2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed

Analysis

max time kernel
149s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29-05-2024 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
Size

4.1MB
MD5

c8963a07a8fd2a5e12eb7316d169d973
SHA1

5fa134d5914dac63485888c8607693d2d6fb0f85
SHA256

2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed
SHA512

78189434b44344e4f6426cce1befbed99e851fcce912b4554142bad63b5d234c57e13a8eed6e474d531b1536c64c921ca556aa724544e2f93604cfd77e1e9f86
SSDEEP

98304:+R0pI/IQlUoMPdmpSpO4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdm15n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4240	devbodloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesJJ\\devbodloc.exe"	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintBQ\\dobasys.exe"	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
996	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
996	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
996	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
996	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
4240	devbodloc.exe
4240	devbodloc.exe
996	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
996	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
4240	devbodloc.exe
4240	devbodloc.exe
996	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
996	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
4240	devbodloc.exe
4240	devbodloc.exe
996	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
996	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
4240	devbodloc.exe
4240	devbodloc.exe
996	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
996	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
4240	devbodloc.exe
4240	devbodloc.exe
996	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
996	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
4240	devbodloc.exe
4240	devbodloc.exe
996	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
996	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
4240	devbodloc.exe
4240	devbodloc.exe
996	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
996	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
4240	devbodloc.exe
4240	devbodloc.exe
996	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
996	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
4240	devbodloc.exe
4240	devbodloc.exe
996	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
996	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
4240	devbodloc.exe
4240	devbodloc.exe
996	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
996	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
4240	devbodloc.exe
4240	devbodloc.exe
996	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
996	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
4240	devbodloc.exe
4240	devbodloc.exe
996	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
996	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
4240	devbodloc.exe
4240	devbodloc.exe
996	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
996	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
4240	devbodloc.exe
4240	devbodloc.exe
996	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
996	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
4240	devbodloc.exe
4240	devbodloc.exe
996	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
996	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 996 wrote to memory of 4240	996	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe	87
PID 996 wrote to memory of 4240	996	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe	87
PID 996 wrote to memory of 4240	996	2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe	87

C:\Users\Admin\AppData\Local\Temp\2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe
"C:\Users\Admin\AppData\Local\Temp\2a391b04771630355db2f1428a658536f58138c61313a22942668a26995341ed.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:996
- C:\FilesJJ\devbodloc.exe
  C:\FilesJJ\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesJJ\devbodloc.exe

Filesize
4.1MB

MD5
3afe5132dcd0d619b6e155d12e4ed269

SHA1
1c6c8853284a7646b3763f00559f080610ca88ff

SHA256
a2a403a86df663378084a008570ab52f2c2e4c7bcb62d362d3c5ce96d9d602e1

SHA512
f6d7bf0fa378fb79bf169a51f93d19d3e0cb7ae8a477195b6f2f7d39c2adabc1650c800d83dc7c7f795cf7787e7f77ea4b4a51faf7eb772220b6982295ccd225

Download Submit
C:\MintBQ\dobasys.exe

Filesize
4.1MB

MD5
47f013d2f888befa4f4c338eb47f807d

SHA1
71c7e2934a36fb208baf032dd9d374ef705ba84c

SHA256
8193b6573c64ad28e8b8f788234bb93eec48cb2fcbe2db1cba039131c922678a

SHA512
b1fc37598e246c786892aac1739a38695da4f945f112ce6527c34619eacb65b9e0c177bc5c66823c38edfeca8ed1f23639226bc87a11af044cd5df9beff3257c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
936df1b5036414379daaa1813beefc6d

SHA1
03ae20865fda6fdf923957a0e62bdd1ed14e9fd0

SHA256
6b3d0905a570a5dc99bc6e87d5dc4acb0d9d8a73e3b219583cad13ce59b09b78

SHA512
9da950d065fca7c1167469352e7b0af3d262d57d78b478c4ab1cbecfd7ad5749ee28a8ef794b542841d36937428398375360d7f1ff718442a45833c4e803149e

Download Submit