8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
14/11/2023, 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
Size

3.1MB
MD5

bf904dbc02f50b67348e9321f9ed821a
SHA1

6531b8c41445b7e1c289e631a56129ee451a04b4
SHA256

8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b
SHA512

9a0759b059dfa97f8683c560e9317cbe38d53de379307f1bf0cf945f61f708feaa9cd9fcca6feeb91f1e40afd31037d157da5cb3e766229ea45b057a887545af
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBm9w4Su+LNfej:+R0pI/IQlUoMPdmpSpY4JkNfej

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3288	devdobloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot2L\\devdobloc.exe"	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint0H\\dobaec.exe"	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
656	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
656	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
656	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
656	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
3288	devdobloc.exe
3288	devdobloc.exe
656	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
656	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
3288	devdobloc.exe
3288	devdobloc.exe
656	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
656	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
3288	devdobloc.exe
3288	devdobloc.exe
656	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
656	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
3288	devdobloc.exe
3288	devdobloc.exe
656	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
656	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
3288	devdobloc.exe
3288	devdobloc.exe
656	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
656	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
3288	devdobloc.exe
3288	devdobloc.exe
656	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
656	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
3288	devdobloc.exe
3288	devdobloc.exe
656	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
656	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
3288	devdobloc.exe
3288	devdobloc.exe
656	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
656	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
3288	devdobloc.exe
3288	devdobloc.exe
656	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
656	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
3288	devdobloc.exe
3288	devdobloc.exe
656	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
656	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
3288	devdobloc.exe
3288	devdobloc.exe
656	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
656	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
3288	devdobloc.exe
3288	devdobloc.exe
656	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
656	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
3288	devdobloc.exe
3288	devdobloc.exe
656	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
656	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
3288	devdobloc.exe
3288	devdobloc.exe
656	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
656	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
3288	devdobloc.exe
3288	devdobloc.exe
656	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
656	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 656 wrote to memory of 3288	656	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe	92
PID 656 wrote to memory of 3288	656	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe	92
PID 656 wrote to memory of 3288	656	8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe	92

C:\Users\Admin\AppData\Local\Temp\8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe
"C:\Users\Admin\AppData\Local\Temp\8bbd1cc0fd9160aa5f42b8a27dca134a26d87f078bb73fa4a162ec054b01606b.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:656
- C:\UserDot2L\devdobloc.exe
  C:\UserDot2L\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Mint0H\dobaec.exe

Filesize
3.1MB

MD5
5edc40391ccf582fbf619f49bcd58e05

SHA1
b06346736c9ed294591d8cc97fbf75ca9c529209

SHA256
325c0ff45fd65b8b3dcbe5419cb45a25c802c6f836fe15fd99f29ec0498040bd

SHA512
c19e64ac5d4e9da5aa3134a1824a25a27725f50578c9fe426e35a730bc648c9112a840211abe28cf7edeedc5c0af55ea523f8d61117bf43666725a85f79cdeab

Download Submit
C:\UserDot2L\devdobloc.exe

Filesize
3.1MB

MD5
94ab2bf0d0722d1b9b6a6926ffd90ed5

SHA1
a1902838a78bd66feb11e31e12fa13f66b447238

SHA256
8b4fefb596fc195d2903e5685e975e2fcda34e77ca6c4b7f4743672322156889

SHA512
67ea4cd530f45feaad504ea054ecec417a355bd61372536eff2d083ea9c863f6e446ad45f123d7f40df3bcb7c734dbba05060bc32280d1a74071ffd10e2066e5

Download Submit
C:\UserDot2L\devdobloc.exe

Filesize
3.1MB

MD5
94ab2bf0d0722d1b9b6a6926ffd90ed5

SHA1
a1902838a78bd66feb11e31e12fa13f66b447238

SHA256
8b4fefb596fc195d2903e5685e975e2fcda34e77ca6c4b7f4743672322156889

SHA512
67ea4cd530f45feaad504ea054ecec417a355bd61372536eff2d083ea9c863f6e446ad45f123d7f40df3bcb7c734dbba05060bc32280d1a74071ffd10e2066e5

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
24fb1ca18ab73f90a0a4166672474dcb

SHA1
83e0be8163d689bb2f33948000601d61f35ef1fa

SHA256
c015e39fded6fc8eced62a0b87b5df9ea60a06cf4705b632a1d3c0d139a10a1d

SHA512
cd2e863178d0a8a8494bd28ed45396a12dbbe8a3edb25128223a0c15781900e46f4d435627bf93c021601fa8e4686ccbd1500b419fb844330c25ac034598a017

Download Submit