dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-06-2024 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe
Size

4.1MB
MD5

d0d18fdba6a157dc7208b559df828380
SHA1

b79fc2a12c391d26f032ef97a006d95dda37ed58
SHA256

dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb
SHA512

4a98e7d691a10e3a7f88cde9430d07ce12232de330b6c2d32d3b8c79994f0a6cf35018b49a79848e44aafe83cb83484e153ab0c8af0413c4244be1a9e0b34a78
SSDEEP

98304:+R0pI/IQlUoMPdmpSp04ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmn5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1740	devbodsys.exe

Loads dropped DLL 1 IoCs

pid	Process
2188	dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotSL\\devbodsys.exe"	dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB4F\\dobdevec.exe"	dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2188	dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe
2188	dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe
1740	devbodsys.exe
2188	dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe
1740	devbodsys.exe
2188	dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe
1740	devbodsys.exe
2188	dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe
1740	devbodsys.exe
2188	dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe
1740	devbodsys.exe
2188	dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe
1740	devbodsys.exe
2188	dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe
1740	devbodsys.exe
2188	dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe
1740	devbodsys.exe
2188	dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe
1740	devbodsys.exe
2188	dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe
1740	devbodsys.exe
2188	dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe
1740	devbodsys.exe
2188	dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe
1740	devbodsys.exe
2188	dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe
1740	devbodsys.exe
2188	dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe
1740	devbodsys.exe
2188	dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe
1740	devbodsys.exe
2188	dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe
1740	devbodsys.exe
2188	dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe
1740	devbodsys.exe
2188	dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe
1740	devbodsys.exe
2188	dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe
1740	devbodsys.exe
2188	dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe
1740	devbodsys.exe
2188	dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe
1740	devbodsys.exe
2188	dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe
1740	devbodsys.exe
2188	dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe
1740	devbodsys.exe
2188	dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe
1740	devbodsys.exe
2188	dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe
1740	devbodsys.exe
2188	dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe
1740	devbodsys.exe
2188	dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe
1740	devbodsys.exe
2188	dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe
1740	devbodsys.exe
2188	dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe
1740	devbodsys.exe
2188	dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe
1740	devbodsys.exe
2188	dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe
1740	devbodsys.exe
2188	dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 1740	2188	dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe	28
PID 2188 wrote to memory of 1740	2188	dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe	28
PID 2188 wrote to memory of 1740	2188	dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe	28
PID 2188 wrote to memory of 1740	2188	dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe	28

C:\Users\Admin\AppData\Local\Temp\dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe
"C:\Users\Admin\AppData\Local\Temp\dbc926c654e91f3d910423ddaf33a06d72a5fa66d4e13886df05812bb40539fb.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2188
- C:\UserDotSL\devbodsys.exe
  C:\UserDotSL\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVB4F\dobdevec.exe

Filesize
4.1MB

MD5
e21dededc72edbe3959f47305cec275d

SHA1
e743bce6c4512a4acfe566553aefcfd5141dc7c5

SHA256
1f7fc1094e40fc80674e1fbe7474880b7051cee672a9b8c677faf48c995e0ade

SHA512
ae75193c594677e8ec5d29826a2071c86ae2470b7852cda6af51b19142348bd0bd7dc97e60ead8bee0434853702ab99a8c600f50897ec96dae05e16e318d92ee

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
88957c2328ea277a1f2662dc45bf4933

SHA1
bb7e4441732af9dd8997b39002d82aed2a20d6cf

SHA256
9f10885faa37172c519797cb38e9aed2482716d442a42083ea8d9ebce038765f

SHA512
6d82065c3723bafe66c62169fdda851c338dd5c88f2b43cb88e882321a52dc1b5cd9338d39a48e48650f8b4eb0bf16a30555b630a5be1e8f72c1610c4a8ef239

Download Submit
\UserDotSL\devbodsys.exe

Filesize
4.1MB

MD5
c112233127bb5ec973d01db6b7f9659f

SHA1
3a8c2bce7912ed810b0d547f8b8b042781dcfc2e

SHA256
109937e28b52b1868fa82e26ea6b656fa190057969247a6475e59b9d1c681a7f

SHA512
8dc1837f7fc0d3d1b070d8ec937936385baad854b94d353ed4742fb659e257f1fa135076990175bcbf1804fddc29613257a328400af745799a0ac16cf4158004

Download Submit