fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
Size

4.1MB
MD5

9b813683e9c38940244cde4701914b7e
SHA1

0cbee4e8a113a7bad4cf2330cba16c600229b52c
SHA256

fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e
SHA512

a8a362cd736d195d26f7a2ccce8fe465951dceb38d45be52a9542fee2162c5ef6b0043f165ccb8ebc1cfb0f8478573f389cfbec5ed925bcca9271a67e70122e8
SSDEEP

98304:+R0pI/IQlUoMPdmpSpO4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmJ5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1680	devdobloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotKU\\devdobloc.exe"	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZBL\\optidevsys.exe"	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1916	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
1916	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
1916	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
1916	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
1680	devdobloc.exe
1680	devdobloc.exe
1916	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
1916	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
1680	devdobloc.exe
1680	devdobloc.exe
1916	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
1916	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
1680	devdobloc.exe
1680	devdobloc.exe
1916	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
1916	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
1680	devdobloc.exe
1680	devdobloc.exe
1916	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
1916	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
1680	devdobloc.exe
1680	devdobloc.exe
1916	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
1916	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
1680	devdobloc.exe
1680	devdobloc.exe
1916	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
1916	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
1680	devdobloc.exe
1680	devdobloc.exe
1916	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
1916	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
1680	devdobloc.exe
1680	devdobloc.exe
1916	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
1916	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
1680	devdobloc.exe
1680	devdobloc.exe
1916	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
1916	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
1680	devdobloc.exe
1680	devdobloc.exe
1916	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
1916	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
1680	devdobloc.exe
1680	devdobloc.exe
1916	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
1916	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
1680	devdobloc.exe
1680	devdobloc.exe
1916	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
1916	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
1680	devdobloc.exe
1680	devdobloc.exe
1916	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
1916	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
1680	devdobloc.exe
1680	devdobloc.exe
1916	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
1916	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
1680	devdobloc.exe
1680	devdobloc.exe
1916	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
1916	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 1680	1916	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe	91
PID 1916 wrote to memory of 1680	1916	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe	91
PID 1916 wrote to memory of 1680	1916	fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe	91

C:\Users\Admin\AppData\Local\Temp\fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe
"C:\Users\Admin\AppData\Local\Temp\fce1ed5d7860308765e969e6534f319c71b34eaeefc7c24021b37dd8ae0e873e.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1916
- C:\UserDotKU\devdobloc.exe
  C:\UserDotKU\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZBL\optidevsys.exe

Filesize
4.1MB

MD5
67cafe9abf25afd9aa433feeef5d3d8a

SHA1
a8cefb5ed1e9b6cd7062e0e58191bc9f8cd9ed60

SHA256
619ff6b2a6225e6e5f893b39cf603765972dee6e267a0d425b1def0603720ded

SHA512
ad92056b120253845de59aefecd444d9e967321cffc6b57f3a7c5b781d82654426bbb6f9dc4b9ca6b378046c3be8cbbfbd2f853b92b88b162809dd5b62092995

Download Submit
C:\UserDotKU\devdobloc.exe

Filesize
4.1MB

MD5
cf18b9ca2a72d7e21dafb9d18bf5afa3

SHA1
8e125f1d2ee856d34c24462dac9716dc85544b65

SHA256
7dfb902fc43c1401a4551f849da59713a0e61347ea605744b76c17d623c1da2d

SHA512
1da4b40d08216a80231790d498a6f27be587130817f8910de4d8f81925ae4c99676beb36a52b9614e7a7705892bda7069a66bd4f5d514f17555b5e8004fbf12f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
209B

MD5
650b2154ac569a5709db4fa37a5c5311

SHA1
c2002c5b00f7d6ed03a568a85f00b519113c4081

SHA256
bd7f5b7422dcec0b8213874b889d2a47b3aa27103e4ab29b1dc414d2ce0fe16f

SHA512
7971d417db01c5fb69a81ab1588a9c30de5218b603d4b151c811950fe96412302754e7476096ffd490e9610daed2cfdef24fe8290a255ab2c3895a8a1458c650

Download Submit