f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/06/2024, 08:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe
Size

4.1MB
MD5

7d6039e13f707c1588c82057f2d52dc8
SHA1

26f229c1ba526db9e480871ad64312b20298618c
SHA256

f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78
SHA512

a7cea438b05351ce525a743111ed2f87ca135d56b64c6ab88b1c89886be4f1a77620e9711faedabab362c22aecd73d2612fcab496b776406f2f30f2ac4d8c20f
SSDEEP

98304:+R0pI/IQlUoMPdmpSpy4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmd5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2940	devbodloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2320	f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZK3\\dobdevec.exe"	f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotN4\\devbodloc.exe"	f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2320	f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe
2320	f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe
2940	devbodloc.exe
2320	f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe
2940	devbodloc.exe
2320	f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe
2940	devbodloc.exe
2320	f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe
2940	devbodloc.exe
2320	f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe
2940	devbodloc.exe
2320	f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe
2940	devbodloc.exe
2320	f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe
2940	devbodloc.exe
2320	f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe
2940	devbodloc.exe
2320	f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe
2940	devbodloc.exe
2320	f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe
2940	devbodloc.exe
2320	f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe
2940	devbodloc.exe
2320	f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe
2940	devbodloc.exe
2320	f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe
2940	devbodloc.exe
2320	f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe
2940	devbodloc.exe
2320	f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe
2940	devbodloc.exe
2320	f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe
2940	devbodloc.exe
2320	f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe
2940	devbodloc.exe
2320	f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe
2940	devbodloc.exe
2320	f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe
2940	devbodloc.exe
2320	f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe
2940	devbodloc.exe
2320	f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe
2940	devbodloc.exe
2320	f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe
2940	devbodloc.exe
2320	f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe
2940	devbodloc.exe
2320	f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe
2940	devbodloc.exe
2320	f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe
2940	devbodloc.exe
2320	f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe
2940	devbodloc.exe
2320	f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe
2940	devbodloc.exe
2320	f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe
2940	devbodloc.exe
2320	f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe
2940	devbodloc.exe
2320	f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe
2940	devbodloc.exe
2320	f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe
2940	devbodloc.exe
2320	f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2940	2320	f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe	28
PID 2320 wrote to memory of 2940	2320	f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe	28
PID 2320 wrote to memory of 2940	2320	f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe	28
PID 2320 wrote to memory of 2940	2320	f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe	28

C:\Users\Admin\AppData\Local\Temp\f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe
"C:\Users\Admin\AppData\Local\Temp\f49f1b838e4e6d8c9a885350148d5be4370a586a4b1a3618679edb7afdda7e78.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2320
- C:\UserDotN4\devbodloc.exe
  C:\UserDotN4\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZK3\dobdevec.exe

Filesize
4.1MB

MD5
a895c6e3736b7230a25b372055b899f8

SHA1
f32ecf3292720ed34c5f508adbd13850933a7d2a

SHA256
176905db03b3b1e437776c2e21e8a1a7595f2d23cde9adc0265bd3faec232309

SHA512
669696be7fce8e81b1cd5c2066a5541eac258aee5fc20f0c48682e1afb4dcec8442c87d0c31dd0405988c74f93f3bbaae53a08ddc5f8ef7c563fcb9250ee06ec

Download Submit
C:\UserDotN4\devbodloc.exe

Filesize
4.1MB

MD5
edbb00d36eb8f02ef6ea8b04c29ac9f9

SHA1
e105c1a36f7bd96d6341f31fbb14c75e93a18dff

SHA256
469d1d6578e9dc45169f72646e7ef2ad0ac6457c780970648fd64a66fa2302dc

SHA512
c1322647bb1274712082057189afbe89bae699568a885c616cc1dd51afdf6242af45338d756115b1c6bf89609a41ff476b61b2ac7d7764e5dc80380c72a9ad05

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
5baac261859355822028bacd9d79b5db

SHA1
52d07f53c5c0909bb83761d39adae7b65686da46

SHA256
fa096e009bd71c4642217272eeaaf85012f83ecb5c784c2c0e9021ab9905b774

SHA512
03dd216ec305585317049916f338b4af28386ba39370c3d2be30c561d9dfacd5619175e472d8860a38008ff0d179b6fa6cb430cd8f2915060657dfb5e6a173f4

Download Submit