10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0

Analysis

max time kernel
149s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 18:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0.exe
Size

4.1MB
MD5

4650eefb57da816bedd351a1fd6040a2
SHA1

914249e795ef96b546d0499382466413e85bcd53
SHA256

10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0
SHA512

a0bd0b6b537b32bdf0fc2c94a15169e2998ff0bc1b411b4f8f83c929c893df22a1abca8240dff1f3556beec5ed0ea119d581e9daae2ab51d0f3aab56895c9bfb
SSDEEP

98304:+R0pI/IQlUoMPdmpSpu4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmx5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3896	devbodsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvKR\\devbodsys.exe"	10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB1V\\dobxec.exe"	10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2492	10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0.exe
2492	10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0.exe
2492	10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0.exe
2492	10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0.exe
3896	devbodsys.exe
3896	devbodsys.exe
2492	10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0.exe
2492	10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0.exe
3896	devbodsys.exe
3896	devbodsys.exe
2492	10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0.exe
2492	10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0.exe
3896	devbodsys.exe
3896	devbodsys.exe
2492	10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0.exe
2492	10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0.exe
3896	devbodsys.exe
3896	devbodsys.exe
2492	10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0.exe
2492	10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0.exe
3896	devbodsys.exe
3896	devbodsys.exe
2492	10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0.exe
2492	10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0.exe
3896	devbodsys.exe
3896	devbodsys.exe
2492	10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0.exe
2492	10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0.exe
3896	devbodsys.exe
3896	devbodsys.exe
2492	10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0.exe
2492	10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0.exe
3896	devbodsys.exe
3896	devbodsys.exe
2492	10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0.exe
2492	10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0.exe
3896	devbodsys.exe
3896	devbodsys.exe
2492	10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0.exe
2492	10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0.exe
3896	devbodsys.exe
3896	devbodsys.exe
2492	10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0.exe
2492	10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0.exe
3896	devbodsys.exe
3896	devbodsys.exe
2492	10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0.exe
2492	10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0.exe
3896	devbodsys.exe
3896	devbodsys.exe
2492	10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0.exe
2492	10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0.exe
3896	devbodsys.exe
3896	devbodsys.exe
2492	10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0.exe
2492	10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0.exe
3896	devbodsys.exe
3896	devbodsys.exe
2492	10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0.exe
2492	10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0.exe
3896	devbodsys.exe
3896	devbodsys.exe
2492	10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0.exe
2492	10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 3896	2492	10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0.exe	89
PID 2492 wrote to memory of 3896	2492	10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0.exe	89
PID 2492 wrote to memory of 3896	2492	10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0.exe	89

C:\Users\Admin\AppData\Local\Temp\10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0.exe
"C:\Users\Admin\AppData\Local\Temp\10972bce149ef9540057477d5bd0a34ede1558178c8536c48fdfd94304adb5a0.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2492
- C:\SysDrvKR\devbodsys.exe
  C:\SysDrvKR\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVB1V\dobxec.exe

Filesize
1.5MB

MD5
d667136db1957c8f324eb298217ab1d5

SHA1
0b0d3a4000a43f62f628b24c6baee46c00b6b9c4

SHA256
5da23652ec52db4976b0aeec2e511e8a92ff8a4099598e2a7466f04246d47b94

SHA512
803b7ecba5f467fa62d166c1e32b5b14466c9934f0803836b4f077aacb8901d04ddd8b7d2f53df0b1e2c34ceb2be95b2b3a843b51d65c186193ea52e515a9f5a

Download Submit
C:\SysDrvKR\devbodsys.exe

Filesize
4.1MB

MD5
e0a9f66fb947b294fb92ba2c86e2f12e

SHA1
0ba77b108a88fee46fae5dd5a957c8e84b5fc65d

SHA256
54dda2f5bdab03c3e8336612624835a88b34ae029bfe8de0d9926d2149aa47c5

SHA512
94badfc40fd87afa209f1f3b0925bf08f35aa0a13260acbc4eaf10c151980c8ea8f12d328dd20a9ab90c17a9db19aa21a74e10209980cc17fd6a141b92c09f72

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
e805f73e59a75519ee18c949b758a916

SHA1
85fdddb2db532add6e7ee59206acd90765c96693

SHA256
c5a4861b768c9ba6c4cc8c6629b2142148ce78be70305b4ca7d7c279a689a7a9

SHA512
a631a9d75913af13732f8d59b22204b89bcbdbc2d7f71e5064fb9533154bb24f43a74e1f5d040bb7b7460443c0208000272a09ac629c1c2e869554712619e058

Download Submit