887a8dec2685426b2bc0fe1364671cb9c0e4a76981ba9e5d61835fb4ca90593b

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f009fa4fbf36760aeb5a8ca0d3b21910N.exe
Size

2.7MB
MD5

f009fa4fbf36760aeb5a8ca0d3b21910
SHA1

09bdc6a1e3ab136737f74456199caa692033b568
SHA256

887a8dec2685426b2bc0fe1364671cb9c0e4a76981ba9e5d61835fb4ca90593b
SHA512

93c3d27214feb5af490c126771467e85b15eefb5e5fe887050218e70af60d6445017d40a2443cfaf0c695f6260b0f2ecd25d758a39de609b4cf67b613cbf571f
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBi9w4Sx:+R0pI/IQlUoMPdmpSpc4

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2232	xdobloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotD2\\xdobloc.exe"	f009fa4fbf36760aeb5a8ca0d3b21910N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBID\\optixec.exe"	f009fa4fbf36760aeb5a8ca0d3b21910N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f009fa4fbf36760aeb5a8ca0d3b21910N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
592	f009fa4fbf36760aeb5a8ca0d3b21910N.exe
592	f009fa4fbf36760aeb5a8ca0d3b21910N.exe
592	f009fa4fbf36760aeb5a8ca0d3b21910N.exe
592	f009fa4fbf36760aeb5a8ca0d3b21910N.exe
2232	xdobloc.exe
2232	xdobloc.exe
592	f009fa4fbf36760aeb5a8ca0d3b21910N.exe
592	f009fa4fbf36760aeb5a8ca0d3b21910N.exe
2232	xdobloc.exe
2232	xdobloc.exe
592	f009fa4fbf36760aeb5a8ca0d3b21910N.exe
592	f009fa4fbf36760aeb5a8ca0d3b21910N.exe
2232	xdobloc.exe
2232	xdobloc.exe
592	f009fa4fbf36760aeb5a8ca0d3b21910N.exe
592	f009fa4fbf36760aeb5a8ca0d3b21910N.exe
2232	xdobloc.exe
2232	xdobloc.exe
592	f009fa4fbf36760aeb5a8ca0d3b21910N.exe
592	f009fa4fbf36760aeb5a8ca0d3b21910N.exe
2232	xdobloc.exe
2232	xdobloc.exe
592	f009fa4fbf36760aeb5a8ca0d3b21910N.exe
592	f009fa4fbf36760aeb5a8ca0d3b21910N.exe
2232	xdobloc.exe
2232	xdobloc.exe
592	f009fa4fbf36760aeb5a8ca0d3b21910N.exe
592	f009fa4fbf36760aeb5a8ca0d3b21910N.exe
2232	xdobloc.exe
2232	xdobloc.exe
592	f009fa4fbf36760aeb5a8ca0d3b21910N.exe
592	f009fa4fbf36760aeb5a8ca0d3b21910N.exe
2232	xdobloc.exe
2232	xdobloc.exe
592	f009fa4fbf36760aeb5a8ca0d3b21910N.exe
592	f009fa4fbf36760aeb5a8ca0d3b21910N.exe
2232	xdobloc.exe
2232	xdobloc.exe
592	f009fa4fbf36760aeb5a8ca0d3b21910N.exe
592	f009fa4fbf36760aeb5a8ca0d3b21910N.exe
2232	xdobloc.exe
2232	xdobloc.exe
592	f009fa4fbf36760aeb5a8ca0d3b21910N.exe
592	f009fa4fbf36760aeb5a8ca0d3b21910N.exe
2232	xdobloc.exe
2232	xdobloc.exe
592	f009fa4fbf36760aeb5a8ca0d3b21910N.exe
592	f009fa4fbf36760aeb5a8ca0d3b21910N.exe
2232	xdobloc.exe
2232	xdobloc.exe
592	f009fa4fbf36760aeb5a8ca0d3b21910N.exe
592	f009fa4fbf36760aeb5a8ca0d3b21910N.exe
2232	xdobloc.exe
2232	xdobloc.exe
592	f009fa4fbf36760aeb5a8ca0d3b21910N.exe
592	f009fa4fbf36760aeb5a8ca0d3b21910N.exe
2232	xdobloc.exe
2232	xdobloc.exe
592	f009fa4fbf36760aeb5a8ca0d3b21910N.exe
592	f009fa4fbf36760aeb5a8ca0d3b21910N.exe
2232	xdobloc.exe
2232	xdobloc.exe
592	f009fa4fbf36760aeb5a8ca0d3b21910N.exe
592	f009fa4fbf36760aeb5a8ca0d3b21910N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 592 wrote to memory of 2232	592	f009fa4fbf36760aeb5a8ca0d3b21910N.exe	97
PID 592 wrote to memory of 2232	592	f009fa4fbf36760aeb5a8ca0d3b21910N.exe	97
PID 592 wrote to memory of 2232	592	f009fa4fbf36760aeb5a8ca0d3b21910N.exe	97

C:\Users\Admin\AppData\Local\Temp\f009fa4fbf36760aeb5a8ca0d3b21910N.exe
"C:\Users\Admin\AppData\Local\Temp\f009fa4fbf36760aeb5a8ca0d3b21910N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:592
- C:\UserDotD2\xdobloc.exe
  C:\UserDotD2\xdobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4668,i,16315016104747277319,5510969007830467313,262144 --variations-seed-version --mojo-platform-channel-handle=3692 /prefetch:8
1⤵
PID:512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBID\optixec.exe

Filesize
11KB

MD5
7c04dfcfd9b905bce3928823a75b9ed2

SHA1
30c4e1f6cee58ee0dcc82e08d2ee53eeb63feec0

SHA256
04ee5525fdb52bdfe97480bd9fd5d827a08de5c206eedb6d9079d1791db0829c

SHA512
32d0a23cdaa420a8eeba01748cb048bf89e027e89bb4f0a8ab190531997b67c8a600bad998295186357a77ad137d6c72c1541e48a4980eff6163cffe0bbd9e96

Download Submit
C:\KaVBID\optixec.exe

Filesize
2.7MB

MD5
82ef541df19f207e772ed1809b6da587

SHA1
429ebce9e203a6c651ac37155850145460338a1e

SHA256
5a74032f785c58fb5331e885eed85ce6b9c19c9a42f1212210329668c695e637

SHA512
896865c89edf94385fc70a39ab0c290779e5b987598958cea97961be9a31270d3b69e3176b94e5a0c4e307ed1a94e811723231832982302505b0080d3923d07a

Download Submit
C:\UserDotD2\xdobloc.exe

Filesize
2.7MB

MD5
0fdfbcccac3ce3741d4ef47243704d14

SHA1
da2eab455cc89f0edcabe24f0f4464df97a5dc02

SHA256
1031d6ad3bf935ae0f21b719c0ade508d582883b4853c8e2986ead10ee75b71c

SHA512
68ef4e739caf1ef934a0f90070559c935ce2640d9309937ff6d3b6b10fcbc474a178b99808961cf90d0e982f91ab34e96a60f777891fca1a2a4db9fc1c7b79e9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
19aa82f4f5d91d244e950fe485702b67

SHA1
61cf8e36b64f69de9b88d8e4a8fef6e976601861

SHA256
66d15fd7bb0a36e0f5a135045758ec384c8a4c48f86efae519b9fcc1158da8e4

SHA512
e9d02a4004787fd5848f8910e2b618839917727d10c8cf9ef4c3cba6f62dfd40422b6545d8b031f5a34f40341f3b366f9d6221b17cc0691b3615490169b5ebf5

Download Submit