f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 05:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
Size

2.7MB
MD5

101637be78dac80a40b022e5ee2877fd
SHA1

e31cb18fbdd8d74d6eba90e93ad6c82444d1cf80
SHA256

f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322
SHA512

5e5ab7c38d3dc0855b04558fe58bce8acd90d4cdac5df0f11018ef37c2410632822cb7786ad6bdc2fff8a71b217e717ca76cc98e794b0a266fcc82102952a33e
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB79w4Sx:+R0pI/IQlUoMPdmpSpP4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1380	xdobsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocCR\\xdobsys.exe"	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintU2\\dobdevsys.exe"	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
372	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
372	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
372	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
372	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
1380	xdobsys.exe
1380	xdobsys.exe
372	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
372	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
1380	xdobsys.exe
1380	xdobsys.exe
372	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
372	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
1380	xdobsys.exe
1380	xdobsys.exe
372	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
372	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
1380	xdobsys.exe
1380	xdobsys.exe
372	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
372	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
1380	xdobsys.exe
1380	xdobsys.exe
372	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
372	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
1380	xdobsys.exe
1380	xdobsys.exe
372	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
372	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
1380	xdobsys.exe
1380	xdobsys.exe
372	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
372	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
1380	xdobsys.exe
1380	xdobsys.exe
372	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
372	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
1380	xdobsys.exe
1380	xdobsys.exe
372	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
372	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
1380	xdobsys.exe
1380	xdobsys.exe
372	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
372	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
1380	xdobsys.exe
1380	xdobsys.exe
372	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
372	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
1380	xdobsys.exe
1380	xdobsys.exe
372	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
372	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
1380	xdobsys.exe
1380	xdobsys.exe
372	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
372	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
1380	xdobsys.exe
1380	xdobsys.exe
372	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
372	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
1380	xdobsys.exe
1380	xdobsys.exe
372	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
372	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 372 wrote to memory of 1380	372	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe	85
PID 372 wrote to memory of 1380	372	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe	85
PID 372 wrote to memory of 1380	372	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe	85

C:\Users\Admin\AppData\Local\Temp\f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
"C:\Users\Admin\AppData\Local\Temp\f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:372
- C:\IntelprocCR\xdobsys.exe
  C:\IntelprocCR\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocCR\xdobsys.exe

Filesize
2.7MB

MD5
8398a396c91ac596d6b26e902a81f8e4

SHA1
890a31d1e91be3cc7955f9f6c0dc7e2a940d8d46

SHA256
b36175c8ee5c5080704a5aa1b6ac51d12706ee84f48a745ff261be8ac43090d2

SHA512
e473d73012cd5573f17b30a901956a3e5938958417933e7e10df660bb60ca930ac75b7b6d122084857d19b82808d155ed5b6685f0f501bc32a237ba102345f6d

Download Submit
C:\MintU2\dobdevsys.exe

Filesize
6KB

MD5
391d87f7dfcdcf695428c50d11e173c8

SHA1
ab8fff10daa93adfc6c017c4bf21b86f4189f84d

SHA256
5c4697c99b2da7db0fca8855f6db02ac53bab7596f8df0142e4698686d92b38a

SHA512
17b5515b565376f6bf76ddde6de5651181ca90f9dae0eeba7bca03fef1a906b06eb1f64466827f089adf928db6f27741a3e81cad034e4e66209c1fe4b1f7f0b9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
209B

MD5
44c9d793645efc2df1d4668dd9eb28d3

SHA1
35001ad426cc861287a9be5ee638308d0a4320b0

SHA256
a38027ae0510202cf04b9e2e400bff1bd231caf098bcffee27d224599e25eea3

SHA512
725ed065099bf4468c630ceb45e64376676f010e924e7a45b8a4bb1a1d6f5804eeedc21c43004227e7933db775273107c48c62463baac84c75435798326810e4

Download Submit