f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
05/06/2024, 05:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
Size

3.1MB
MD5

3e4e96e2d5e0f1544b85afe1a138ad74
SHA1

4710270e170afbfe822aa635aa62f8a75abab153
SHA256

f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6
SHA512

2d186cace7ab782e850a4247c283f2877850992cf34fe380c445733e394ec0e02a309e481d8cd274130844fb87062dad18369ffb22431d778b88a9c07fb2711c
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBq9w4Su+LNfej:+R0pI/IQlUoMPdmpSpc4JkNfej

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3056	devdobloc.exe

Loads dropped DLL 1 IoCs

pid	Process
1620	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotI5\\devdobloc.exe"	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZWW\\dobxsys.exe"	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1620	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
1620	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
3056	devdobloc.exe
1620	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
3056	devdobloc.exe
1620	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
3056	devdobloc.exe
1620	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
3056	devdobloc.exe
1620	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
3056	devdobloc.exe
1620	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
3056	devdobloc.exe
1620	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
3056	devdobloc.exe
1620	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
3056	devdobloc.exe
1620	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
3056	devdobloc.exe
1620	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
3056	devdobloc.exe
1620	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
3056	devdobloc.exe
1620	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
3056	devdobloc.exe
1620	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
3056	devdobloc.exe
1620	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
3056	devdobloc.exe
1620	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
3056	devdobloc.exe
1620	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
3056	devdobloc.exe
1620	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
3056	devdobloc.exe
1620	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
3056	devdobloc.exe
1620	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
3056	devdobloc.exe
1620	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
3056	devdobloc.exe
1620	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
3056	devdobloc.exe
1620	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
3056	devdobloc.exe
1620	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
3056	devdobloc.exe
1620	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
3056	devdobloc.exe
1620	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
3056	devdobloc.exe
1620	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
3056	devdobloc.exe
1620	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
3056	devdobloc.exe
1620	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
3056	devdobloc.exe
1620	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
3056	devdobloc.exe
1620	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
3056	devdobloc.exe
1620	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
3056	devdobloc.exe
1620	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 3056	1620	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe	28
PID 1620 wrote to memory of 3056	1620	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe	28
PID 1620 wrote to memory of 3056	1620	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe	28
PID 1620 wrote to memory of 3056	1620	f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe	28

C:\Users\Admin\AppData\Local\Temp\f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe
"C:\Users\Admin\AppData\Local\Temp\f1a708d5ebfe4fd138bd1d1976caa0fba00a26f195375e08f26418572bc7c5d6.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1620
- C:\UserDotI5\devdobloc.exe
  C:\UserDotI5\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZWW\dobxsys.exe

Filesize
3.1MB

MD5
1c333c493a2d4f4ccfa5a2662022afd9

SHA1
94592e4e0be73b7df820225e2f26064696d194a8

SHA256
b96981d3f03026950daf2966a9aa1336c2d16f5242a5985d422b22329aa5bdac

SHA512
8023f84360348ad3ba8e3b29c1ff1494b874b5fef9329cf9b13148baec813b6aee1e0da6bbf1ec0fc12f303ff6e9a4b97c01aff5735d52f3de451f5e59c29758

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
3f633aa2355ea26a6f80d46de7722d08

SHA1
90c0520a3b1073e1f9500f9e274e46de3bd094c1

SHA256
83ee46a662cee86e1bb3dab39917bc467e5fc88acc109ddeef78bd8bdfa9ce62

SHA512
6bc5dc0fa6e19a6c3f3a492a51ae5d07b85fb0ea42961c47ae99e031de04e27f0d53eea8001236299e4e45619d1a205179bfcde553a5affc0f6cf2335d546b62

Download Submit
\UserDotI5\devdobloc.exe

Filesize
3.1MB

MD5
f7b2fcdd9d85f8c2c7389802a77576e6

SHA1
cc5ceafd545ef48c7df2d4cc7ac7ec1af57d3c14

SHA256
94725c52aef4457780fa794ad1d4dba577b42007f59b6742c594d43f9f18ae02

SHA512
f795a157fc43aa5841f68f712669567a0cb08bfac2b45cd6232d9a81258329f48199639d75d859012cf58a28d02734440aa3a2ad4436cff853e246767eba9443

Download Submit