4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29-05-2024 21:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
Size

2.7MB
MD5

9caacf70daeb6ebdbc1c53eb96762b34
SHA1

a7b1c8c6ea61548e5cc288b237355b3f65bda0fd
SHA256

4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f
SHA512

839824f790444bc63f2e927b90bb692874d1a6852666d6113d0a6d4311780d66fe32788f9602d54cd2ed3a2b50577e19c5cb6ef66bb53c53d3d0d8244758ab12
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBp9w4Sx:+R0pI/IQlUoMPdmpSpV4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2848	devdobsys.exe

Loads dropped DLL 1 IoCs

pid	Process
1888	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files1V\\devdobsys.exe"	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB6V\\dobasys.exe"	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1888	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
1888	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2848	devdobsys.exe
1888	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2848	devdobsys.exe
1888	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2848	devdobsys.exe
1888	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2848	devdobsys.exe
1888	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2848	devdobsys.exe
1888	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2848	devdobsys.exe
1888	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2848	devdobsys.exe
1888	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2848	devdobsys.exe
1888	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2848	devdobsys.exe
1888	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2848	devdobsys.exe
1888	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2848	devdobsys.exe
1888	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2848	devdobsys.exe
1888	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2848	devdobsys.exe
1888	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2848	devdobsys.exe
1888	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2848	devdobsys.exe
1888	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2848	devdobsys.exe
1888	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2848	devdobsys.exe
1888	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2848	devdobsys.exe
1888	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2848	devdobsys.exe
1888	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2848	devdobsys.exe
1888	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2848	devdobsys.exe
1888	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2848	devdobsys.exe
1888	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2848	devdobsys.exe
1888	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2848	devdobsys.exe
1888	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2848	devdobsys.exe
1888	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2848	devdobsys.exe
1888	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2848	devdobsys.exe
1888	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2848	devdobsys.exe
1888	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2848	devdobsys.exe
1888	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2848	devdobsys.exe
1888	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2848	devdobsys.exe
1888	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 2848	1888	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe	28
PID 1888 wrote to memory of 2848	1888	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe	28
PID 1888 wrote to memory of 2848	1888	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe	28
PID 1888 wrote to memory of 2848	1888	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe	28

C:\Users\Admin\AppData\Local\Temp\4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
"C:\Users\Admin\AppData\Local\Temp\4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Files1V\devdobsys.exe
  C:\Files1V\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVB6V\dobasys.exe

Filesize
211KB

MD5
06ecc9e99a04963789afb5902a6c04aa

SHA1
06dd2e450b5d400eed9ab8c60eda36527a0304ba

SHA256
2415b409e744925cab26b4a6f6675778f3f09967d3b079d6c606a2b890b1efff

SHA512
d1ea46af92ed6b19fc16e60f99382077d918b5b3184fe6b751738e9292546269485acceab3a68dd3b35f8c4db02ede7ab665e097702953f2a9a0b377d77d93fa

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
579077ec3dc92109989ce7bd04791af1

SHA1
b40a8e91bd5d52cc71ff078a72bcb7ad2362761b

SHA256
4e5d639ec5400ff7a2a9d02798349ef5042575377fee0ca6c3a2de96fbc5e3e5

SHA512
9f1cc72f39c6324db4ce2ffc35d5b6ea1b37c76d1bd00f21276e2e9e917ed37d88c61b4f4e8bed859b4ff377ac6b64e1ff1a9044f689b704ec3176481253934a

Download Submit
\Files1V\devdobsys.exe

Filesize
2.7MB

MD5
604525c88922358c09ca893e0ec021fc

SHA1
231b66f68fededc0b9e7c897ffb7afd1ebb4a938

SHA256
beea09b554f2be2bf9817666bcc85f2a143e5847840c64b68e2ef611a9d6c0f7

SHA512
1d44d14c16acc087f9ee0a58545095c9653273cd86dc10abc9dfd8b8b748c6850f3791960c76938fb4092b846dd674b12c23755f58e730cc90ebcc3151b5b43d

Download Submit