d8ec67bd2273a145593101576349db37e709fe7b16a7f529578b7426e045cc29

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
28-05-2024 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
Size

2.7MB
MD5

033ed44a2f1841cce29d91d7ee4909d0
SHA1

23851ff70880505dc2c12a76e0bb0a879c692a9b
SHA256

d8ec67bd2273a145593101576349db37e709fe7b16a7f529578b7426e045cc29
SHA512

d19baf28cfb1f007fedbed7f99dad6ece4604db9c0e2a3e2219c49640313146338ca37f6ee470b7707d5f2f35ef164badf54ae594a0c4191c7f5d42670a49d93
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBR9w4Sx:+R0pI/IQlUoMPdmpSpF4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2988	devdobloc.exe

Loads dropped DLL 1 IoCs

pid	Process
1776	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe3M\\devdobloc.exe"	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZKV\\dobaloc.exe"	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1776	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
1776	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2988	devdobloc.exe
1776	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2988	devdobloc.exe
1776	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2988	devdobloc.exe
1776	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2988	devdobloc.exe
1776	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2988	devdobloc.exe
1776	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2988	devdobloc.exe
1776	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2988	devdobloc.exe
1776	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2988	devdobloc.exe
1776	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2988	devdobloc.exe
1776	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2988	devdobloc.exe
1776	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2988	devdobloc.exe
1776	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2988	devdobloc.exe
1776	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2988	devdobloc.exe
1776	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2988	devdobloc.exe
1776	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2988	devdobloc.exe
1776	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2988	devdobloc.exe
1776	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2988	devdobloc.exe
1776	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2988	devdobloc.exe
1776	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2988	devdobloc.exe
1776	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2988	devdobloc.exe
1776	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2988	devdobloc.exe
1776	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2988	devdobloc.exe
1776	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2988	devdobloc.exe
1776	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2988	devdobloc.exe
1776	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2988	devdobloc.exe
1776	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2988	devdobloc.exe
1776	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2988	devdobloc.exe
1776	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2988	devdobloc.exe
1776	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2988	devdobloc.exe
1776	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2988	devdobloc.exe
1776	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2988	devdobloc.exe
1776	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 2988	1776	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe	28
PID 1776 wrote to memory of 2988	1776	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe	28
PID 1776 wrote to memory of 2988	1776	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe	28
PID 1776 wrote to memory of 2988	1776	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe	28

C:\Users\Admin\AppData\Local\Temp\virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
"C:\Users\Admin\AppData\Local\Temp\virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Adobe3M\devdobloc.exe
  C:\Adobe3M\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZKV\dobaloc.exe

Filesize
2.7MB

MD5
37bf09816ee45b492fa2fb5487fcb0c9

SHA1
0c2e3b3f344b9e65e5964409135a70e40724c647

SHA256
1721b61fc5cf6959800808e9fabdc9547ddbb895f84bc064d94e534690eac773

SHA512
e243643f6d6127588c4e7d0b09f9948d00d450955726cc6db6c8b9bba5d715814cb15e0a637fc337071a19ed904df541eb0ec04c50ef9e71c150fafb61af966c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
ccb95718c55a9e8ae20856d5f1826a5b

SHA1
b83df33e6c109f8fa873a750060ad544e04eee3f

SHA256
e93ab9f586e6ffd9c7e807e74c241dd38b888374ebb74e2916d8133cd9e1bf8c

SHA512
7597a811cd703fbf2dcab9e2de3d4d38e33747ea272a0139c795f79fd07de1a1c516003969be16894bc650e57c19e3725396cc29869528863e48d536600f5910

Download Submit
\Adobe3M\devdobloc.exe

Filesize
2.7MB

MD5
f5be6e95e6c3eea9606fa56d6b820099

SHA1
bde25b08085480b98a1627cfd1b927a20f258a99

SHA256
5bd411c5a99dfde99fb51cecc423757b5ad2f8c58f42394c7b2c5b9fd98a1919

SHA512
1c3397450d235e521d7974b0604dac04e0bffaac7148be688ffce3ebb0db6bbb05b205c7ee51fd61feb7565b69bf366a928738269ebb41885c6f9ea437fda0e0

Download Submit