47b1dceb83bb9f203b409810d90d071d916712ccc625735490ec71841d3f4a0c

Analysis

max time kernel
119s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 22:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0edc7b98b794b69193f730e8c80d0d30N.exe
Size

4.1MB
MD5

0edc7b98b794b69193f730e8c80d0d30
SHA1

20d911968a7aec4d1f7aec5bab34c2cac30b8c95
SHA256

47b1dceb83bb9f203b409810d90d071d916712ccc625735490ec71841d3f4a0c
SHA512

8c5b992403e4f90339f9cd2139599a4b3b18cfee049aba210fe2a0c84bc440ae39438a40c6fc8ee1307ba6ad7c1b2b8c3ce3cefe6541e1f57f65ff01e86ef6e3
SSDEEP

98304:+R0pI/IQlUoMPdmpSp/4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmo5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3368	xdobec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files7Z\\xdobec.exe"	0edc7b98b794b69193f730e8c80d0d30N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintH7\\dobdevloc.exe"	0edc7b98b794b69193f730e8c80d0d30N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3436	0edc7b98b794b69193f730e8c80d0d30N.exe
3436	0edc7b98b794b69193f730e8c80d0d30N.exe
3436	0edc7b98b794b69193f730e8c80d0d30N.exe
3436	0edc7b98b794b69193f730e8c80d0d30N.exe
3368	xdobec.exe
3368	xdobec.exe
3436	0edc7b98b794b69193f730e8c80d0d30N.exe
3436	0edc7b98b794b69193f730e8c80d0d30N.exe
3368	xdobec.exe
3368	xdobec.exe
3436	0edc7b98b794b69193f730e8c80d0d30N.exe
3436	0edc7b98b794b69193f730e8c80d0d30N.exe
3368	xdobec.exe
3368	xdobec.exe
3436	0edc7b98b794b69193f730e8c80d0d30N.exe
3436	0edc7b98b794b69193f730e8c80d0d30N.exe
3368	xdobec.exe
3368	xdobec.exe
3436	0edc7b98b794b69193f730e8c80d0d30N.exe
3436	0edc7b98b794b69193f730e8c80d0d30N.exe
3368	xdobec.exe
3368	xdobec.exe
3436	0edc7b98b794b69193f730e8c80d0d30N.exe
3436	0edc7b98b794b69193f730e8c80d0d30N.exe
3368	xdobec.exe
3368	xdobec.exe
3436	0edc7b98b794b69193f730e8c80d0d30N.exe
3436	0edc7b98b794b69193f730e8c80d0d30N.exe
3368	xdobec.exe
3368	xdobec.exe
3436	0edc7b98b794b69193f730e8c80d0d30N.exe
3436	0edc7b98b794b69193f730e8c80d0d30N.exe
3368	xdobec.exe
3368	xdobec.exe
3436	0edc7b98b794b69193f730e8c80d0d30N.exe
3436	0edc7b98b794b69193f730e8c80d0d30N.exe
3368	xdobec.exe
3368	xdobec.exe
3436	0edc7b98b794b69193f730e8c80d0d30N.exe
3436	0edc7b98b794b69193f730e8c80d0d30N.exe
3368	xdobec.exe
3368	xdobec.exe
3436	0edc7b98b794b69193f730e8c80d0d30N.exe
3436	0edc7b98b794b69193f730e8c80d0d30N.exe
3368	xdobec.exe
3368	xdobec.exe
3436	0edc7b98b794b69193f730e8c80d0d30N.exe
3436	0edc7b98b794b69193f730e8c80d0d30N.exe
3368	xdobec.exe
3368	xdobec.exe
3436	0edc7b98b794b69193f730e8c80d0d30N.exe
3436	0edc7b98b794b69193f730e8c80d0d30N.exe
3368	xdobec.exe
3368	xdobec.exe
3436	0edc7b98b794b69193f730e8c80d0d30N.exe
3436	0edc7b98b794b69193f730e8c80d0d30N.exe
3368	xdobec.exe
3368	xdobec.exe
3436	0edc7b98b794b69193f730e8c80d0d30N.exe
3436	0edc7b98b794b69193f730e8c80d0d30N.exe
3368	xdobec.exe
3368	xdobec.exe
3436	0edc7b98b794b69193f730e8c80d0d30N.exe
3436	0edc7b98b794b69193f730e8c80d0d30N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3436 wrote to memory of 3368	3436	0edc7b98b794b69193f730e8c80d0d30N.exe	86
PID 3436 wrote to memory of 3368	3436	0edc7b98b794b69193f730e8c80d0d30N.exe	86
PID 3436 wrote to memory of 3368	3436	0edc7b98b794b69193f730e8c80d0d30N.exe	86

C:\Users\Admin\AppData\Local\Temp\0edc7b98b794b69193f730e8c80d0d30N.exe
"C:\Users\Admin\AppData\Local\Temp\0edc7b98b794b69193f730e8c80d0d30N.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3436
- C:\Files7Z\xdobec.exe
  C:\Files7Z\xdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files7Z\xdobec.exe

Filesize
4.1MB

MD5
0733edad930e069b03869cacf32f07b5

SHA1
41a005984d2c1d24de3d30ae951d8beac6ea3a67

SHA256
a2379f8866c32bde123fd51c04c4b7b35ab53571ab55f78e3307bf469275c6d1

SHA512
6581c51d051365a4fc01b0e46e0daaeab2f3d366f3e656bc261e06157e467f70108be55e84f3cb7578e7525b530561da14d74030ad0b232a9c1961405036c9ab

Download Submit
C:\MintH7\dobdevloc.exe

Filesize
4.1MB

MD5
a1d4be69c94e61c57204ea4f50984727

SHA1
c2986b339c2b89cc7d40c985c85cee2f33aad996

SHA256
173094f2e9f45e94462fd3c59f726ccd7f93ea4657637a2c239f10dd5fdc6231

SHA512
14529d3c708f7ea31974791ec02ba41eb79d21824aca7cf620ae42744dc7816deaed2927f6d2c073d11499804a21f58170807360805961181afeb34c0d45c2ba

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
75b615b4eb004b847d8b189ce167ef0a

SHA1
0ba982118b32f045f9e77343bc63e6e4abf2d0de

SHA256
befaed3b43bc658dc49b232f1b74ed435a0019fa6233eb8eae517359ae9d88e3

SHA512
950e331eec3e1d053bdfa6978f3f729d535624176ad991ae705eec806dd63a296222ba0c3196f38058a8e6c0ea5aa04295027ae0f5765f81ec7969cad491be73

Download Submit