8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
23-04-2024 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe
Size

4.1MB
MD5

77db23350422b7624d7a3e2aa25e33b9
SHA1

33dc22a2e9dddc3fb493b62370d7855c0271c079
SHA256

8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed
SHA512

af7ed7867f391f0112c7c3958a2b637b3618881da430ebbfff5e7e411cd05aba363d05671d1557909abe5478711ecb0579262e98bf854197bdb9739bf8694a1d
SSDEEP

98304:+R0pI/IQlUoMPdmpSpi4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmd5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1664	devdobloc.exe

Loads dropped DLL 1 IoCs

pid	Process
1160	8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid9U\\boddevsys.exe"	8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe7M\\devdobloc.exe"	8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1160	8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe
1160	8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe
1664	devdobloc.exe
1160	8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe
1664	devdobloc.exe
1160	8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe
1664	devdobloc.exe
1160	8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe
1664	devdobloc.exe
1160	8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe
1664	devdobloc.exe
1160	8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe
1664	devdobloc.exe
1160	8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe
1664	devdobloc.exe
1160	8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe
1664	devdobloc.exe
1160	8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe
1664	devdobloc.exe
1160	8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe
1664	devdobloc.exe
1160	8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe
1664	devdobloc.exe
1160	8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe
1664	devdobloc.exe
1160	8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe
1664	devdobloc.exe
1160	8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe
1664	devdobloc.exe
1160	8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe
1664	devdobloc.exe
1160	8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe
1664	devdobloc.exe
1160	8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe
1664	devdobloc.exe
1160	8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe
1664	devdobloc.exe
1160	8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe
1664	devdobloc.exe
1160	8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe
1664	devdobloc.exe
1160	8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe
1664	devdobloc.exe
1160	8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe
1664	devdobloc.exe
1160	8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe
1664	devdobloc.exe
1160	8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe
1664	devdobloc.exe
1160	8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe
1664	devdobloc.exe
1160	8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe
1664	devdobloc.exe
1160	8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe
1664	devdobloc.exe
1160	8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe
1664	devdobloc.exe
1160	8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe
1664	devdobloc.exe
1160	8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe
1664	devdobloc.exe
1160	8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe
1664	devdobloc.exe
1160	8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 1664	1160	8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe	28
PID 1160 wrote to memory of 1664	1160	8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe	28
PID 1160 wrote to memory of 1664	1160	8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe	28
PID 1160 wrote to memory of 1664	1160	8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe	28

C:\Users\Admin\AppData\Local\Temp\8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe
"C:\Users\Admin\AppData\Local\Temp\8f1fcd2730696a1df8a86e6581717399e7829f736b8a888f519de4305d357fed.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Adobe7M\devdobloc.exe
  C:\Adobe7M\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
e10942c2ac2485993a5f36f6a5e27abc

SHA1
a900bba6547acdad9b5a5eea0873b0739576d698

SHA256
f922369478512eec0f2433bbbc1e9d4cf20a8e2b6ce354a13e35e6583d12820c

SHA512
d173a3f267e284cc1e1fd992920beef1876db5f235ed572867c0adf171d0e5cfe8015f1f345921b116574d569fd25797e34e28f833c1a8504c2982b0e536d21d

Download Submit
C:\Vid9U\boddevsys.exe

Filesize
4.1MB

MD5
be07b8a8f3600b918476ebaa750d810f

SHA1
4bcdb0eeeec72264f5a6b2ad73f10120da05a4df

SHA256
055c9e04c8db5650302a6a78d06ac40f2c0196e929ccfe67bcbc7336f0a2f228

SHA512
e4d4af4985b43198e35149ef052980bef11c280fc1dbc33f016bc382e68e98ce8c13c9319a63507ba11eaef80d6c33beff38919a8855c56839100d83df803992

Download Submit
\Adobe7M\devdobloc.exe

Filesize
4.1MB

MD5
b9f2581c8ecbc5db38306559aa06add9

SHA1
de9c22bb6821ca2aca7068909b6f914a13bc6b5b

SHA256
6888f1e6801c74f5f9430c336e7dcebf61a2e04321f50de99544677b4adfbae8

SHA512
7fe1422312747233b56aaffdb5a57a4bf935452aa2d3485582d764dd0beeb0958ec3e8c6d3f309bfa32a8404a69058285422e76ad658b84eebe7c5c0ef4729c9

Download Submit