26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
17-08-2024 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
Size

2.7MB
MD5

1ea58000756dcf8acac702a7e0d50c26
SHA1

ad998f3e95b02d625bc5ebfe45869ce324d3fe11
SHA256

26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9
SHA512

6693e490f9372ec13b9c992cb112783fc294d3f189fac4b1030c8a315098d44301d070a94976186c047e98f0612556753523e8ef2a551c4550a65986e049e47a
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBY9w4Sx:+R0pI/IQlUoMPdmpSp24

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2436	xdobsys.exe

Loads dropped DLL 1 IoCs

pid	Process
2308	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocXO\\xdobsys.exe"	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintTG\\dobxloc.exe"	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobsys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2308	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
2308	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
2436	xdobsys.exe
2308	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
2436	xdobsys.exe
2308	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
2436	xdobsys.exe
2308	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
2436	xdobsys.exe
2308	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
2436	xdobsys.exe
2308	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
2436	xdobsys.exe
2308	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
2436	xdobsys.exe
2308	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
2436	xdobsys.exe
2308	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
2436	xdobsys.exe
2308	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
2436	xdobsys.exe
2308	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
2436	xdobsys.exe
2308	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
2436	xdobsys.exe
2308	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
2436	xdobsys.exe
2308	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
2436	xdobsys.exe
2308	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
2436	xdobsys.exe
2308	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
2436	xdobsys.exe
2308	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
2436	xdobsys.exe
2308	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
2436	xdobsys.exe
2308	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
2436	xdobsys.exe
2308	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
2436	xdobsys.exe
2308	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
2436	xdobsys.exe
2308	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
2436	xdobsys.exe
2308	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
2436	xdobsys.exe
2308	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
2436	xdobsys.exe
2308	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
2436	xdobsys.exe
2308	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
2436	xdobsys.exe
2308	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
2436	xdobsys.exe
2308	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
2436	xdobsys.exe
2308	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
2436	xdobsys.exe
2308	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
2436	xdobsys.exe
2308	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
2436	xdobsys.exe
2308	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2436	2308	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe	31
PID 2308 wrote to memory of 2436	2308	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe	31
PID 2308 wrote to memory of 2436	2308	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe	31
PID 2308 wrote to memory of 2436	2308	26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe	31

C:\Users\Admin\AppData\Local\Temp\26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe
"C:\Users\Admin\AppData\Local\Temp\26269f8253042f71db6457cd27928554aba74e1210dfd422f04d35b2ebd3d1a9.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2308
- C:\IntelprocXO\xdobsys.exe
  C:\IntelprocXO\xdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintTG\dobxloc.exe

Filesize
2.7MB

MD5
50ec1aaa0494aba5b2c48a67911e89bd

SHA1
65f5a63ffd2050bbc2f0c519bae96b0d0bb16aaf

SHA256
6cc12f5f2635e00e61572ea9c87c18a3c6726b4777915bdd2e83e0df03b01ea3

SHA512
9f15d391ebc632156f029cbc8b15a6a2c8f6c2090a87a2294f38e7ab13bc978980fe685ac278e717923c203587f51c4099e0ad2e36824bd4933d90fed626f538

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
17f9629badebd0a1ed2fce9a0617cd62

SHA1
497dce13d7009c1b7daa07e0401fe10e95b91d15

SHA256
2cce357ff6ccd59b8fb3f047d12e3498389e470aa2418495f3f6ad50401c282e

SHA512
60e2bf78b68a9558cdb38c1137086e6bbb34d63c1d0ba8f2fa198ed7720dbb457a3cbceea28142573774d36beba8faf7f7a700bdb1192500fc1b143f9db3c2e7

Download Submit
\IntelprocXO\xdobsys.exe

Filesize
2.7MB

MD5
846b914538bd0bd37de4dedd8d0b1146

SHA1
20137982f50c351af41861462c93066b0252eb84

SHA256
07e977d3bd7c6b2a52bc84ff97599fe256aebc718c0647ca41d18023ffb30e69

SHA512
54d912f6ec34a5a16c4ef3b5bf5fd34c368d766f66223cbb8a835e9ec90c1e4379cf2f4162d8c9a8bc03fbae08b48128211ed34cf5895d987c0f48302171d3d2

Download Submit