15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315

Analysis

max time kernel
149s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 22:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315.exe
Size

2.7MB
MD5

6413d4f542b8b8e0ebbaf358f6e9e4c0
SHA1

95457db2d8b88456fe65cde45a3b5ea53029121e
SHA256

15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315
SHA512

7bf0fbc46a36dcfa84544ba6ca6baba20c32a009fcd95a00e90bec29387520335e273c9eddfde8aab5bd505a9865bf8414e4d5d7aa921cc0517879849b6b84f2
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBU9w4Sx:+R0pI/IQlUoMPdmpSpe4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1708	xdobec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesAJ\\xdobec.exe"	15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidNG\\boddevec.exe"	15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4232	15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315.exe
4232	15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315.exe
4232	15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315.exe
4232	15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315.exe
1708	xdobec.exe
1708	xdobec.exe
4232	15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315.exe
4232	15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315.exe
1708	xdobec.exe
1708	xdobec.exe
4232	15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315.exe
4232	15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315.exe
1708	xdobec.exe
1708	xdobec.exe
4232	15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315.exe
4232	15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315.exe
1708	xdobec.exe
1708	xdobec.exe
4232	15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315.exe
4232	15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315.exe
1708	xdobec.exe
1708	xdobec.exe
4232	15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315.exe
4232	15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315.exe
1708	xdobec.exe
1708	xdobec.exe
4232	15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315.exe
4232	15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315.exe
1708	xdobec.exe
1708	xdobec.exe
4232	15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315.exe
4232	15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315.exe
1708	xdobec.exe
1708	xdobec.exe
4232	15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315.exe
4232	15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315.exe
1708	xdobec.exe
1708	xdobec.exe
4232	15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315.exe
4232	15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315.exe
1708	xdobec.exe
1708	xdobec.exe
4232	15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315.exe
4232	15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315.exe
1708	xdobec.exe
1708	xdobec.exe
4232	15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315.exe
4232	15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315.exe
1708	xdobec.exe
1708	xdobec.exe
4232	15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315.exe
4232	15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315.exe
1708	xdobec.exe
1708	xdobec.exe
4232	15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315.exe
4232	15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315.exe
1708	xdobec.exe
1708	xdobec.exe
4232	15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315.exe
4232	15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315.exe
1708	xdobec.exe
1708	xdobec.exe
4232	15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315.exe
4232	15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4232 wrote to memory of 1708	4232	15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315.exe	88
PID 4232 wrote to memory of 1708	4232	15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315.exe	88
PID 4232 wrote to memory of 1708	4232	15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315.exe	88

C:\Users\Admin\AppData\Local\Temp\15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315.exe
"C:\Users\Admin\AppData\Local\Temp\15dae537521fde5da981f785d9e709984ac9746fa37afdf2ffe0bd07ca8f5315.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4232
- C:\FilesAJ\xdobec.exe
  C:\FilesAJ\xdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3124,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=3908 /prefetch:8
1⤵
PID:3652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesAJ\xdobec.exe

Filesize
2.7MB

MD5
d636b26c1775fac3f77c76fd784a8562

SHA1
a373edd09f6cfe23d67efe14e7efdfcb206b48e9

SHA256
c97ab12a2cf6593a1e6df90eabb0ae5f701561a9ffab0a6dbba33da34d24facf

SHA512
87085851d81ed07e3231d341d2f0573a3e0264e3301842b799e5c9b4ced21bdf7d04bb22a937637e8dd63fb713564dd30f278e4f2544b107c64eee3adf5daa96

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
173239bc88e2d7e7c53077851062f578

SHA1
88a20f7e914e02040a21f53bddcf24121b339b0a

SHA256
0d73cfbadfd005149e6ff19448ac55fb089a334c208ad244ce0940fd48bb31d2

SHA512
299bbf889490491a8e02e3f7b6e37f8fa1a91c792e05dd33299a36201fd5eeacdd5b732fad650deb5106fbc4592c840ca65ac32165c3240d3541a310904f9a3f

Download Submit
C:\VidNG\boddevec.exe

Filesize
2.7MB

MD5
807b70c4bd82c01e1d6cc22a685e95f8

SHA1
a26802f0196f5a01f13e489ca6de72c6d3b1a256

SHA256
4f04919002dcd50c493abab1e22dd5d6f11ccf1a930bb149e3191f9c9a1a411a

SHA512
dd1e1797cefa471545ef355f88a860ef41736ddca69092da25d222078a7f3e2b9892eca67b38f29c76d0dcfcdea01f350b2d2b62bed6c8109ba46aa09beafbd9

Download Submit