fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
09-06-2024 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe
Size

4.1MB
MD5

9357858421c801345aaf9d153aceab3e
SHA1

bb8f6ce3b9bc22fb0659d7b2102f02fc7b37bf62
SHA256

fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7
SHA512

13525c30e4748caeda15bca7c34a0bf3cf5dc945fa567faa70ec55e409e30b1cd9b52f4eeb8f1c47a94bb03ce0335edf05c8c4599c7645a159c46d550f939564
SSDEEP

98304:+R0pI/IQlUoMPdmpSpD4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdm45n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1912	devdobec.exe

Loads dropped DLL 1 IoCs

pid	Process
1688	fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeU4\\devdobec.exe"	fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidBH\\dobdevec.exe"	fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1688	fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe
1688	fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe
1912	devdobec.exe
1688	fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe
1912	devdobec.exe
1688	fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe
1912	devdobec.exe
1688	fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe
1912	devdobec.exe
1688	fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe
1912	devdobec.exe
1688	fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe
1912	devdobec.exe
1688	fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe
1912	devdobec.exe
1688	fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe
1912	devdobec.exe
1688	fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe
1912	devdobec.exe
1688	fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe
1912	devdobec.exe
1688	fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe
1912	devdobec.exe
1688	fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe
1912	devdobec.exe
1688	fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe
1912	devdobec.exe
1688	fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe
1912	devdobec.exe
1688	fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe
1912	devdobec.exe
1688	fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe
1912	devdobec.exe
1688	fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe
1912	devdobec.exe
1688	fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe
1912	devdobec.exe
1688	fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe
1912	devdobec.exe
1688	fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe
1912	devdobec.exe
1688	fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe
1912	devdobec.exe
1688	fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe
1912	devdobec.exe
1688	fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe
1912	devdobec.exe
1688	fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe
1912	devdobec.exe
1688	fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe
1912	devdobec.exe
1688	fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe
1912	devdobec.exe
1688	fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe
1912	devdobec.exe
1688	fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe
1912	devdobec.exe
1688	fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe
1912	devdobec.exe
1688	fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe
1912	devdobec.exe
1688	fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe
1912	devdobec.exe
1688	fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 1912	1688	fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe	28
PID 1688 wrote to memory of 1912	1688	fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe	28
PID 1688 wrote to memory of 1912	1688	fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe	28
PID 1688 wrote to memory of 1912	1688	fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe	28

C:\Users\Admin\AppData\Local\Temp\fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe
"C:\Users\Admin\AppData\Local\Temp\fbcaab162e6bc3a137b065a37434ac2f75f0c2d2165956b5788296a682f83ff7.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1688
- C:\AdobeU4\devdobec.exe
  C:\AdobeU4\devdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeU4\devdobec.exe

Filesize
4.1MB

MD5
a6e7b026cb384f0677c20d3d2feefb8a

SHA1
40a938c316613fae875aa9b9e63e01e6816841ff

SHA256
d5d24027605b0bb840092d3fef6e4fafbbc04c41c791790b9b54836ba934c02b

SHA512
49eef00d590bdadaac0945cda5856c71de328616d2534a4f8e9f3a24fea1cdd852fc0bff916bdef8a655309d7c7d6d9122fdb53f6c4f5f910bcf42978590df19

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
5ec57dfed92d56c40a4c07369c4eedc1

SHA1
35f3f7b01d8ea9e09b6c8e212b5f74b8a6ff95b1

SHA256
f327b5ed27c9a9875a9979628ef990218a7fc84a1369d7cb47d3da35f771b6b5

SHA512
9c945b4261d52727dc2c391e5057f8279beb2ec414c6bd53cf918525c24cc5e85ab8c447b3f2ae8a40bcc0891c8d8df97c8cc3a4f6afcce97deadb14999d98f4

Download Submit
C:\VidBH\dobdevec.exe

Filesize
4.1MB

MD5
85d6178cfadfa89b0bea0c47c5343a4c

SHA1
eb2f59f6e4c9e0f98dbd9ad9079bd7a7d6fceab0

SHA256
ba206c20c45e7289b4b6e66c797b63a6203bd875b07e6eacd1012325dbbfe3eb

SHA512
0904dd11424b6e97657b25ff9322d99b5986f1f8702092bcaa3894ea0809191fa8c5eba40667268e947677c9e59dc7e30db73c2ba898e1b4e922f61f43ff220c

Download Submit