347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/04/2024, 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
Size

4.1MB
MD5

b8ed1b3a2bc6791d401ea206e54e3bb5
SHA1

658b531b12b91b5d4f3b07a6126096022f9fb7fe
SHA256

347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375
SHA512

2c2562132467365898623cee0b5e9d625d0354717e9ae6aed438396b576efa1ac39ae07f3716b0a6b65cf23377631d11bd72ea18ad0d6a574ca3574e53638683
SSDEEP

98304:+R0pI/IQlUoMPdmpSpV4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmi5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2844	devdobloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2224	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvNP\\devdobloc.exe"	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintRL\\dobaec.exe"	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2224	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
2224	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
2844	devdobloc.exe
2224	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
2844	devdobloc.exe
2224	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
2844	devdobloc.exe
2224	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
2844	devdobloc.exe
2224	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
2844	devdobloc.exe
2224	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
2844	devdobloc.exe
2224	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
2844	devdobloc.exe
2224	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
2844	devdobloc.exe
2224	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
2844	devdobloc.exe
2224	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
2844	devdobloc.exe
2224	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
2844	devdobloc.exe
2224	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
2844	devdobloc.exe
2224	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
2844	devdobloc.exe
2224	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
2844	devdobloc.exe
2224	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
2844	devdobloc.exe
2224	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
2844	devdobloc.exe
2224	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
2844	devdobloc.exe
2224	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
2844	devdobloc.exe
2224	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
2844	devdobloc.exe
2224	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
2844	devdobloc.exe
2224	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
2844	devdobloc.exe
2224	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
2844	devdobloc.exe
2224	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
2844	devdobloc.exe
2224	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
2844	devdobloc.exe
2224	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
2844	devdobloc.exe
2224	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
2844	devdobloc.exe
2224	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
2844	devdobloc.exe
2224	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
2844	devdobloc.exe
2224	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
2844	devdobloc.exe
2224	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
2844	devdobloc.exe
2224	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
2844	devdobloc.exe
2224	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2844	2224	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe	28
PID 2224 wrote to memory of 2844	2224	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe	28
PID 2224 wrote to memory of 2844	2224	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe	28
PID 2224 wrote to memory of 2844	2224	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe	28

C:\Users\Admin\AppData\Local\Temp\347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
"C:\Users\Admin\AppData\Local\Temp\347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2224
- C:\SysDrvNP\devdobloc.exe
  C:\SysDrvNP\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintRL\dobaec.exe

Filesize
4.1MB

MD5
94bfb535c94e15f5bb232354d2d39bd7

SHA1
7f9e3b5c0dfddf14b433e3a22356e2bce3d89fcf

SHA256
252b1d69e9428d6657439bb7288c871ccd39a8b14cbae9738599676f23d2e8bf

SHA512
74cea4d2bb20442cd16be0231fdff4aa542facca3c65b8c9c45db9727970e56020ecba3d519a8c69ab99bf28b0fe3f72f3e7ad9c4242d9cb7b5e95bddf0f65d3

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
c37a9b63283c06eec6da10cd104186fc

SHA1
44968293c8022a1c446b08d2e58574c26b5a3b24

SHA256
684a114b40e19129524957e6fa24ca5d1cab883fc79096e1a02882121a833cda

SHA512
0143ccb46410bca58c6466e8846e308d23f5f19ead25ef241c008ab067f21e4217507d2aee085af91109f7a763c92c1521d5d519096a916232e6525557e7454c

Download Submit
\SysDrvNP\devdobloc.exe

Filesize
4.1MB

MD5
9136e53d2fff33a495bc545dc2ab0113

SHA1
4b01f1f7ab5a0c4e41d80943a824f0f17d41d239

SHA256
de508451ed1034e04925b0b93d80025d5dbc2ef48f30e6805aa304da93001a32

SHA512
a151a006183be9ba624dcd213af4830bae2752c205b43d1059cf6462dd4ef819d03129da85ffc0782fb528e46a2929221630c73ebeaf3adea9fa9ad10a244597

Download Submit