48e3d0a07e65f95fc13a3ffeadd98dc939d0b5e1041d7cbc101fc915b93.exe
- Size: 2.7MB
- MD5: c123689ea8d6e1dc0cca3c454163f1cc
- SHA1: b5b7f649976f37c35a4a3fd441947ee24a485f77
- SHA256: bc53a48e3d0a07e65f95fc13a3ffeadd98dc939d0b5e1041d7cbc101fc915b93
- SHA512: bb48c921f7bf1c56a327b3964741c461f93eaa632e8024d56348344d10c3448d40916ada5408d157dfe32888116c5c5475871e7ecc6e2db9f07ac38d5fea368f
- SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBX9w4Sx:+R0pI/IQlUoMPdmpSp/4
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 2008, Process xdobec.exe

- Loads dropped DLL (1 IoC)
  pid 2592, Process bc53a48e3d0a07e65f95fc13a3ffeadd98dc939d0b5e1041d7cbc101fc915b93.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesIF\\xdobec.exe" (Process: bc53a48e3d0a07e65f95fc13a3ffeadd98dc939d0b5e1041d7cbc101fc915b93.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint3P\\bodxsys.exe" (Process: bc53a48e3d0a07e65f95fc13a3ffeadd98dc939d0b5e1041d7cbc101fc915b93.exe)

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2592, Process bc53a48e3d0a07e65f95fc13a3ffeadd98dc939d0b5e1041d7cbc101fc915b93.exe
  pid 2008, Process xdobec.exe
  (all 64 entries refer to these two processes, repeated)

- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2592 wrote to memory of 2008, Process bc53a48e3d0a07e65f95fc13a3ffeadd98dc939d0b5e1041d7cbc101fc915b93.exe, procid_target 28
  PID 2592 wrote to memory of 2008, Process bc53a48e3d0a07e65f95fc13a3ffeadd98dc939d0b5e1041d7cbc101fc915b93.exe, procid_target 28
  PID 2592 wrote to memory of 2008, Process bc53a48e3d0a07e65f95fc13a3ffeadd98dc939d0b5e1041d7cbc101fc915b93.exe, procid_target 28
  PID 2592 wrote to memory of 2008, Process bc53a48e3d0a07e65f95fc13a3ffeadd98dc939d0b5e1041d7cbc101fc915b93.exe, procid_target 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\bc53a48e3d0a07e65f95fc13a3ffeadd98dc939d0b5e1041d7cbc101fc915b93.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bc53a48e3d0a07e65f95fc13a3ffeadd98dc939d0b5e1041d7cbc101fc915b93.exe"
   PID: 2592
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\FilesIF\xdobec.exe (child of PID 2592)
      Command line: C:\FilesIF\xdobec.exe
      PID: 2008
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.7MB
  MD5: 633643800df8cd88df65d92d6e6a353a
  SHA1: 43dd243a3991cc5d7a5e0f5fcf7bcfcc4d5f2821
  SHA256: a75c8ccde430578d430d4b684340b5e1c035d99a28764d9787d884ab390529bf
  SHA512: 5af3a300c1c73e29bbb6c59168dbb84bac5cccce46fdc19fef34c75428ce0b8212fd14ec560ad6326a99d735aca82155718f19b0b62ddd815b092769af957d1c

- Filesize: 200B
  MD5: 2ddcb4f2cf54be0b471b7813275ad35e
  SHA1: 1e6cb29c5502f946763739edc4d9547cf9402e2c
  SHA256: e5ed89fdd064e713e9eba0f94c27bea81f125fd9037e8e003fcc01490d262f9c
  SHA512: c98767353681a34684afff702686d64ea3a149a1c4f5832242fd6ebcbb7bf0a0f502cdbb17dcf36a3d45bf04b3afaa26b1898723acea23ab9335c56bb0035930

- Filesize: 2.7MB
  MD5: 795e89632055262659f7d12d1c28f580
  SHA1: 940497e35721a0041ea19ccc79a0b85340522492
  SHA256: f79c441f79d1e12781ed411eea1c08974725651d3655bcd986342ece64330cca
  SHA512: ed9ac8371fc4c909d98f52d6aee7b542f4ec0fb3ecafb0f0fe9b7540296f24e88afc5b2239069c2a41adb0ba9bc47bdb79a9b850cf3309ee7f90ebb1feefd58a