Analysis

max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 24-05-2024 02:38
Static task: static1

Behavioral task: behavioral1
  Sample: bde1375791c43560474c980757fc957bf9a8d4b072c840ea40e9df22679a69b9.exe
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: bde1375791c43560474c980757fc957bf9a8d4b072c840ea40e9df22679a69b9.exe
  Resource: win10v2004-20240226-en
General

Target: bde1375791c43560474c980757fc957bf9a8d4b072c840ea40e9df22679a69b9.exe
Size: 2.7MB
MD5: 9dc8c6baa1b6ecf6bdb561b598af3986
SHA1: b4397f53f217ba282c305f7fb7a94f58832a6846
SHA256: bde1375791c43560474c980757fc957bf9a8d4b072c840ea40e9df22679a69b9
SHA512: 469daa5c87ed07a95d9656f3940dc6817a128f64f113b67274cd5f6627be1893b2c01cb158f729268a480d790f178c85b49daaf4074a11086bb031e366075c5c
SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBN9w4Sx:+R0pI/IQlUoMPdmpSpx4
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
Processes:
  PID 2156  devdobsys.exe

Loads dropped DLL (1 IoC)
Processes:
  PID 1848  bde1375791c43560474c980757fc957bf9a8d4b072c840ea40e9df22679a69b9.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (both values written by bde1375791c43560474c980757fc957bf9a8d4b072c840ea40e9df22679a69b9.exe):
  Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotPP\\devdobsys.exe"
  Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxFZ\\dobdevloc.exe"

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (64 hits, alternating between the two processes):
  PID 1848  bde1375791c43560474c980757fc957bf9a8d4b072c840ea40e9df22679a69b9.exe
  PID 2156  devdobsys.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes (4 events, all identical):
  PID 1848 (bde1375791c43560474c980757fc957bf9a8d4b072c840ea40e9df22679a69b9.exe) wrote to memory of PID 2156 (devdobsys.exe)
Processes

1. C:\Users\Admin\AppData\Local\Temp\bde1375791c43560474c980757fc957bf9a8d4b072c840ea40e9df22679a69b9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bde1375791c43560474c980757fc957bf9a8d4b072c840ea40e9df22679a69b9.exe"
   PID: 1848
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\UserDotPP\devdobsys.exe (child of PID 1848)
      Command line: C:\UserDotPP\devdobsys.exe
      PID: 2156
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\GalaxFZ\dobdevloc.exe
  Filesize: 2.7MB
  MD5: 394513d9bd9e316f4224f26bc24d5397
  SHA1: a8af651506b105faa965549f3d3e915720c3099e
  SHA256: cf4a84f945b735199c4ec06fdb61173f495ec16902c8103365ae7aa4f84f69d2
  SHA512: 8b65ca8faa5ef082075002fb228bb67b1d22343ad1847d38aab0f2383d0d8ca6fe952172b1bff30edb06d51829b429d0bd109ef0e256787c7c60a2eb5c93de8d

C:\Users\Admin\253086396416_6.1_Admin.ini
  Filesize: 206B
  MD5: d4279729c47f026c2ad400845733630a
  SHA1: 13e51044d7ecf96bdcc177b94fe64214a481e4ae
  SHA256: ae6af6163795a4d944c2d9450d895f51d41d622a84da4d8227fd3ad557b062f7
  SHA512: 61788092ad716a945a9d8fbcbc65fb79ca755fa962b3210456850437fe91c008e45e9e5ed2fe6c9ae488054c3ff4cada8383480d13ff51175cd89fe7eb75d203

\UserDotPP\devdobsys.exe
  Filesize: 2.7MB
  MD5: be91658053b1f6aaf1f58ea8645db748
  SHA1: 09b83d857ab19bce99ca02fdc95fd570ce2009d7
  SHA256: 67f65961f8149bfb93e473a9306e53a7307c8a125e68ccb0091a5d1f899d889a
  SHA512: a6b6f802b700946daad35e62ce92908a643d6c9dc426cd12a2e71e693e04114eacfc0323d8c47b1033dab93e0951ea550ed2acda99dc172a17c278c8a45fc72a
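Two things in this report are worth turning into reusable triage logic: the persistence pattern (a per-user Run value and a RunOnce value, both named "Parametr", pointing at executables dropped into the non-standard root-level directories C:\UserDotPP and C:\GalaxFZ; only the Run target, devdobsys.exe, was seen executing as PID 2156, while dobdevloc.exe was dropped but not observed running in this session), and the fact that every PE here is 2.7MB yet the two dropped copies hash differently from the submitted sample, so a hunt keyed on the parent's hash alone misses them. The script below is an added example, not the sandbox's code or the sample's: it parses "Set value" lines in the format the Signatures section prints, flags the autorun patterns above, and indexes the MD5/SHA1/SHA256 values from the General and Downloads sections for lookup. The first two registry lines are copied from the report; the third (a Run value under C:\Program Files\Vendor) is constructed as a benign contrast and is not on the page.

```python
"""Triage helpers for the sandbox report above (added example, not the sandbox's code)."""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Registry "Set value" lines exactly as the report prints them. The first two are
# copied from the report; the third is a CONSTRUCTED benign entry for contrast
# (the vendor path is an assumption, not something on the page).
SAMPLE_LINES = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotPP\\devdobsys.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxFZ\\dobdevloc.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Program Files\\Vendor\\updater.exe"',
]

AUTORUN_RE = re.compile(
    r'^Set value \((?P<vtype>\w+)\) '
    r'\\REGISTRY\\(?P<hive>USER|MACHINE)\\(?P<subkey>.*?\\CurrentVersion\\(?P<which>RunOnce|Run))'
    r'\\(?P<name>[^\\=]+?) = "(?P<data>.*)"$'
)

# Directories that legitimately sit directly under the drive root. An autorun
# target whose top-level directory is anything else (C:\UserDotPP, C:\GalaxFZ)
# is the pattern this sample shows.
STANDARD_ROOT_DIRS = {"program files", "program files (x86)", "programdata", "windows", "users"}


@dataclass
class AutorunEvent:
    hive: str    # USER (per-user, HKCU) or MACHINE (HKLM)
    which: str   # Run or RunOnce
    name: str    # value name, e.g. Parametr
    path: str    # unescaped target path
    reasons: list = field(default_factory=list)


def parse_autorun_line(line: str):
    """Return an AutorunEvent for a Run/RunOnce 'Set value' line, else None."""
    m = AUTORUN_RE.match(line.strip())
    if not m:
        return None
    # The report escapes backslashes in the data field ("C:\\UserDotPP\\...").
    path = m.group("data").replace("\\\\", "\\")
    return AutorunEvent(m.group("hive"), m.group("which"), m.group("name"), path)


def triage(lines):
    """Parse all lines and attach reasons to anything that looks like malicious persistence."""
    events = [ev for ev in map(parse_autorun_line, lines) if ev]
    keys_per_name = defaultdict(set)
    for ev in events:
        keys_per_name[ev.name].add(ev.which)
    for ev in events:
        parts = ev.path.split("\\")
        if len(parts) >= 3 and re.fullmatch(r"[A-Za-z]:", parts[0]) \
                and parts[1].lower() not in STANDARD_ROOT_DIRS:
            ev.reasons.append(f"target in non-standard root directory {parts[0]}\\{parts[1]}")
        if len(keys_per_name[ev.name]) > 1:
            ev.reasons.append(f"value name {ev.name!r} written to both Run and RunOnce")
    return events


# (md5, sha1, sha256) per file, copied from the report's General and Downloads sections.
KNOWN_FILES = {
    "bde1375791c43560474c980757fc957bf9a8d4b072c840ea40e9df22679a69b9.exe": (
        "9dc8c6baa1b6ecf6bdb561b598af3986", "b4397f53f217ba282c305f7fb7a94f58832a6846",
        "bde1375791c43560474c980757fc957bf9a8d4b072c840ea40e9df22679a69b9"),
    r"C:\GalaxFZ\dobdevloc.exe": (
        "394513d9bd9e316f4224f26bc24d5397", "a8af651506b105faa965549f3d3e915720c3099e",
        "cf4a84f945b735199c4ec06fdb61173f495ec16902c8103365ae7aa4f84f69d2"),
    r"C:\Users\Admin\253086396416_6.1_Admin.ini": (
        "d4279729c47f026c2ad400845733630a", "13e51044d7ecf96bdcc177b94fe64214a481e4ae",
        "ae6af6163795a4d944c2d9450d895f51d41d622a84da4d8227fd3ad557b062f7"),
    r"\UserDotPP\devdobsys.exe": (
        "be91658053b1f6aaf1f58ea8645db748", "09b83d857ab19bce99ca02fdc95fd570ce2009d7",
        "67f65961f8149bfb93e473a9306e53a7307c8a125e68ccb0091a5d1f899d889a"),
}
HASH_INDEX = {h.lower(): name for name, hashes in KNOWN_FILES.items() for h in hashes}


def lookup_hash(hexdigest: str):
    """Return the report filename for an md5/sha1/sha256 hex digest, or None."""
    return HASH_INDEX.get(hexdigest.strip().lower())


def hash_bytes(data: bytes) -> dict:
    """md5/sha1/sha256 of a byte string, keyed by algorithm name."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def match_file(data: bytes):
    """Hash a file's bytes and report which artefact from the report it matches, if any."""
    for digest in hash_bytes(data).values():
        hit = lookup_hash(digest)
        if hit:
            return hit
    return None


if __name__ == "__main__":
    for ev in triage(SAMPLE_LINES):
        scope = "HKCU" if ev.hive == "USER" else "HKLM"
        verdict = "SUSPICIOUS" if ev.reasons else "ok"
        print(f"[{verdict}] {scope}\\...\\{ev.which}\\{ev.name} -> {ev.path}")
        for r in ev.reasons:
            print("    -", r)
    print(match_file(b"not the sample"))  # constructed bytes, matches nothing
```

Run it as-is to see the two report lines flagged and the constructed Program Files entry pass; feed `match_file()` the bytes of a file recovered from a host to see whether it is the parent or one of the dropped copies. Because RunOnce values are deleted after they fire, a registry snapshot taken after the next logon will no longer show the dobdevloc.exe entry, so the file hashes are the more durable indicator for that artefact.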