Analysis
max time kernel: 119s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-08-2024 13:18
Static task: static1
Behavioral task: behavioral1
Sample: 89f0a8937d38aa6f02fe4d6f1307ff50N.exe
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: 89f0a8937d38aa6f02fe4d6f1307ff50N.exe
Resource: win10v2004-20240802-en
General
Target: 89f0a8937d38aa6f02fe4d6f1307ff50N.exe
Size: 2.7MB
MD5: 89f0a8937d38aa6f02fe4d6f1307ff50
SHA1: 66e96d14522742f99cba82e3609182efa553ae71
SHA256: 94763c324c24b5cefe7e8ba941545c4441ad694c2737c46f74638f87e73a8e74
SHA512: 76f6263b534e76ed0f01e7feb62d0bc8e57925f7683f09735b7c784b47af7cc19e100174d5131fd7bae1371033a158603848053e40bbdb598ec1b6517d9ea243
SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB+9w4S+:+R0pI/IQlUoMPdmpSpQ4X
Malware Config
Signatures
Executes dropped EXE (1 IoC)
pid 440, process xdobec.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocE6\\xdobec.exe" by process 89f0a8937d38aa6f02fe4d6f1307ff50N.exe
Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZQB\\bodxloc.exe" by process 89f0a8937d38aa6f02fe4d6f1307ff50N.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by process 89f0a8937d38aa6f02fe4d6f1307ff50N.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by process xdobec.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
The 64 events are repeats of two pid/process pairs:
pid 916, process 89f0a8937d38aa6f02fe4d6f1307ff50N.exe
pid 440, process xdobec.exe

Suspicious use of WriteProcessMemory (3 IoCs)
PID 916 (89f0a8937d38aa6f02fe4d6f1307ff50N.exe) wrote to memory of PID 440, procid_target 88 (recorded 3 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\89f0a8937d38aa6f02fe4d6f1307ff50N.exe (PID 916)
   command line: "C:\Users\Admin\AppData\Local\Temp\89f0a8937d38aa6f02fe4d6f1307ff50N.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\IntelprocE6\xdobec.exe (PID 440)
      command line: C:\IntelprocE6\xdobec.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.7MB
MD5: e44718aaaa0dd8dff948042384ca08c8
SHA1: 44ab09f29f5d676b0d52a961760d36722846364e
SHA256: c8c2132aa49b1b0788c6c89b4c6168a344db1366e0c214ffef0874a2f5d6ebcb
SHA512: faf33358bc41ec7a3a2828ff6d5c8f00902f65740cbfa51f6d4df419f08d7c0f047dabdbc7b5240acd8faaefd9cad4a116fb4b9c78db07e847040675d9e0e332

Filesize: 2.7MB
MD5: 2dc7b43f81aea04e8296f961543c1078
SHA1: 4519f5e56db26890abb4a1335d18307e7d2eb671
SHA256: 9ec290ed5e1195a3a537aa7dbec90d722adabad0dae92d1a6924e56d44d17df4
SHA512: 0b4f7e0f51919869bf8365b1ef0188de1c10ff21a07c988481526ec0ff724c02b660553fb0239d18f7f4f812627b967c6d1a674f58cce36e660365c85a81de03

Filesize: 205B
MD5: b23f28e26365d2dfc2bd1612307b1110
SHA1: 57a84234363a9fccbd3dc9e74712f43b135446a9
SHA256: de915c80fa281ecfd17c62d3b3c2abdf6b3d7315b3806b40d8add5794d8be541
SHA512: 8da5027140336c7645e02beacaa6d2fb52278538fe5d0de38b5f4674b0da040342423c399c309b4bdabb9702b8c114084d756d46a9cc36ea459c8e8aa8a1d1fd