556382dad1d916e7aec78bcb4a7b97326a971aa9f9f537d0402991a62e77b2f1

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
20/07/2024, 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

100467e8e07a5efe3eb2292bad360a10N.exe
Size

2.7MB
MD5

100467e8e07a5efe3eb2292bad360a10
SHA1

aa599e2a6aa63f6ab0833b272689e6ef6b5e7929
SHA256

556382dad1d916e7aec78bcb4a7b97326a971aa9f9f537d0402991a62e77b2f1
SHA512

7824d817c9d4002c80b6f8274cfcc915fae6198c3b88a426c1237bdca5483073e30a0908afce7d9978bce1a180ee7caaf822cd93f38e9e43685727f10b203b78
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBd9w4Sx:+R0pI/IQlUoMPdmpSpl4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1880	xdobec.exe

Loads dropped DLL 1 IoCs

pid	Process
2064	100467e8e07a5efe3eb2292bad360a10N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotKM\\xdobec.exe"	100467e8e07a5efe3eb2292bad360a10N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidP8\\bodaec.exe"	100467e8e07a5efe3eb2292bad360a10N.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\AdminF+ZZ.K^KF<YKWSXQF7SM\Y]YP^FASXNYa]F=^K\^ 7OX_F:\YQ\KW]F=^K\^_ZFlocadob.exe	100467e8e07a5efe3eb2292bad360a10N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2064	100467e8e07a5efe3eb2292bad360a10N.exe
2064	100467e8e07a5efe3eb2292bad360a10N.exe
1880	xdobec.exe
2064	100467e8e07a5efe3eb2292bad360a10N.exe
1880	xdobec.exe
2064	100467e8e07a5efe3eb2292bad360a10N.exe
1880	xdobec.exe
2064	100467e8e07a5efe3eb2292bad360a10N.exe
1880	xdobec.exe
2064	100467e8e07a5efe3eb2292bad360a10N.exe
1880	xdobec.exe
2064	100467e8e07a5efe3eb2292bad360a10N.exe
1880	xdobec.exe
2064	100467e8e07a5efe3eb2292bad360a10N.exe
1880	xdobec.exe
2064	100467e8e07a5efe3eb2292bad360a10N.exe
1880	xdobec.exe
2064	100467e8e07a5efe3eb2292bad360a10N.exe
1880	xdobec.exe
2064	100467e8e07a5efe3eb2292bad360a10N.exe
1880	xdobec.exe
2064	100467e8e07a5efe3eb2292bad360a10N.exe
1880	xdobec.exe
2064	100467e8e07a5efe3eb2292bad360a10N.exe
1880	xdobec.exe
2064	100467e8e07a5efe3eb2292bad360a10N.exe
1880	xdobec.exe
2064	100467e8e07a5efe3eb2292bad360a10N.exe
1880	xdobec.exe
2064	100467e8e07a5efe3eb2292bad360a10N.exe
1880	xdobec.exe
2064	100467e8e07a5efe3eb2292bad360a10N.exe
1880	xdobec.exe
2064	100467e8e07a5efe3eb2292bad360a10N.exe
1880	xdobec.exe
2064	100467e8e07a5efe3eb2292bad360a10N.exe
1880	xdobec.exe
2064	100467e8e07a5efe3eb2292bad360a10N.exe
1880	xdobec.exe
2064	100467e8e07a5efe3eb2292bad360a10N.exe
1880	xdobec.exe
2064	100467e8e07a5efe3eb2292bad360a10N.exe
1880	xdobec.exe
2064	100467e8e07a5efe3eb2292bad360a10N.exe
1880	xdobec.exe
2064	100467e8e07a5efe3eb2292bad360a10N.exe
1880	xdobec.exe
2064	100467e8e07a5efe3eb2292bad360a10N.exe
1880	xdobec.exe
2064	100467e8e07a5efe3eb2292bad360a10N.exe
1880	xdobec.exe
2064	100467e8e07a5efe3eb2292bad360a10N.exe
1880	xdobec.exe
2064	100467e8e07a5efe3eb2292bad360a10N.exe
1880	xdobec.exe
2064	100467e8e07a5efe3eb2292bad360a10N.exe
1880	xdobec.exe
2064	100467e8e07a5efe3eb2292bad360a10N.exe
1880	xdobec.exe
2064	100467e8e07a5efe3eb2292bad360a10N.exe
1880	xdobec.exe
2064	100467e8e07a5efe3eb2292bad360a10N.exe
1880	xdobec.exe
2064	100467e8e07a5efe3eb2292bad360a10N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 1880	2064	100467e8e07a5efe3eb2292bad360a10N.exe	30
PID 2064 wrote to memory of 1880	2064	100467e8e07a5efe3eb2292bad360a10N.exe	30
PID 2064 wrote to memory of 1880	2064	100467e8e07a5efe3eb2292bad360a10N.exe	30
PID 2064 wrote to memory of 1880	2064	100467e8e07a5efe3eb2292bad360a10N.exe	30

C:\Users\Admin\AppData\Local\Temp\100467e8e07a5efe3eb2292bad360a10N.exe
"C:\Users\Admin\AppData\Local\Temp\100467e8e07a5efe3eb2292bad360a10N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2064
- C:\UserDotKM\xdobec.exe
  C:\UserDotKM\xdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
c8f2ba6654272b21d2a7ea95fad9dd0e

SHA1
c2b25c82aa9b10d790caf6098c6131c9d726a2fd

SHA256
962a1caf3f3fa95277fe57d05352e07172a7b417c74ed98866fefa7ac3e853b5

SHA512
255c19bee8755664cd987b11e01a0a6f887b2e1eb62d12f53614f585a1477b38315356487df6ac1d1351374b24a101f07868dfddc6e325cd5445ecba4d5897c3

Download Submit
C:\VidP8\bodaec.exe

Filesize
2.7MB

MD5
8dd684357e0a07f6d0b61d3c3a941505

SHA1
6256d24b2a79936622f685b7d498fd0f2205f621

SHA256
65613be994d69fbe6322925cfc98780f53d4066b24967699f81c6ee26613b08d

SHA512
a8f4927a02b8be4d932e1cf01bbdcb492c5d47d1613314e96d25f927c71fc6d167a519adb2de4c3d3092380445ba1a043a64e1fdf160d8d98bebdac615d531b6

Download Submit
\UserDotKM\xdobec.exe

Filesize
2.7MB

MD5
eb62d085e2a721cdf58ac75f7b6a00bf

SHA1
352da7690559280ac5a532db9503fc4984c13274

SHA256
125de63dc726cfeeed3f416782ea368fd2469d60aad17d16c095e626b4e825a7

SHA512
95971c9fd3153b6d04164918dd63f777aa0b884840e7102c28ceb65bdde026bf4e93fed03a281276c2a343fa18064f975a65d88a01ada5307bf3a31244e5c85c

Download Submit