37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
01/05/2024, 20:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe
Size

2.7MB
MD5

75fe904777fdeb21e6e364f8f64010aa
SHA1

0f30a5f44d8c351b1d758685e7dcbe99cbb2eedf
SHA256

37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972
SHA512

3be7bf2a86b6260c9baaef8a59d6cceabe17f670f87d5c0768c4d6b26b7e6a16d1555fe60d451a4f4edbfcbda157142dca27d78cb75d1bfa9dd986f05c253cc8
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBU9w4Sx:+R0pI/IQlUoMPdmpSpG4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1712	devbodec.exe

Loads dropped DLL 1 IoCs

pid	Process
2328	37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvKG\\devbodec.exe"	37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintBQ\\dobaec.exe"	37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2328	37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe
2328	37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe
1712	devbodec.exe
2328	37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe
1712	devbodec.exe
2328	37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe
1712	devbodec.exe
2328	37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe
1712	devbodec.exe
2328	37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe
1712	devbodec.exe
2328	37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe
1712	devbodec.exe
2328	37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe
1712	devbodec.exe
2328	37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe
1712	devbodec.exe
2328	37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe
1712	devbodec.exe
2328	37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe
1712	devbodec.exe
2328	37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe
1712	devbodec.exe
2328	37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe
1712	devbodec.exe
2328	37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe
1712	devbodec.exe
2328	37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe
1712	devbodec.exe
2328	37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe
1712	devbodec.exe
2328	37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe
1712	devbodec.exe
2328	37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe
1712	devbodec.exe
2328	37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe
1712	devbodec.exe
2328	37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe
1712	devbodec.exe
2328	37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe
1712	devbodec.exe
2328	37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe
1712	devbodec.exe
2328	37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe
1712	devbodec.exe
2328	37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe
1712	devbodec.exe
2328	37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe
1712	devbodec.exe
2328	37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe
1712	devbodec.exe
2328	37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe
1712	devbodec.exe
2328	37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe
1712	devbodec.exe
2328	37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe
1712	devbodec.exe
2328	37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe
1712	devbodec.exe
2328	37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe
1712	devbodec.exe
2328	37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe
1712	devbodec.exe
2328	37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 1712	2328	37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe	28
PID 2328 wrote to memory of 1712	2328	37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe	28
PID 2328 wrote to memory of 1712	2328	37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe	28
PID 2328 wrote to memory of 1712	2328	37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe	28

C:\Users\Admin\AppData\Local\Temp\37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe
"C:\Users\Admin\AppData\Local\Temp\37cf0ef38d1a17b60808fcd32a3b0b5dfdc5638990d1554553242aae8dbe1972.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2328
- C:\SysDrvKG\devbodec.exe
  C:\SysDrvKG\devbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintBQ\dobaec.exe

Filesize
2.7MB

MD5
81c7b76e4e6de35ced2b5f09d6c8e0a0

SHA1
6167732641713ccb1b557abb67bb63391fc4d85b

SHA256
9375784b25148dfafc1d57e3bbeaa1d5d9a9c3956ac0d81f3ce388b8cdd0749d

SHA512
7821257b6adadb3ee9f81b8e34262a613f7120f454023db0f2e840738e817333471ae32a2b2897314be6672a37ac9d5256a38dc63a06745e668dae21e41e2d2d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
999ebd99cfe3e657cfdcd0073525a0e9

SHA1
93d682426b4d0abd2d119a10de5666e4a959ec3f

SHA256
7a9d676b4348c89948a99b322aad6fb508eacfd4d3bb7a61995a95f50fe2c52c

SHA512
cc3b2d7685a71eac857a70f21c8bd6de8a18aa73411a71dff888b7ca3de45d89acabdeedfaa38d9b9c488734821c652cb700b5aff1b4cfe2ccca005b70cd382a

Download Submit
\SysDrvKG\devbodec.exe

Filesize
2.7MB

MD5
618c53db78a1cefebca55b2aba119a75

SHA1
d2fd890be7c9570ef72088bb61bc0742f30eb907

SHA256
6cab96e0ea3c1b1aa662bbcd51ca518eddef815a8e4a144e4e16f93f7e32d4ec

SHA512
79c554b76ab43cd2a6688398a41ca0743d43279c926f648f547899e50a45afc427b58ebeb39871e1db7700ca72e5194d72a0c208d32499d65b14c312bdd19d68

Download Submit