af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 01:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
Size

2.7MB
MD5

4400ee5f21abd31f7f81c75b8c82a21e
SHA1

d4eb785477099081c64d28307f9b23ac3e1b8409
SHA256

af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692
SHA512

1f15cca7f39947156a7a634087562c1bc77d92cedfc2c43e17b5456dd7060180a08a007f7a9c0445a58f3c1c70850d54893c20eb8302e4d255580273b134dc74
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBO9w4Sx:+R0pI/IQlUoMPdmpSpY4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4624	devbodec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocWN\\devbodec.exe"	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintP8\\dobasys.exe"	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4356	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
4356	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
4356	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
4356	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
4624	devbodec.exe
4624	devbodec.exe
4356	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
4356	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
4624	devbodec.exe
4624	devbodec.exe
4356	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
4356	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
4624	devbodec.exe
4624	devbodec.exe
4356	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
4356	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
4624	devbodec.exe
4624	devbodec.exe
4356	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
4356	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
4624	devbodec.exe
4624	devbodec.exe
4356	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
4356	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
4624	devbodec.exe
4624	devbodec.exe
4356	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
4356	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
4624	devbodec.exe
4624	devbodec.exe
4356	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
4356	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
4624	devbodec.exe
4624	devbodec.exe
4356	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
4356	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
4624	devbodec.exe
4624	devbodec.exe
4356	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
4356	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
4624	devbodec.exe
4624	devbodec.exe
4356	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
4356	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
4624	devbodec.exe
4624	devbodec.exe
4356	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
4356	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
4624	devbodec.exe
4624	devbodec.exe
4356	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
4356	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
4624	devbodec.exe
4624	devbodec.exe
4356	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
4356	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
4624	devbodec.exe
4624	devbodec.exe
4356	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
4356	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
4624	devbodec.exe
4624	devbodec.exe
4356	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
4356	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4356 wrote to memory of 4624	4356	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe	86
PID 4356 wrote to memory of 4624	4356	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe	86
PID 4356 wrote to memory of 4624	4356	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe	86

C:\Users\Admin\AppData\Local\Temp\af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
"C:\Users\Admin\AppData\Local\Temp\af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4356
- C:\IntelprocWN\devbodec.exe
  C:\IntelprocWN\devbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocWN\devbodec.exe

Filesize
2.7MB

MD5
631827b03763557ee7121031c12c5eda

SHA1
e993fd48a260748f8b2f2658ab2318a2d9699fee

SHA256
dc958dd51d723339f86c792850d8cf335b934166bd89cb25f2ee9fa4df332808

SHA512
f486508f7530823603d367de10d1b644944060ea07309f28150a15e47152bb54f0c3ab919a8e8b0daf4b4a46c51b203c8cf25aeb61cdae4ed43b8e25863b18d8

Download Submit
C:\MintP8\dobasys.exe

Filesize
9KB

MD5
f24e8ebe2134fb9105f767ac6a5b13d6

SHA1
d87bd5250acbcd27e4ac07ca739fedccef4a7ee1

SHA256
6448e46123698d117ae1f2cc2ce1754ec43e0f78dc07011770f5412ae8e09e0e

SHA512
22e754e2594bfee3cd7ff1f9288818db280a23d53652603c522cb85c04643b6c9c9725b59dc003037dc80a66b6ac004a61e127276dccc8d1c5122d850af2ff32

Download Submit
C:\MintP8\dobasys.exe

Filesize
2.7MB

MD5
10996a1e3c8db2907c0b52309fcd3174

SHA1
fc30f9e31e21d4a39b6ed5db2110a43fb8d19f0a

SHA256
cfbd177b3cf9a2a74b0a9a3fd6bb126d03373542cd63ab6063d6c8a8b45db952

SHA512
879d555048dd751b37705aaf4b12c4476cc805b3c1cd4541f8bd03710482f1f8cc9300e46c90b26fc5e7a2a8803860902ce1d8ceec4acdc2394031cf11615029

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
4a4f75fa3fde963ca7d2cd908171874b

SHA1
bc6fdcf6cf9d0b5e6d6bac756a87aa7a3d33e48b

SHA256
7ddbb63ef6c45ecf3a0ba1149e864b9c4b6cdecfa0676a40eaa35a194afbf652

SHA512
db6c74093c54fff6a412998c46d2a5c1cac451dc7324b3e00ed3094d71f7cc8e590cd5a23f280f2b3b284bcb8f2e2124d85de53a7097ec31929ab46ee911396b

Download Submit