ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
Size

4.1MB
MD5

a9f408bc334cb1ec3a6c1178e6f6d8f3
SHA1

8b4e78dd371be65149ab1d9e4c0f1d0bd598332a
SHA256

ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1
SHA512

f548ace253b1a1578cae9193f869f06951e2950249830085845c489565a53e371e688d5ba7b0ae7d3ec3cf32f3d5aad46177220a527c1cc35764b47a2f97a6c9
SSDEEP

98304:+R0pI/IQlUoMPdmpSpo4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdm75n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2848	devbodec.exe

Loads dropped DLL 1 IoCs

pid	Process
2876	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZNM\\dobdevsys.exe"	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocG8\\devbodec.exe"	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2876	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
2876	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
2848	devbodec.exe
2876	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
2848	devbodec.exe
2876	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
2848	devbodec.exe
2876	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
2848	devbodec.exe
2876	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
2848	devbodec.exe
2876	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
2848	devbodec.exe
2876	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
2848	devbodec.exe
2876	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
2848	devbodec.exe
2876	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
2848	devbodec.exe
2876	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
2848	devbodec.exe
2876	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
2848	devbodec.exe
2876	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
2848	devbodec.exe
2876	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
2848	devbodec.exe
2876	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
2848	devbodec.exe
2876	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
2848	devbodec.exe
2876	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
2848	devbodec.exe
2876	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
2848	devbodec.exe
2876	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
2848	devbodec.exe
2876	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
2848	devbodec.exe
2876	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
2848	devbodec.exe
2876	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
2848	devbodec.exe
2876	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
2848	devbodec.exe
2876	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
2848	devbodec.exe
2876	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
2848	devbodec.exe
2876	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
2848	devbodec.exe
2876	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
2848	devbodec.exe
2876	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
2848	devbodec.exe
2876	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
2848	devbodec.exe
2876	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
2848	devbodec.exe
2876	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
2848	devbodec.exe
2876	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
2848	devbodec.exe
2876	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2848	2876	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe	28
PID 2876 wrote to memory of 2848	2876	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe	28
PID 2876 wrote to memory of 2848	2876	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe	28
PID 2876 wrote to memory of 2848	2876	ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe	28

C:\Users\Admin\AppData\Local\Temp\ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe
"C:\Users\Admin\AppData\Local\Temp\ec217aa1e48eebdab7533403794aff0a94cbd2c81489c1f6da44057a1c3d2ae1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2876
- C:\IntelprocG8\devbodec.exe
  C:\IntelprocG8\devbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZNM\dobdevsys.exe

Filesize
4.1MB

MD5
77f37e8a3ec00abd8fa1ac4d4ea76acc

SHA1
4f5be5a3a368579803fffff0f71cc743f9e67501

SHA256
96bab426ab51d72a4aa8335852d79c7a9305d93976029f5f6928849d1239e67c

SHA512
1af5dcf58c27cebdda7379a080ff9fa874423e72fa597f1793d31d7df340cc1185c8e94c12292628165e63e02992698bd16a978bcf481cf167dc1a45105ad412

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
210B

MD5
ccced26a5513ca838e8b2b9cfe4dc20d

SHA1
493b303142dcea2f3cccd2c87024ac3f68380a62

SHA256
a2ca2fa2075442f2d0f54c2fdc7ca14abd752402e6e9b99c7f54a216f74006be

SHA512
c95a4f919f516689d7e616370a234722f90f4d710bc07d7db52dedc5332ac7d08e728dae40bb4e112a3558757c0546331946fef03aee0b8caabaab9010b445c3

Download Submit
\IntelprocG8\devbodec.exe

Filesize
4.1MB

MD5
f3d7b0428dc1b9448b96090133d1d344

SHA1
e106c0effed6c07d2331aaae4576bb6b2f4c49c1

SHA256
b2855ee94b1d5886ac667d7543d05f85c2fa34c8db386d020b9e7ed3ed4ff569

SHA512
ac87f65402f7999b1fdcdc7da3380c1206049302d35bce8f3d226df5f2648df658c41f1b7369ed2671c4431df6592138dfd308d8e14e7658a61466220b050bdf

Download Submit