2090895b058322b561f61c347d00b485d2bc473cc50002d08b075126fa8d87b0

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
17-09-2023 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17eb9368fb0590e4b193fabdd9fc3f60_JC.exe
Size

2.6MB
MD5

17eb9368fb0590e4b193fabdd9fc3f60
SHA1

52d89a320b5c0e389c352d4d15e83e6912b2a6a2
SHA256

2090895b058322b561f61c347d00b485d2bc473cc50002d08b075126fa8d87b0
SHA512

36482fe7d24daa9dd3cb4dd1e1b2f48316633bc6912f842a40c0e146d42aea3cd5bf50bede200d42ad5580c33e079ab318c19fb2095023e143d08a76fb6d3fcd
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBZ9w4SM:+R0pI/IQlUoMPdmpSpJ4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3004	devdobec.exe

Loads dropped DLL 1 IoCs

pid	Process
1772	17eb9368fb0590e4b193fabdd9fc3f60_JC.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocA6\\devdobec.exe"	17eb9368fb0590e4b193fabdd9fc3f60_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZB3\\bodasys.exe"	17eb9368fb0590e4b193fabdd9fc3f60_JC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1772	17eb9368fb0590e4b193fabdd9fc3f60_JC.exe
1772	17eb9368fb0590e4b193fabdd9fc3f60_JC.exe
3004	devdobec.exe
1772	17eb9368fb0590e4b193fabdd9fc3f60_JC.exe
3004	devdobec.exe
1772	17eb9368fb0590e4b193fabdd9fc3f60_JC.exe
3004	devdobec.exe
1772	17eb9368fb0590e4b193fabdd9fc3f60_JC.exe
3004	devdobec.exe
1772	17eb9368fb0590e4b193fabdd9fc3f60_JC.exe
3004	devdobec.exe
1772	17eb9368fb0590e4b193fabdd9fc3f60_JC.exe
3004	devdobec.exe
1772	17eb9368fb0590e4b193fabdd9fc3f60_JC.exe
3004	devdobec.exe
1772	17eb9368fb0590e4b193fabdd9fc3f60_JC.exe
3004	devdobec.exe
1772	17eb9368fb0590e4b193fabdd9fc3f60_JC.exe
3004	devdobec.exe
1772	17eb9368fb0590e4b193fabdd9fc3f60_JC.exe
3004	devdobec.exe
1772	17eb9368fb0590e4b193fabdd9fc3f60_JC.exe
3004	devdobec.exe
1772	17eb9368fb0590e4b193fabdd9fc3f60_JC.exe
3004	devdobec.exe
1772	17eb9368fb0590e4b193fabdd9fc3f60_JC.exe
3004	devdobec.exe
1772	17eb9368fb0590e4b193fabdd9fc3f60_JC.exe
3004	devdobec.exe
1772	17eb9368fb0590e4b193fabdd9fc3f60_JC.exe
3004	devdobec.exe
1772	17eb9368fb0590e4b193fabdd9fc3f60_JC.exe
3004	devdobec.exe
1772	17eb9368fb0590e4b193fabdd9fc3f60_JC.exe
3004	devdobec.exe
1772	17eb9368fb0590e4b193fabdd9fc3f60_JC.exe
3004	devdobec.exe
1772	17eb9368fb0590e4b193fabdd9fc3f60_JC.exe
3004	devdobec.exe
1772	17eb9368fb0590e4b193fabdd9fc3f60_JC.exe
3004	devdobec.exe
1772	17eb9368fb0590e4b193fabdd9fc3f60_JC.exe
3004	devdobec.exe
1772	17eb9368fb0590e4b193fabdd9fc3f60_JC.exe
3004	devdobec.exe
1772	17eb9368fb0590e4b193fabdd9fc3f60_JC.exe
3004	devdobec.exe
1772	17eb9368fb0590e4b193fabdd9fc3f60_JC.exe
3004	devdobec.exe
1772	17eb9368fb0590e4b193fabdd9fc3f60_JC.exe
3004	devdobec.exe
1772	17eb9368fb0590e4b193fabdd9fc3f60_JC.exe
3004	devdobec.exe
1772	17eb9368fb0590e4b193fabdd9fc3f60_JC.exe
3004	devdobec.exe
1772	17eb9368fb0590e4b193fabdd9fc3f60_JC.exe
3004	devdobec.exe
1772	17eb9368fb0590e4b193fabdd9fc3f60_JC.exe
3004	devdobec.exe
1772	17eb9368fb0590e4b193fabdd9fc3f60_JC.exe
3004	devdobec.exe
1772	17eb9368fb0590e4b193fabdd9fc3f60_JC.exe
3004	devdobec.exe
1772	17eb9368fb0590e4b193fabdd9fc3f60_JC.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 3004	1772	17eb9368fb0590e4b193fabdd9fc3f60_JC.exe	28
PID 1772 wrote to memory of 3004	1772	17eb9368fb0590e4b193fabdd9fc3f60_JC.exe	28
PID 1772 wrote to memory of 3004	1772	17eb9368fb0590e4b193fabdd9fc3f60_JC.exe	28
PID 1772 wrote to memory of 3004	1772	17eb9368fb0590e4b193fabdd9fc3f60_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\17eb9368fb0590e4b193fabdd9fc3f60_JC.exe
"C:\Users\Admin\AppData\Local\Temp\17eb9368fb0590e4b193fabdd9fc3f60_JC.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1772
- C:\IntelprocA6\devdobec.exe
  C:\IntelprocA6\devdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocA6\devdobec.exe

