1073b8b818367ee91dd2832c756fda34ff19abc5cddd66b20327d67f10915f2d

Analysis

max time kernel
119s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2024 02:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f61004a46ea798fc299ff54f5cfbe30N.exe
Size

2.7MB
MD5

5f61004a46ea798fc299ff54f5cfbe30
SHA1

05b5dbfbe1c1b5cfa38a0fefbf7a20a7350ad3c6
SHA256

1073b8b818367ee91dd2832c756fda34ff19abc5cddd66b20327d67f10915f2d
SHA512

6256ec53186c259c6081c82de1a1e149544f7378a48407bfeb00470579bb8a559491413cb3793450db5aa64427a8072703fc888863a12d4507ac98edd838b566
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBV9w4Sx:+R0pI/IQlUoMPdmpSpF4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1432	xdobsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot85\\xdobsys.exe"	5f61004a46ea798fc299ff54f5cfbe30N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ4Z\\dobdevec.exe"	5f61004a46ea798fc299ff54f5cfbe30N.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\AdminI.]]1NaNI?\NZV[TI:VP_\`\SaIDV[Q\d`I@aN_a :R[bI=_\T_NZ`I@aN_ab]Isysxbod.exe	5f61004a46ea798fc299ff54f5cfbe30N.exe
File created	C:\Users\AdminI.]]1NaNI?\NZV[TI:VP_\`\SaIDV[Q\d`I@aN_a	xdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1620	5f61004a46ea798fc299ff54f5cfbe30N.exe
1620	5f61004a46ea798fc299ff54f5cfbe30N.exe
1620	5f61004a46ea798fc299ff54f5cfbe30N.exe
1620	5f61004a46ea798fc299ff54f5cfbe30N.exe
1432	xdobsys.exe
1432	xdobsys.exe
1620	5f61004a46ea798fc299ff54f5cfbe30N.exe
1620	5f61004a46ea798fc299ff54f5cfbe30N.exe
1432	xdobsys.exe
1432	xdobsys.exe
1620	5f61004a46ea798fc299ff54f5cfbe30N.exe
1620	5f61004a46ea798fc299ff54f5cfbe30N.exe
1432	xdobsys.exe
1432	xdobsys.exe
1620	5f61004a46ea798fc299ff54f5cfbe30N.exe
1620	5f61004a46ea798fc299ff54f5cfbe30N.exe
1432	xdobsys.exe
1432	xdobsys.exe
1620	5f61004a46ea798fc299ff54f5cfbe30N.exe
1620	5f61004a46ea798fc299ff54f5cfbe30N.exe
1432	xdobsys.exe
1432	xdobsys.exe
1620	5f61004a46ea798fc299ff54f5cfbe30N.exe
1620	5f61004a46ea798fc299ff54f5cfbe30N.exe
1432	xdobsys.exe
1432	xdobsys.exe
1620	5f61004a46ea798fc299ff54f5cfbe30N.exe
1620	5f61004a46ea798fc299ff54f5cfbe30N.exe
1432	xdobsys.exe
1432	xdobsys.exe
1620	5f61004a46ea798fc299ff54f5cfbe30N.exe
1620	5f61004a46ea798fc299ff54f5cfbe30N.exe
1432	xdobsys.exe
1432	xdobsys.exe
1620	5f61004a46ea798fc299ff54f5cfbe30N.exe
1620	5f61004a46ea798fc299ff54f5cfbe30N.exe
1432	xdobsys.exe
1432	xdobsys.exe
1620	5f61004a46ea798fc299ff54f5cfbe30N.exe
1620	5f61004a46ea798fc299ff54f5cfbe30N.exe
1432	xdobsys.exe
1432	xdobsys.exe
1620	5f61004a46ea798fc299ff54f5cfbe30N.exe
1620	5f61004a46ea798fc299ff54f5cfbe30N.exe
1432	xdobsys.exe
1432	xdobsys.exe
1620	5f61004a46ea798fc299ff54f5cfbe30N.exe
1620	5f61004a46ea798fc299ff54f5cfbe30N.exe
1432	xdobsys.exe
1432	xdobsys.exe
1620	5f61004a46ea798fc299ff54f5cfbe30N.exe
1620	5f61004a46ea798fc299ff54f5cfbe30N.exe
1432	xdobsys.exe
1432	xdobsys.exe
1620	5f61004a46ea798fc299ff54f5cfbe30N.exe
1620	5f61004a46ea798fc299ff54f5cfbe30N.exe
1432	xdobsys.exe
1432	xdobsys.exe
1620	5f61004a46ea798fc299ff54f5cfbe30N.exe
1620	5f61004a46ea798fc299ff54f5cfbe30N.exe
1432	xdobsys.exe
1432	xdobsys.exe
1620	5f61004a46ea798fc299ff54f5cfbe30N.exe
1620	5f61004a46ea798fc299ff54f5cfbe30N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 1432	1620	5f61004a46ea798fc299ff54f5cfbe30N.exe	86
PID 1620 wrote to memory of 1432	1620	5f61004a46ea798fc299ff54f5cfbe30N.exe	86
PID 1620 wrote to memory of 1432	1620	5f61004a46ea798fc299ff54f5cfbe30N.exe	86

C:\Users\Admin\AppData\Local\Temp\5f61004a46ea798fc299ff54f5cfbe30N.exe
"C:\Users\Admin\AppData\Local\Temp\5f61004a46ea798fc299ff54f5cfbe30N.exe"
1⤵
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1620
- C:\UserDot85\xdobsys.exe
  C:\UserDot85\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZ4Z\dobdevec.exe

Filesize
2.7MB

MD5
4e038bd13ced2ccb0d76e95a3f2d2a70

SHA1
63507527e7ccb4d497d25c0fc2e7c86cb10c0695

SHA256
e201a30fb6a6f2fd87e4944bf11a30bd70e27ea4ac3d30230cf23085923fc86c

SHA512
383888aa6fb61d4c21d4227ec345ec5690042f4805cf0cc31f6fa10460fa4947de95e77149c06fadae2dc2d4f4a33c06442da3256c4ca9c6fe6060f0051015e9

Download Submit
C:\UserDot85\xdobsys.exe

Filesize
2.7MB

MD5
3a67b87f84e29502c044884bb478ba47

SHA1
077e28c18f7407bd2137e31a25e01202abadabc7

SHA256
a7e12e748fd72ef51c36a0c1f4145bd1507b8a0a8971a6abd2a97210b9f3f655

SHA512
f7ae47201979183e8edaaabd40516184d26109691480a7b641b0ce4ec85a46b9c4c424ffc381827aa6214a12eb27fe6175a97d23b6985bb16445aabd66cd050c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
f65f447b93ea16267e2a76e3eb8763b4

SHA1
0ba3030acd35eb13df2a8828738d0c0762882b2a

SHA256
b367baa7524b97d509ca8a6c14dcd63a0e8409834b1abb3e13bc520e4df6f426

SHA512
716e3ff7509aa5e690ca46cceb673e740714ec10b90969856037aa4f15df5f72536ea523835a2e6343c795c93228ee8e9bf7a7e1220dcd3bccc243cf5f66c331

Download Submit