ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0

Analysis

max time kernel
149s
max time network
20s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
12/08/2024, 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe
Size

2.7MB
MD5

591fd0e3f4ca964792a3549de4247044
SHA1

bc736f62741c4e4f3d4b0a6e387c309719bf14c6
SHA256

ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0
SHA512

e903c7e5255bf47b3f00092c8dc7961e859be08c285e00d6cae359e5e0b1ba872de8879fb74f24021d90209df7a5efa401a3ac96986af8d4e1145c811587aa5e
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBc9w4S+:+R0pI/IQlUoMPdmpSpi4X

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2992	xdobloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2116	ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeTL\\xdobloc.exe"	ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintGF\\optiaec.exe"	ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobloc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2116	ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe
2116	ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe
2992	xdobloc.exe
2116	ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe
2992	xdobloc.exe
2116	ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe
2992	xdobloc.exe
2116	ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe
2992	xdobloc.exe
2116	ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe
2992	xdobloc.exe
2116	ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe
2992	xdobloc.exe
2116	ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe
2992	xdobloc.exe
2116	ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe
2992	xdobloc.exe
2116	ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe
2992	xdobloc.exe
2116	ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe
2992	xdobloc.exe
2116	ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe
2992	xdobloc.exe
2116	ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe
2992	xdobloc.exe
2116	ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe
2992	xdobloc.exe
2116	ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe
2992	xdobloc.exe
2116	ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe
2992	xdobloc.exe
2116	ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe
2992	xdobloc.exe
2116	ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe
2992	xdobloc.exe
2116	ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe
2992	xdobloc.exe
2116	ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe
2992	xdobloc.exe
2116	ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe
2992	xdobloc.exe
2116	ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe
2992	xdobloc.exe
2116	ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe
2992	xdobloc.exe
2116	ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe
2992	xdobloc.exe
2116	ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe
2992	xdobloc.exe
2116	ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe
2992	xdobloc.exe
2116	ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe
2992	xdobloc.exe
2116	ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe
2992	xdobloc.exe
2116	ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe
2992	xdobloc.exe
2116	ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe
2992	xdobloc.exe
2116	ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe
2992	xdobloc.exe
2116	ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe
2992	xdobloc.exe
2116	ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2992	2116	ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe	29
PID 2116 wrote to memory of 2992	2116	ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe	29
PID 2116 wrote to memory of 2992	2116	ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe	29
PID 2116 wrote to memory of 2992	2116	ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe	29

C:\Users\Admin\AppData\Local\Temp\ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe
"C:\Users\Admin\AppData\Local\Temp\ae87156fb512a9cfb4d177b4dc543844f18e97919f1d1e60d8fb43b6c368c7e0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2116
- C:\AdobeTL\xdobloc.exe
  C:\AdobeTL\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintGF\optiaec.exe

Filesize
2.7MB

MD5
c5217a3f24ef9717b4142bea7330cbdf

SHA1
432c6437958292f97df7e252eb55b8b674aaab3f

SHA256
ad8377a911da746075106b21e2a3090cf938d38e90138919f2c41349bae611d4

SHA512
37f01d7a66f6fa2458ef74c7f1a712ca48bd8687523474197eaf3da13607baad14c23b514c8b06f7f80c3e35d7befc06c6428ccd1535c6ea9a3dcf9652d6dcd3

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
ac40316d5aaa93c957f7f00b59804b1c

SHA1
1082b47e796c45803cd4a22fa8cb8f698068ab02

SHA256
560164537277eedd9b5926029f9a39e9d78118f1f8cfbb3b4e2bea889c976e38

SHA512
cba674a1f22191ce4ca1385808342085c90071b632425e318ffd23107a939352f7b567613d819b39bf68a586b884dee71bcf2e8e38ddfb93dc2d9a57813cf3db

Download Submit
\AdobeTL\xdobloc.exe

Filesize
2.7MB

MD5
1141bd6554e63ea7830c28e99b3d558f

SHA1
e21e55c15cebc127e493e725a73f97a324fd4f3c

SHA256
b3f2c199352664cf6b40adf913abbb4915b383a4422728157f51df51ff17bb55

SHA512
8b65a3cacd853b3097e9c30532a8eca62ca5bfbaef7488820d97d91c781b5776314c2dbc8c3aa25582c86ad159a4b25398bc95f94c3aa37f461c10a644138af1

Download Submit