9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe
Size

2.7MB
MD5

b305119fbfd6be4361f175695b595eba
SHA1

1c344f4ff82c0e9b938772e78d6e64aec8f05cc5
SHA256

9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da
SHA512

8eb171536fd85a8f16158636db29c3f39d9bdc1a0a8dc6514c12482e75de48155ac1511b3aeb4dcb7f146f5dff8c34adeec04dbbd3d888c697002586b6ec3207
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBP9w4Sx:+R0pI/IQlUoMPdmpSpD4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
820	devdobec.exe

Loads dropped DLL 1 IoCs

pid	Process
2932	9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocG2\\devdobec.exe"	9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ72\\bodxsys.exe"	9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2932	9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe
2932	9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe
820	devdobec.exe
2932	9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe
820	devdobec.exe
2932	9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe
820	devdobec.exe
2932	9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe
820	devdobec.exe
2932	9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe
820	devdobec.exe
2932	9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe
820	devdobec.exe
2932	9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe
820	devdobec.exe
2932	9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe
820	devdobec.exe
2932	9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe
820	devdobec.exe
2932	9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe
820	devdobec.exe
2932	9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe
820	devdobec.exe
2932	9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe
820	devdobec.exe
2932	9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe
820	devdobec.exe
2932	9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe
820	devdobec.exe
2932	9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe
820	devdobec.exe
2932	9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe
820	devdobec.exe
2932	9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe
820	devdobec.exe
2932	9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe
820	devdobec.exe
2932	9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe
820	devdobec.exe
2932	9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe
820	devdobec.exe
2932	9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe
820	devdobec.exe
2932	9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe
820	devdobec.exe
2932	9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe
820	devdobec.exe
2932	9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe
820	devdobec.exe
2932	9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe
820	devdobec.exe
2932	9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe
820	devdobec.exe
2932	9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe
820	devdobec.exe
2932	9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe
820	devdobec.exe
2932	9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe
820	devdobec.exe
2932	9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe
820	devdobec.exe
2932	9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe
820	devdobec.exe
2932	9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 820	2932	9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe	28
PID 2932 wrote to memory of 820	2932	9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe	28
PID 2932 wrote to memory of 820	2932	9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe	28
PID 2932 wrote to memory of 820	2932	9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe	28

C:\Users\Admin\AppData\Local\Temp\9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe
"C:\Users\Admin\AppData\Local\Temp\9f74e3aeb6762f6e1f32721429eed0de28a5c6ca98818e50949bb7410ad412da.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2932
- C:\IntelprocG2\devdobec.exe
  C:\IntelprocG2\devdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZ72\bodxsys.exe

Filesize
2.7MB

MD5
ea380ce9a9a654d3054b96ec099ec880

SHA1
c2240b76658287ef1a4964c8c56fe3c4724ae396

SHA256
1951eab57403b227183dd7c20b1929e673d9dfa6b922da070d1acc7ba14bd32c

SHA512
8d520c185cabe5282709fd08eb91dedd62ef9763e35c9edb53899276970b9cad9a575a8b9bf6dd3f29958728af89b08bc448b0c0692b7cd8fee707e18ad20cae

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
07ec8bc64f7d5e9cf6e995bb5aac8c42

SHA1
f90e29c9148cdba9c9b9dd223e5e48ac262d0628

SHA256
13abd5678e672b76a2407c70c9ec3b3e587a0b7ad3875433beddc344b6fda047

SHA512
25e6f88535f9c989e7ece547ef0567c6c27367c9ade8edbb1eeff1e0bf39901ebbb5511614d61987ac93d0bed04a0f1187e583f0e999e642bc42000b3ded4327

Download Submit
\IntelprocG2\devdobec.exe

Filesize
2.7MB

MD5
0d88dc4e015d1510f28d703be5791bda

SHA1
b09fbae64d695f56cc30b0fcaac3afe3b146eb7f

SHA256
8e945e994b8aaaf9970f3da2ac089d81d135468e6ed576aebcc6c045ff9401f3

SHA512
2c5a641f6684c32ae19789a51804c3fa37feb0e152493ff3270ab19ff5aa70523f5f888d77ed664a40b84ca79ee1685438651b24b08eacebe2db1b69b11e8b49

Download Submit