a2688f2ff0615ee8b272550985141b010001e953b82fb3ca09ebf88dbd2d57f3

Analysis

max time kernel
119s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41ee6d44dc5dfb53682985465dd2cc40N.exe
Size

2.7MB
MD5

41ee6d44dc5dfb53682985465dd2cc40
SHA1

615dc7d0096bd5b487a026d6af7111ae66c1a6d8
SHA256

a2688f2ff0615ee8b272550985141b010001e953b82fb3ca09ebf88dbd2d57f3
SHA512

2205aa337b78ba3b669c73cc20f98acb0e6d517070d3d767dd8ec749b81b97ff1350d29932f2348df2135c7ef9930ceea66d1f925066bcc4f008440be82a2c27
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB89w4S+:+R0pI/IQlUoMPdmpSpO4X

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4916	xdobloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocUA\\xdobloc.exe"	41ee6d44dc5dfb53682985465dd2cc40N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid86\\optidevsys.exe"	41ee6d44dc5dfb53682985465dd2cc40N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5096	41ee6d44dc5dfb53682985465dd2cc40N.exe
5096	41ee6d44dc5dfb53682985465dd2cc40N.exe
5096	41ee6d44dc5dfb53682985465dd2cc40N.exe
5096	41ee6d44dc5dfb53682985465dd2cc40N.exe
4916	xdobloc.exe
4916	xdobloc.exe
5096	41ee6d44dc5dfb53682985465dd2cc40N.exe
5096	41ee6d44dc5dfb53682985465dd2cc40N.exe
4916	xdobloc.exe
4916	xdobloc.exe
5096	41ee6d44dc5dfb53682985465dd2cc40N.exe
5096	41ee6d44dc5dfb53682985465dd2cc40N.exe
4916	xdobloc.exe
4916	xdobloc.exe
5096	41ee6d44dc5dfb53682985465dd2cc40N.exe
5096	41ee6d44dc5dfb53682985465dd2cc40N.exe
4916	xdobloc.exe
4916	xdobloc.exe
5096	41ee6d44dc5dfb53682985465dd2cc40N.exe
5096	41ee6d44dc5dfb53682985465dd2cc40N.exe
4916	xdobloc.exe
4916	xdobloc.exe
5096	41ee6d44dc5dfb53682985465dd2cc40N.exe
5096	41ee6d44dc5dfb53682985465dd2cc40N.exe
4916	xdobloc.exe
4916	xdobloc.exe
5096	41ee6d44dc5dfb53682985465dd2cc40N.exe
5096	41ee6d44dc5dfb53682985465dd2cc40N.exe
4916	xdobloc.exe
4916	xdobloc.exe
5096	41ee6d44dc5dfb53682985465dd2cc40N.exe
5096	41ee6d44dc5dfb53682985465dd2cc40N.exe
4916	xdobloc.exe
4916	xdobloc.exe
5096	41ee6d44dc5dfb53682985465dd2cc40N.exe
5096	41ee6d44dc5dfb53682985465dd2cc40N.exe
4916	xdobloc.exe
4916	xdobloc.exe
5096	41ee6d44dc5dfb53682985465dd2cc40N.exe
5096	41ee6d44dc5dfb53682985465dd2cc40N.exe
4916	xdobloc.exe
4916	xdobloc.exe
5096	41ee6d44dc5dfb53682985465dd2cc40N.exe
5096	41ee6d44dc5dfb53682985465dd2cc40N.exe
4916	xdobloc.exe
4916	xdobloc.exe
5096	41ee6d44dc5dfb53682985465dd2cc40N.exe
5096	41ee6d44dc5dfb53682985465dd2cc40N.exe
4916	xdobloc.exe
4916	xdobloc.exe
5096	41ee6d44dc5dfb53682985465dd2cc40N.exe
5096	41ee6d44dc5dfb53682985465dd2cc40N.exe
4916	xdobloc.exe
4916	xdobloc.exe
5096	41ee6d44dc5dfb53682985465dd2cc40N.exe
5096	41ee6d44dc5dfb53682985465dd2cc40N.exe
4916	xdobloc.exe
4916	xdobloc.exe
5096	41ee6d44dc5dfb53682985465dd2cc40N.exe
5096	41ee6d44dc5dfb53682985465dd2cc40N.exe
4916	xdobloc.exe
4916	xdobloc.exe
5096	41ee6d44dc5dfb53682985465dd2cc40N.exe
5096	41ee6d44dc5dfb53682985465dd2cc40N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 4916	5096	41ee6d44dc5dfb53682985465dd2cc40N.exe	87
PID 5096 wrote to memory of 4916	5096	41ee6d44dc5dfb53682985465dd2cc40N.exe	87
PID 5096 wrote to memory of 4916	5096	41ee6d44dc5dfb53682985465dd2cc40N.exe	87

C:\Users\Admin\AppData\Local\Temp\41ee6d44dc5dfb53682985465dd2cc40N.exe
"C:\Users\Admin\AppData\Local\Temp\41ee6d44dc5dfb53682985465dd2cc40N.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5096
- C:\IntelprocUA\xdobloc.exe
  C:\IntelprocUA\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocUA\xdobloc.exe

Filesize
2.7MB

MD5
34fba15ca552fffee5eeca797be25786

SHA1
25349814045f78e258999a1a50c9acc786a81fc6

SHA256
b5d1129091556e6169bb14ff431bba6318680bdac0a4444f8bde1f8519ea9d2b

SHA512
77937e282a7d0c33ea8b26c475b1a249dc043faaa6540f2ec3cdf47346b4f33b71336b6b139df0b392bdad370f923501d363b88eaac37ac491931c9d71ce2c7f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
261c69c7e07b2eedcc1b80cdcad94d95

SHA1
1a6bbc616027c96f9cd5791180529e837fc69997

SHA256
04e9c032ac6e97149210bfb813f7dfee6d0a4144ef2aee0b9627349a0aa3955e

SHA512
211b01feae69073e49c24621aeb41fa34bf9cf3c3e3f79a21ac717d1081d41b1b25b65710f22bd607be3e5aa1d36b5ecc3adfbba005940eda1891558b578fd54

Download Submit
C:\Vid86\optidevsys.exe

Filesize
115KB

MD5
f05a5bbed71836305c236c85ddead794

SHA1
4f8df43e026a764960f88d620bd11aa117e0ff7b

SHA256
a6cf72dc2eae9247d9037dbc789a38fb332380802fd4f936bf60555a0ffd3d6d

SHA512
bf58084a117e69f818594f95bcf0de923fbc75ff9daf57a0d0a7d2d16f5926c0af9a8bcd465922de2ac824ae43c8a0d3ddbadb0861e2a9de1e3e2555eaa2db97

Download Submit