Filesize
2.6MB

MD5
68b060c01f5c8a4b09f65a6e2564b06c

SHA1
7f5398da376c25213b910f37d27952ed0e016034

SHA256
aecc2d0dbd53b823c4b8ed6eaaadca9ce1b2a149ed21736ed27ff1e55a447056

SHA512
1dd42cc69f24e9a638e5adcc1e44f23af7d0b978f97093ccceeeba5c398ca6835e583acc0f7356233379a7c0f250b528b6309afbac06c14e9d2abf92a7e99711

Download Submit
C:\IntelprocA6\devdobec.exe

Filesize
2.6MB

MD5
68b060c01f5c8a4b09f65a6e2564b06c

SHA1
7f5398da376c25213b910f37d27952ed0e016034

SHA256
aecc2d0dbd53b823c4b8ed6eaaadca9ce1b2a149ed21736ed27ff1e55a447056

SHA512
1dd42cc69f24e9a638e5adcc1e44f23af7d0b978f97093ccceeeba5c398ca6835e583acc0f7356233379a7c0f250b528b6309afbac06c14e9d2abf92a7e99711

Download Submit
C:\LabZB3\bodasys.exe

Filesize
2.6MB

MD5
cea23378210b289ea2c96b14da6f9694

SHA1
0ec728692729c0b0a8a78a490fdcf15d2a7b34e4

SHA256
750ee6e8e91cf47a5bb799e85258a03e1ff8edbf9314f05201a92550f3a54152

SHA512
088e4af1bbfd61b9ae45168dd5dc353848406aee74879e6701b9a3befbff1e44d65db3bb708455a997a32e3242eb307dc5c73abbf309a8c1c4c9040b963b11f1

Download Submit
C:\LabZB3\bodasys.exe

Filesize
2.6MB

MD5
cea23378210b289ea2c96b14da6f9694

SHA1
0ec728692729c0b0a8a78a490fdcf15d2a7b34e4

SHA256
750ee6e8e91cf47a5bb799e85258a03e1ff8edbf9314f05201a92550f3a54152

SHA512
088e4af1bbfd61b9ae45168dd5dc353848406aee74879e6701b9a3befbff1e44d65db3bb708455a997a32e3242eb307dc5c73abbf309a8c1c4c9040b963b11f1

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
208B

MD5
b774d288e9cf2d76b951d59a4e6e228f

SHA1
de952c4ecab8092a128670c253f0f1cc32bd31fc

SHA256
3d11d53df2c8c96d3b3415ef80c5efe2f2eb00ef7439746ea799b3f1b13bf76c

SHA512
8e67c9e02d4e2099bc9ea2ea621e4d051f3847f58060408d9208128d5730849bc55b1066aaf5bdb80f30dad1943d4ebcdce5baa32da9adba064ccbee8317c352

Download Submit
\IntelprocA6\devdobec.exe

Filesize
2.6MB

MD5
68b060c01f5c8a4b09f65a6e2564b06c

SHA1
7f5398da376c25213b910f37d27952ed0e016034

SHA256
aecc2d0dbd53b823c4b8ed6eaaadca9ce1b2a149ed21736ed27ff1e55a447056

SHA512
1dd42cc69f24e9a638e5adcc1e44f23af7d0b978f97093ccceeeba5c398ca6835e583acc0f7356233379a7c0f250b528b6309afbac06c14e9d2abf92a7e99711

Download Submit