efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0

Analysis

max time kernel
149s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-08-2024 03:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe
Size

2.7MB
MD5

905f7c7f4b620e7b0be478c6dc443688
SHA1

ffd43243eb84edef1935004e12bf06434fb14ff6
SHA256

efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0
SHA512

b08bd96d8808cacb4af3153ec82fa0822fc75ee61c5dcc0d3a70eb430b12a05651f734c7559e92a133899549872f2eb9e6ca8bce3c9cf920efd2996ae7604a5a
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB09w4S+:+R0pI/IQlUoMPdmpSp64X

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1892	xdobsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeUZ\\xdobsys.exe"	efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxVJ\\dobxsys.exe"	efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2680	efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe
2680	efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe
2680	efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe
2680	efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe
1892	xdobsys.exe
1892	xdobsys.exe
2680	efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe
2680	efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe
1892	xdobsys.exe
1892	xdobsys.exe
2680	efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe
2680	efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe
1892	xdobsys.exe
1892	xdobsys.exe
2680	efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe
2680	efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe
1892	xdobsys.exe
1892	xdobsys.exe
2680	efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe
2680	efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe
1892	xdobsys.exe
1892	xdobsys.exe
2680	efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe
2680	efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe
1892	xdobsys.exe
1892	xdobsys.exe
2680	efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe
2680	efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe
1892	xdobsys.exe
1892	xdobsys.exe
2680	efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe
2680	efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe
1892	xdobsys.exe
1892	xdobsys.exe
2680	efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe
2680	efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe
1892	xdobsys.exe
1892	xdobsys.exe
2680	efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe
2680	efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe
1892	xdobsys.exe
1892	xdobsys.exe
2680	efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe
2680	efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe
1892	xdobsys.exe
1892	xdobsys.exe
2680	efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe
2680	efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe
1892	xdobsys.exe
1892	xdobsys.exe
2680	efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe
2680	efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe
1892	xdobsys.exe
1892	xdobsys.exe
2680	efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe
2680	efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe
1892	xdobsys.exe
1892	xdobsys.exe
2680	efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe
2680	efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe
1892	xdobsys.exe
1892	xdobsys.exe
2680	efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe
2680	efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 1892	2680	efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe	90
PID 2680 wrote to memory of 1892	2680	efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe	90
PID 2680 wrote to memory of 1892	2680	efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe	90

C:\Users\Admin\AppData\Local\Temp\efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe
"C:\Users\Admin\AppData\Local\Temp\efef5f2f5d849f0c409092c08c8ad9772e0eb05bde0f9cb123baad8ca4c07ea0.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2680
- C:\AdobeUZ\xdobsys.exe
  C:\AdobeUZ\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeUZ\xdobsys.exe

Filesize
2.7MB

MD5
b53bcc612852c11034c490b23fd05d59

SHA1
3551a6589c06fce8e95fc08beb6d2e542b994627

SHA256
245c8dddff9ef80613fa87c437925d68a3f64279dfeae023be5a2c97fa38479c

SHA512
b04d9885b18db195e3e1930b4bef80f410d64bc9a287f961cc94a2b3b9f85198eb4f56ecc94cc320509e4ae932c83823891b83cb80597261d1d25046e1963b68

Download Submit
C:\GalaxVJ\dobxsys.exe

Filesize
61KB

MD5
6b78a06736f742df68bf8948d5747d3f

SHA1
605cea493a2e472da49e44d15ad03487ea468110

SHA256
86ff3e608cc12752401ccb796b022a0e52cb13ac232e67b3a66d3d07b4f5727d

SHA512
cf33318d965b1dc96570d7483dbbf7091c7fd386da199d883c81fa24d3a3f68d32599d38c870ff06a4bf9500f3ca97882cdb327f04e197f91a115dee70a846ec

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
79ff2e0b207d246d9b31f94ee9572453

SHA1
50373afbb9d846deb5e7f500a3df7a8b7ce2a6d5

SHA256
421369653d09c3f6e9f45871465419b22c487995412b534f543cb53bf94ff7f9

SHA512
d5b6dfa4aebe3bbfe26db373c061825143118d4cd647ea45cd4109edfd5c2e430352e224b1f7b1b6dcb478cd24f994211a659be8cd7d9c439941d5594ac06b68

Download Submit