Analysis
max time kernel: 149s
max time network: 123s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 24-05-2024 02:30
Static task: static1
Behavioral task: behavioral1
Sample: bb6406f34e47e30a9f8ef775727466eb4468e4e3afdd17b91c6aae9652fa7a47.exe
Resource: win7-20240419-en
Behavioral task: behavioral2
Sample: bb6406f34e47e30a9f8ef775727466eb4468e4e3afdd17b91c6aae9652fa7a47.exe
Resource: win10v2004-20240426-en
General
Target: bb6406f34e47e30a9f8ef775727466eb4468e4e3afdd17b91c6aae9652fa7a47.exe
Size: 2.7MB
MD5: 848e8d4f0808a3317a8f9c2f1e9327ee
SHA1: 21886093b900bd2d384ab4ad05d9746843714d4b
SHA256: bb6406f34e47e30a9f8ef775727466eb4468e4e3afdd17b91c6aae9652fa7a47
SHA512: 29b7b4eebbce08b64a91b86ea72fa92b6328e44997e04dbd07e5ddc19c75a76f4f3674cc2e91f3cf71eda8213a8f1fda7e0e9ac2c7cd985ba08a6124372704a5
SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBP9w4Sx:+R0pI/IQlUoMPdmpSpD4
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
Processes: PID 2148 devbodec.exe
Loads dropped DLL (1 IoC)
Processes: PID 2456 bb6406f34e47e30a9f8ef775727466eb4468e4e3afdd17b91c6aae9652fa7a47.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesG7\\devbodec.exe" (process: bb6406f34e47e30a9f8ef775727466eb4468e4e3afdd17b91c6aae9652fa7a47.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBS1\\dobdevloc.exe" (process: bb6406f34e47e30a9f8ef775727466eb4468e4e3afdd17b91c6aae9652fa7a47.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: PID 2456 bb6406f34e47e30a9f8ef775727466eb4468e4e3afdd17b91c6aae9652fa7a47.exe and PID 2148 devbodec.exe (the 64 IoCs are repeated hits for these two processes)
Suspicious use of WriteProcessMemory (4 IoCs)
Processes: PID 2456 (bb6406f34e47e30a9f8ef775727466eb4468e4e3afdd17b91c6aae9652fa7a47.exe) wrote to memory of PID 2148 (devbodec.exe), reported 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\bb6406f34e47e30a9f8ef775727466eb4468e4e3afdd17b91c6aae9652fa7a47.exe "C:\Users\Admin\AppData\Local\Temp\bb6406f34e47e30a9f8ef775727466eb4468e4e3afdd17b91c6aae9652fa7a47.exe" (PID 2456)
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\FilesG7\devbodec.exe C:\FilesG7\devbodec.exe (PID 2148, child of PID 2456)
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
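The two signatures worth acting on here are the autostart entries (Run and RunOnce values named "Parametr") and the parent writing into the memory of the dropped devbodec.exe. The script below is an added example, not part of the sandbox report or the sample: it parses the report's "Set value" and "wrote to memory of" IoC lines into records, flags autostart values that point outside the usual installation directories, and correlates them with the process tree. The regexes, the TRUSTED_DIRS heuristic and all function names are this example's own assumptions about the line format shown on this page. Run on the page's own lines it shows one fact the tree alone does not make obvious: the RunOnce target C:\KaVBS1\dobdevloc.exe is listed under Downloads but never appears as a running process.

```python
"""Parse the 'Adds Run key' and 'WriteProcessMemory' IoC lines of a sandbox
report into structured records and correlate them with the process tree.

Added example; not part of the sandbox report. The regexes, TRUSTED_DIRS and
function names are this example's own assumptions about the report format.
"""
import re

SAMPLE = "bb6406f34e47e30a9f8ef775727466eb4468e4e3afdd17b91c6aae9652fa7a47.exe"

# Registry IoC lines, copied from the "Adds Run key to start application" signature.
REGISTRY_LINES = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesG7\\devbodec.exe" ' + SAMPLE,
    r'Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBS1\\dobdevloc.exe" ' + SAMPLE,
]

# WriteProcessMemory IoC line, copied from the report (listed there four times).
MEMORY_LINES = [f"PID 2456 wrote to memory of 2148 2456 {SAMPLE} devbodec.exe"] * 4

# Process tree from the report: pid -> image path.
PROCESSES = {
    2456: "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE,
    2148: "C:\\FilesG7\\devbodec.exe",
}

REG_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\\S+?) = "(.*)" (\S+)$')
MEM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")

# Per-user and machine autostart keys share this tail under HKCU/HKLM.
AUTOSTART_SUFFIXES = (
    "\\software\\microsoft\\windows\\currentversion\\run",
    "\\software\\microsoft\\windows\\currentversion\\runonce",
)
# Assumed heuristic: autostart values pointing here get less suspicion; anywhere
# else (Temp, a fresh top-level folder such as C:\FilesG7) is reported.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_registry(lines):
    """Turn 'Set value (...) <key>\\<name> = "<data>" <process>' lines into dicts."""
    records = []
    for line in lines:
        m = REG_RE.match(line)
        if not m:
            continue
        kind, full_path, data, process = m.groups()
        key, _, name = full_path.rpartition("\\")
        # The report quotes the data with doubled backslashes; collapse them.
        data = data.replace("\\\\", "\\")
        records.append({"type": kind, "key": key, "name": name, "data": data, "process": process})
    return records


def is_autostart(key):
    return key.lower().endswith(AUTOSTART_SUFFIXES)


def in_trusted_dir(path):
    return path.lower().startswith(TRUSTED_DIRS)


def persistence_findings(lines):
    """Return (key leaf, value name, target path, writing process) for each
    autostart value whose target lives outside TRUSTED_DIRS."""
    findings = []
    for rec in parse_registry(lines):
        if is_autostart(rec["key"]) and not in_trusted_dir(rec["data"]):
            leaf = rec["key"].rsplit("\\", 1)[-1]
            findings.append((leaf, rec["name"], rec["data"], rec["process"]))
    return findings


def parse_memory_writes(lines):
    """Deduplicate 'PID a wrote to memory of b' lines into {(a, b): (a_img, b_img)}."""
    edges = {}
    for line in lines:
        m = MEM_RE.match(line)
        if m:
            src, dst, src_img, dst_img = m.groups()
            edges[(int(src), int(dst))] = (src_img, dst_img)
    return edges


def correlate(reg_lines, mem_lines, processes):
    """Link autostart targets to the process tree.

    linked:  (pid, path, key leaf) for autostart targets that ran and were
             written into by another process (persistence + memory write).
    dormant: autostart targets that never appeared as a running process.
    """
    autostart = {data.lower(): (data, leaf) for leaf, _, data, _ in persistence_findings(reg_lines)}
    proc_by_path = {path.lower(): pid for pid, path in processes.items()}
    write_targets = {dst for (_, dst) in parse_memory_writes(mem_lines)}
    linked, dormant = [], []
    for lower, (path, leaf) in autostart.items():
        pid = proc_by_path.get(lower)
        if pid is None:
            dormant.append(path)
        elif pid in write_targets:
            linked.append((pid, path, leaf))
    return linked, dormant


if __name__ == "__main__":
    for finding in persistence_findings(REGISTRY_LINES):
        print("autostart:", finding)
    linked, dormant = correlate(REGISTRY_LINES, MEMORY_LINES, PROCESSES)
    print("autostart targets written into by another process:", linked)
    print("autostart targets never seen running:", dormant)
```

For a real report, replace the constructed REGISTRY_LINES, MEMORY_LINES and PROCESSES with the corresponding sections of the report you are triaging; a dormant RunOnce target is a reason to pull the file from the Downloads list and detonate it separately.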
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\KaVBS1\dobdevloc.exe
  Filesize: 2.7MB
  MD5: 215ef87e1c1b322d22b8bd9a90e7b587
  SHA1: fa2622c75b8fc9baad5d6833cfa8a89848b91e1d
  SHA256: 93e99446c8755d54ad2f25a6def0f57128b4a9643c62db0aacbba7352cc7c06d
  SHA512: 6b1c7d6a6fcb1383d0d6d6ca7ddccb249adb9292bae3400f2d87b631f7a0fd691c1c71619be3d2233d97bd0a4a061f2384007f74da1b91bddd6d9ca734c776a6
- C:\Users\Admin\253086396416_6.1_Admin.ini
  Filesize: 207B
  MD5: 766bb29f336d26a3d073b25e1387abe9
  SHA1: 1dfc85c980f1331742160e972422d72c8ab70566
  SHA256: 0e01f4aa3006cbd60f803cd20a4819ffeb3d4dc6deea307b0d61f1c93046bbf0
  SHA512: 9cf2d53e1d3073103038b63f8cafbf13f9c532c3cb07cb46b8a8778d8688992f016eec173afdf3315c640e3dd41bbe7b80d8d4f02167a7efee7ee2fb8fb51af5
- \FilesG7\devbodec.exe
  Filesize: 2.7MB
  MD5: 62cadca3cc67d6f1b6f8a7f179614a49
  SHA1: 4a560bf1547de5d4ec731ea44993846471abfb82
  SHA256: 04dbfca5ec7e7fbd5953af4eb82ebc6ee6caa9cf2e832a669a05b6ecf4d43462
  SHA512: a7f193fa8a0fb7f5912d60b9c5f869f608e25958857348f0e830e310bc814daa45c51b748cc232803be54d728964f59b00590d11265b88c17285a6494527c273