372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
08-06-2024 21:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe
Size

4.1MB
MD5

6c4a143a3f5bf4fe757caaf2f956a487
SHA1

24a9c1e16e014ea66ef74799e6306023eb814d94
SHA256

372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445
SHA512

858aaa1c2f97dfabe231c62d23704bb3b542cf82e90d5cb724a5e683c89dd5b568db6fbaa08c1119ad13d14a27b4fa6869cb4c7c0d7928fd0602b130f226830d
SSDEEP

98304:+R0pI/IQlUoMPdmpSpw4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmT5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2736	devdobloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2316	372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidR6\\bodxsys.exe"	372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesB8\\devdobloc.exe"	372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2316	372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe
2316	372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe
2736	devdobloc.exe
2316	372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe
2736	devdobloc.exe
2316	372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe
2736	devdobloc.exe
2316	372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe
2736	devdobloc.exe
2316	372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe
2736	devdobloc.exe
2316	372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe
2736	devdobloc.exe
2316	372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe
2736	devdobloc.exe
2316	372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe
2736	devdobloc.exe
2316	372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe
2736	devdobloc.exe
2316	372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe
2736	devdobloc.exe
2316	372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe
2736	devdobloc.exe
2316	372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe
2736	devdobloc.exe
2316	372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe
2736	devdobloc.exe
2316	372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe
2736	devdobloc.exe
2316	372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe
2736	devdobloc.exe
2316	372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe
2736	devdobloc.exe
2316	372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe
2736	devdobloc.exe
2316	372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe
2736	devdobloc.exe
2316	372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe
2736	devdobloc.exe
2316	372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe
2736	devdobloc.exe
2316	372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe
2736	devdobloc.exe
2316	372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe
2736	devdobloc.exe
2316	372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe
2736	devdobloc.exe
2316	372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe
2736	devdobloc.exe
2316	372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe
2736	devdobloc.exe
2316	372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe
2736	devdobloc.exe
2316	372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe
2736	devdobloc.exe
2316	372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe
2736	devdobloc.exe
2316	372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe
2736	devdobloc.exe
2316	372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe
2736	devdobloc.exe
2316	372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe
2736	devdobloc.exe
2316	372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2736	2316	372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe	28
PID 2316 wrote to memory of 2736	2316	372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe	28
PID 2316 wrote to memory of 2736	2316	372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe	28
PID 2316 wrote to memory of 2736	2316	372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe	28

C:\Users\Admin\AppData\Local\Temp\372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe
"C:\Users\Admin\AppData\Local\Temp\372fb266dba02a604bdfca647503dd55d524e76d5c61181a933fc44f34c3d445.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2316
- C:\FilesB8\devdobloc.exe
  C:\FilesB8\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesB8\devdobloc.exe

Filesize
2.8MB

MD5
38a203b0bdbd3ba161f7346b3963a3db

SHA1
eb52b14d41ec88ea6bf9a7baa1258b49f7679dd3

SHA256
368b12d94e8c356c39f0d6ec595622483e91f182c0ada580f18191fd24a34132

SHA512
e2076207f5ad6ab2965fd2d8549f3564c806ca3bb2cf4c5d6fe052d65da998e2cdbafc2bdddb656ef7dbfe81b52ec2f7b5f43fa13d04e83ba2674661863112ec

Download Submit
C:\FilesB8\devdobloc.exe

Filesize
2.0MB

MD5
3139cf394298dfdf1636c64f7d1e9f93

SHA1
c7df87683f20801ea2b9a76ef81f90db905a0e53

SHA256
0ffdb99d32a806f0422e005e34945e5d6674b577745e1915ba2fcd76d19bef60

SHA512
2d98f7692b708c7944207aa1403d62bc7c31d68289f4ddc056d3b88f8f6e6bf6df13b0cbdc820584055487078dd2f3e27c34c1d35556f7c83d1a98c133040e6f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
770fa4adc2efc12730144ead18396584

SHA1
3982476cfecb7a16f68a555bd259855e77654dfb

SHA256
a4289588239dfecb2a4c442e2baa6bac5cc7e88fd3e028d743f6099cfead36e8

SHA512
d9f60b56e37b815034731278972a4b2aac5d593ce913d29d9c516fed2d6d1bd2c5a775a0039e86efdb124f328a2d75998c61a8c6a542b3c3dadc47a8abf5ac18

Download Submit
C:\VidR6\bodxsys.exe

Filesize
1.1MB

MD5
18d209afe7e84138c6e421e7c6fb3378

SHA1
1c2f9d2877f50cae5fba62d51a078586151fb97c

SHA256
553f24bfa8af8482c907f0fa6b6f38856e4cfca536e55bccdc11b7a648a59bfc

SHA512
85ff02a34885cb28edf2f1613336d72ecd02361dfdcacdc2fe673f51badfe054689c30b0b74f9acccb43c408fff9a121bb7b7771f710a1e08514ba0c2c7f1183

Download Submit
C:\VidR6\bodxsys.exe

Filesize
2.1MB

MD5
e714ccf61156b910df6f3ada7a02140d

SHA1
552b34f5e6e1e2ba50731018ab2be15474b9c7cd

SHA256
d4f81401cb9a2c8501ace18ac2b63727fa32af4323db27f609d46801d09146b0

SHA512
6afb6c35e8f6d8d4c3953680677df2542111cce2abd399b255c0ec2154e21e3d99619ca663171f35a3d700b08a7680b0f8c94eb013120ee4f11d7518a8faca3a

Download Submit
\FilesB8\devdobloc.exe

Filesize
2.1MB

MD5
7816bf033be0293246c6d773af9a14fa

SHA1
249e71ac88f766ffbefd67606b8367b16f0b7654

SHA256
e95f030e92dece603bc327c21be21cdbb57d913265a326c19715456440e3a803

SHA512
e7c324b1c8b0910dbc71f42adb32251829436d2114bf70fba7a987757a4d42b27c2537414f64aa4c0ae14e29af3f826bf3c33cb6fea3c2e6a4fa51aca0065dd4

Download Submit