484bb7eee5594f4ac3070bbd215eb33e4c11a235b2dd34889e4b64125c84aa81

Analysis

max time kernel
139s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2024 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6fbab94a17bd4b74e68d9af33d55eab5.exe
Size

193KB
MD5

6fbab94a17bd4b74e68d9af33d55eab5
SHA1

e07f7a28ef95b6780edc50dfe6e7b6d2638d12e2
SHA256

484bb7eee5594f4ac3070bbd215eb33e4c11a235b2dd34889e4b64125c84aa81
SHA512

162542a3efef825995caacd82eb5a4beb4a3e711f9a075497557b383eac3cb3b9afbc488c73734836501ccc29a3a697038daca6da696d8e6fcb5c8fefcf98c72
SSDEEP

6144:I5O8KnS6h2qJ2c1yxiQAL0VN8pDNuiDeFSK:95SevZMxiGVN8p0iCwK

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2828	dodolook505.exe

Loads dropped DLL 64 IoCs

pid	Process
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
2828	dodolook505.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe
3892	6fbab94a17bd4b74e68d9af33d55eab5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	6fbab94a17bd4b74e68d9af33d55eab5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	6fbab94a17bd4b74e68d9af33d55eab5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	6fbab94a17bd4b74e68d9af33d55eab5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	6fbab94a17bd4b74e68d9af33d55eab5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	6fbab94a17bd4b74e68d9af33d55eab5.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3892 wrote to memory of 2828	3892	6fbab94a17bd4b74e68d9af33d55eab5.exe	86
PID 3892 wrote to memory of 2828	3892	6fbab94a17bd4b74e68d9af33d55eab5.exe	86
PID 3892 wrote to memory of 2828	3892	6fbab94a17bd4b74e68d9af33d55eab5.exe	86

C:\Users\Admin\AppData\Local\Temp\6fbab94a17bd4b74e68d9af33d55eab5.exe
"C:\Users\Admin\AppData\Local\Temp\6fbab94a17bd4b74e68d9af33d55eab5.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3892
- C:\Users\Admin\AppData\Local\Temp\dodolook505.exe
  "C:\Users\Admin\AppData\Local\Temp\dodolook505.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dodolook505.exe

Filesize
164KB

MD5
790bdf8cbe066deb99c587684d347bbb

SHA1
743c3b57d4220be58447388400596dfa69a38884

SHA256
cc8118c01925d66a617f8546f3b447eca74d29ec0207b9ee785bee4624795e21

SHA512
36e11cb57a4c441b4686f7ebc4816a6e863bb90e8d53b8935abb2774e88df19b4888a6a5b8c12311efe24ab255594fd4e103e94052c01d5191a0f9f6e61753a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF1C3.tmp\ShellLink.dll

Filesize
4KB

MD5
073d44e11a4bcff06e72e1ebfe5605f7

SHA1
5f4e85ab7a1a636d95b50479a10bcb5583af93f3

SHA256
b96b39cb4ad98f4820b6fd17b67e43d8d0f4b2667d50caa46eff44af245d75bb

SHA512
e9f99b96334764ae47aa026f7f24cfb736859a9131bd1c5ec7e070e830b651787f49910911f82e4ade0dc62fea0ad54ba210b07e44830eb2be6abb710a418a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF1C3.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyF38A.tmp\System.dll

Filesize
9KB

MD5
afd989ef7eec6bf952bedfce541fe236

SHA1
5654b71c5b1089c2cec6381d8da5bd14a14e1a37

SHA256
5e97602008ba004c72d58f71e77ffe0a0ea01103867eb12a9ec0f28e72f440d8

SHA512
f4e3d88477d39218667dd482a08904b2b69435db7d1fdd492380544aff83895d393a288c329da69074b69c68f51db45f694dfea81fc12fa2042ed43b3d06440c

Download Submit