5aec07f48d974d389d709d3c89966c1cb9031bc7db0e2525125598120f2133b9

Analysis

max time kernel
119s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2024 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
Size

2.7MB
MD5

6bcaa1f9fe8643b0285fbfa0edbc7470
SHA1

e62cca5f1d23823979dfa540ecbc2f6c77f5db3c
SHA256

5aec07f48d974d389d709d3c89966c1cb9031bc7db0e2525125598120f2133b9
SHA512

59ac3c9f40edc0b176c8589d88772babf622b0a462ece7372d90d5f25a6f65ec39d8952be0ac8984c6d3fe83b7aea541b055d3375dbb4234555e2969f54aac1e
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBe9w4Sx:+R0pI/IQlUoMPdmpSp84

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4448	xdobsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv5V\\xdobsys.exe"	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ6Q\\dobdevsys.exe"	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4724	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
4724	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
4724	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
4724	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
4448	xdobsys.exe
4448	xdobsys.exe
4724	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
4724	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
4448	xdobsys.exe
4448	xdobsys.exe
4724	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
4724	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
4448	xdobsys.exe
4448	xdobsys.exe
4724	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
4724	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
4448	xdobsys.exe
4448	xdobsys.exe
4724	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
4724	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
4448	xdobsys.exe
4448	xdobsys.exe
4724	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
4724	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
4448	xdobsys.exe
4448	xdobsys.exe
4724	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
4724	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
4448	xdobsys.exe
4448	xdobsys.exe
4724	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
4724	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
4448	xdobsys.exe
4448	xdobsys.exe
4724	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
4724	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
4448	xdobsys.exe
4448	xdobsys.exe
4724	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
4724	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
4448	xdobsys.exe
4448	xdobsys.exe
4724	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
4724	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
4448	xdobsys.exe
4448	xdobsys.exe
4724	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
4724	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
4448	xdobsys.exe
4448	xdobsys.exe
4724	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
4724	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
4448	xdobsys.exe
4448	xdobsys.exe
4724	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
4724	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
4448	xdobsys.exe
4448	xdobsys.exe
4724	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
4724	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
4448	xdobsys.exe
4448	xdobsys.exe
4724	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
4724	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 4448	4724	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe	86
PID 4724 wrote to memory of 4448	4724	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe	86
PID 4724 wrote to memory of 4448	4724	6bcaa1f9fe8643b0285fbfa0edbc7470N.exe	86

C:\Users\Admin\AppData\Local\Temp\6bcaa1f9fe8643b0285fbfa0edbc7470N.exe
"C:\Users\Admin\AppData\Local\Temp\6bcaa1f9fe8643b0285fbfa0edbc7470N.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4724
- C:\SysDrv5V\xdobsys.exe
  C:\SysDrv5V\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZ6Q\dobdevsys.exe

Filesize
511KB

MD5
aa077847f1c968c03d9e2766298b984e

SHA1
3c5acfeeb054c45b8c9d88f9bd7ed6ae89f09433

SHA256
06331b1535aa18f7b2a42cc3b2982f9b2ec5c0541cfda9c531998e1423e67d1c

SHA512
f3f825c0344ab21119474eac89446f1614657cd9355e868a311bbc5e1abc7eb73f273884185bf9284edf98a0ceb68bb904e727a4dd66664dd605a76bfe9acba6

Download Submit
C:\LabZ6Q\dobdevsys.exe

Filesize
2.7MB

MD5
e9e858460ffc9649f99e063d74661619

SHA1
bc50b6152c14ceee8a89eb7e355f8d79fc822ede

SHA256
69f46124d8b86649c18a4ed409dd7ae55197765e2e2566abff2113eaf1165769

SHA512
e77cdbd4d90699e93685e6a41b6f5d82d92315d6f3a60e622e1d0f9b44de7faffb2e92fa9a6aedc7a19a35e7a63cbcb4ad5c03af7e4c5e76bf70bba58c35df0d

Download Submit
C:\SysDrv5V\xdobsys.exe

Filesize
2.7MB

MD5
ef3e13c7ecb361c856f0419a1dc847ab

SHA1
b120d9c9302d9d92fe335414743e755eb3b068ee

SHA256
d29e761a6d13e45c4a4600e8062bcdff34d4664dd6589b75000c2a7a75eac6f4

SHA512
e5dc62e9d0c6f12db9a3e13382fb722c40bff59d6bc15116fee1c4ee90ee8966984bc97f6b6622461c96daf5c7b5dfb43f22e46513066674b150a8d28c830683

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
d785026a4ec506e82218f06e0705cf6e

SHA1
d2b86639de4ee497198413b4cc9c0f602db8915a

SHA256
a3e0ba35a36dcbced0d43add8262b0277eb96e6efcda3441c365e0947295c7ed

SHA512
1bd2e7eee4604c396d1059166317583becc8d6c1fe28512ad5a4191b0e32c5ba97f326bae419912cbaa58ee2060753bd299a772581b451082940bd87fa2c759e

Download Submit