5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2

Analysis

max time kernel
150s
max time network
15s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 22:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe
Size

2.7MB
MD5

b63b8a778bf6d9c311b3c0c171a5867f
SHA1

741363ee8214d61ae3fb9d52c545c395ed4ff4c2
SHA256

5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2
SHA512

42a74fcc35ec5a36ebb4abed007ee393ba51d395be122b197fabd151d38e25ac387367b7ae22ee61f95994a8810023a0c31a08d7084c6275dcc9e70f8d6dd8f6
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBL9w4Sx:+R0pI/IQlUoMPdmpSpX4

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2164	xdobloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2796	5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeZ0\\xdobloc.exe"	5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZJM\\dobdevsys.exe"	5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2796	5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe
2796	5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe
2164	xdobloc.exe
2796	5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe
2164	xdobloc.exe
2796	5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe
2164	xdobloc.exe
2796	5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe
2164	xdobloc.exe
2796	5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe
2164	xdobloc.exe
2796	5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe
2164	xdobloc.exe
2796	5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe
2164	xdobloc.exe
2796	5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe
2164	xdobloc.exe
2796	5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe
2164	xdobloc.exe
2796	5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe
2164	xdobloc.exe
2796	5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe
2164	xdobloc.exe
2796	5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe
2164	xdobloc.exe
2796	5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe
2164	xdobloc.exe
2796	5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe
2164	xdobloc.exe
2796	5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe
2164	xdobloc.exe
2796	5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe
2164	xdobloc.exe
2796	5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe
2164	xdobloc.exe
2796	5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe
2164	xdobloc.exe
2796	5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe
2164	xdobloc.exe
2796	5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe
2164	xdobloc.exe
2796	5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe
2164	xdobloc.exe
2796	5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe
2164	xdobloc.exe
2796	5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe
2164	xdobloc.exe
2796	5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe
2164	xdobloc.exe
2796	5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe
2164	xdobloc.exe
2796	5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe
2164	xdobloc.exe
2796	5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe
2164	xdobloc.exe
2796	5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe
2164	xdobloc.exe
2796	5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe
2164	xdobloc.exe
2796	5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe
2164	xdobloc.exe
2796	5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe
2164	xdobloc.exe
2796	5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2164	2796	5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe	29
PID 2796 wrote to memory of 2164	2796	5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe	29
PID 2796 wrote to memory of 2164	2796	5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe	29
PID 2796 wrote to memory of 2164	2796	5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe	29

C:\Users\Admin\AppData\Local\Temp\5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe
"C:\Users\Admin\AppData\Local\Temp\5ccb73d28f20444096d07f01da7dc43fbc08469b0a75c6edca793293d65bd3d2.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2796
- C:\AdobeZ0\xdobloc.exe
  C:\AdobeZ0\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZJM\dobdevsys.exe

Filesize
2.7MB

MD5
0eb43c4023ef23349c871a304ac9b2ce

SHA1
585cdda1304e032525dbd99e7e20534ca789a285

SHA256
2aba621166c7b2a2db0fa05cdcb3fe7dd68a9a7f73a9f89bb59fdc9d2acfbddf

SHA512
05d1e3cfe61cc1a7d99ed8a70cb136a26dc87f1dc448f0d04febf7fa6331f1e08d87c5df6dbddb5bf07ee868d71664b4ff968ce714f2b1ce7d9ad3e969fe179e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
65be9338f51e2f6a6562519561f0e8a2

SHA1
3e8f46e46a5ffbcb7b581418b287a2b8d8f2704b

SHA256
f18635b21072396b050800d72659f64bc81b06b99de73bd80714905114fc9923

SHA512
5a0d61567c582b575af0a655316b7b623b8eefe236582d195978e142cf4e539982f53c92d8299fbda2c0f4b0e1764d003139c6f4a893467f219e79ea1a45b8ac

Download Submit
\AdobeZ0\xdobloc.exe

Filesize
2.7MB

MD5
e43beddd2c4a5414a5e60b2fde18dc5d

SHA1
1e5e6b1691f8b47f76328d5ba12d233fa9ae5841

SHA256
00c2ea1be88ae21ba23999073fd9f55c4c8b69327a0eb08718fe010888466c4b

SHA512
cd71515a7b6bd7f824f7ef059b16f406feadc75ce8d71307817a26a404bb3a5db5f80103cfd7b9272a8d9082503f5aac3203fe201b9bc74efcbea545da2b6e3d

Download Submit