d40b9c2dfe63e750b33284eb6051e756c912992ac3ef583f3659d894a80d170e

Analysis

max time kernel
119s
max time network
18s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 23:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

320c470e96ec8d92177623c7504036e0N.exe
Size

2.7MB
MD5

320c470e96ec8d92177623c7504036e0
SHA1

739747259a99c20d299a815672e5b9fc8bbcb301
SHA256

d40b9c2dfe63e750b33284eb6051e756c912992ac3ef583f3659d894a80d170e
SHA512

abf0329bf50b5c578dfbbff254e8f27405f7767062472447ed408518a95bab54bfb4822e6b21f96c7df684e09bb86eedda96eda49db95b4bdac696b72d437533
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB09w4Sx:+R0pI/IQlUoMPdmpSpe4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1924	xdobsys.exe

Loads dropped DLL 1 IoCs

pid	Process
2404	320c470e96ec8d92177623c7504036e0N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotLX\\xdobsys.exe"	320c470e96ec8d92177623c7504036e0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBPB\\optixloc.exe"	320c470e96ec8d92177623c7504036e0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2404	320c470e96ec8d92177623c7504036e0N.exe
2404	320c470e96ec8d92177623c7504036e0N.exe
1924	xdobsys.exe
2404	320c470e96ec8d92177623c7504036e0N.exe
1924	xdobsys.exe
2404	320c470e96ec8d92177623c7504036e0N.exe
1924	xdobsys.exe
2404	320c470e96ec8d92177623c7504036e0N.exe
1924	xdobsys.exe
2404	320c470e96ec8d92177623c7504036e0N.exe
1924	xdobsys.exe
2404	320c470e96ec8d92177623c7504036e0N.exe
1924	xdobsys.exe
2404	320c470e96ec8d92177623c7504036e0N.exe
1924	xdobsys.exe
2404	320c470e96ec8d92177623c7504036e0N.exe
1924	xdobsys.exe
2404	320c470e96ec8d92177623c7504036e0N.exe
1924	xdobsys.exe
2404	320c470e96ec8d92177623c7504036e0N.exe
1924	xdobsys.exe
2404	320c470e96ec8d92177623c7504036e0N.exe
1924	xdobsys.exe
2404	320c470e96ec8d92177623c7504036e0N.exe
1924	xdobsys.exe
2404	320c470e96ec8d92177623c7504036e0N.exe
1924	xdobsys.exe
2404	320c470e96ec8d92177623c7504036e0N.exe
1924	xdobsys.exe
2404	320c470e96ec8d92177623c7504036e0N.exe
1924	xdobsys.exe
2404	320c470e96ec8d92177623c7504036e0N.exe
1924	xdobsys.exe
2404	320c470e96ec8d92177623c7504036e0N.exe
1924	xdobsys.exe
2404	320c470e96ec8d92177623c7504036e0N.exe
1924	xdobsys.exe
2404	320c470e96ec8d92177623c7504036e0N.exe
1924	xdobsys.exe
2404	320c470e96ec8d92177623c7504036e0N.exe
1924	xdobsys.exe
2404	320c470e96ec8d92177623c7504036e0N.exe
1924	xdobsys.exe
2404	320c470e96ec8d92177623c7504036e0N.exe
1924	xdobsys.exe
2404	320c470e96ec8d92177623c7504036e0N.exe
1924	xdobsys.exe
2404	320c470e96ec8d92177623c7504036e0N.exe
1924	xdobsys.exe
2404	320c470e96ec8d92177623c7504036e0N.exe
1924	xdobsys.exe
2404	320c470e96ec8d92177623c7504036e0N.exe
1924	xdobsys.exe
2404	320c470e96ec8d92177623c7504036e0N.exe
1924	xdobsys.exe
2404	320c470e96ec8d92177623c7504036e0N.exe
1924	xdobsys.exe
2404	320c470e96ec8d92177623c7504036e0N.exe
1924	xdobsys.exe
2404	320c470e96ec8d92177623c7504036e0N.exe
1924	xdobsys.exe
2404	320c470e96ec8d92177623c7504036e0N.exe
1924	xdobsys.exe
2404	320c470e96ec8d92177623c7504036e0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 1924	2404	320c470e96ec8d92177623c7504036e0N.exe	30
PID 2404 wrote to memory of 1924	2404	320c470e96ec8d92177623c7504036e0N.exe	30
PID 2404 wrote to memory of 1924	2404	320c470e96ec8d92177623c7504036e0N.exe	30
PID 2404 wrote to memory of 1924	2404	320c470e96ec8d92177623c7504036e0N.exe	30

C:\Users\Admin\AppData\Local\Temp\320c470e96ec8d92177623c7504036e0N.exe
"C:\Users\Admin\AppData\Local\Temp\320c470e96ec8d92177623c7504036e0N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2404
- C:\UserDotLX\xdobsys.exe
  C:\UserDotLX\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBPB\optixloc.exe

Filesize
2.7MB

MD5
8ac97a23740c14a85a905688c48b4138

SHA1
103a37d0726b3d62573c0bd8171ee18b3cd41e99

SHA256
2ae3905aec7722e9031fe1aac3a761c74d31ae7d858fb3563d581c3520e95de1

SHA512
7e6d8626f3cc7330691826e4ea0e0c0696d8470d1b9b5cf820ba9fc010c5dc9670fd08061ab5b72b1feebdb8055fbb6df122670f55e46bffc0d94007f9c31589

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
198B

MD5
a350499ec91ef6235b74bbd02838f1c8

SHA1
bc3ccff6408dd62c2a3eb6f85829b8bee6550c44

SHA256
96416e00f4f3ce91429f85647027cfa2aac828ab696680bb3f9c40590d930a9d

SHA512
a59a8c3128e734c051d20f64740d94d80b617a30a77ab2292fa63879dbdde819b99fc6f3de95b8b6ea599f123c65759172a3dc8ad37f6a9c4a834ca93c944e30

Download Submit
\UserDotLX\xdobsys.exe

Filesize
2.7MB

MD5
84737b9f001fb41d440e4ab8afa35f75

SHA1
414ea97f255b21c041cf2f86c8bc36380f6e2a8d

SHA256
a9c0f916c6668a2e49fb7b37bc85aa82a790fbd2ba5cefd3c801017c0d83dd9a

SHA512
71bbbfbf3a0fddb91e4f0fae6f3d717a44d4ae46382af6baa0c7e9c1db096393a2ad9799bfde65ff761cf79c89c3e42781c438fcbe01aefe0d944265de5385f8

Download Submit