c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10/06/2024, 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509.exe
Size

4.1MB
MD5

55d32bce72fcd5ca66df52a88979f58b
SHA1

3151c43d4f27b7e36ab56e86d1cbb9dc01897b75
SHA256

c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509
SHA512

489ee22ab7edd82c2a2b9e0390baf78722cf3c0ce49ede80ea42291a881a462a9f2827828a2f0652c2e80ad1168e5cbfb24e79a9996f71e2d9479bd32bba1be5
SSDEEP

98304:+R0pI/IQlUoMPdmpSpo4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdm/5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2132	devdobloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocJK\\devdobloc.exe"	c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid6I\\dobdevloc.exe"	c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3960	c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509.exe
3960	c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509.exe
3960	c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509.exe
3960	c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509.exe
2132	devdobloc.exe
2132	devdobloc.exe
3960	c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509.exe
3960	c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509.exe
2132	devdobloc.exe
2132	devdobloc.exe
3960	c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509.exe
3960	c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509.exe
2132	devdobloc.exe
2132	devdobloc.exe
3960	c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509.exe
3960	c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509.exe
2132	devdobloc.exe
2132	devdobloc.exe
3960	c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509.exe
3960	c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509.exe
2132	devdobloc.exe
2132	devdobloc.exe
3960	c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509.exe
3960	c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509.exe
2132	devdobloc.exe
2132	devdobloc.exe
3960	c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509.exe
3960	c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509.exe
2132	devdobloc.exe
2132	devdobloc.exe
3960	c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509.exe
3960	c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509.exe
2132	devdobloc.exe
2132	devdobloc.exe
3960	c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509.exe
3960	c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509.exe
2132	devdobloc.exe
2132	devdobloc.exe
3960	c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509.exe
3960	c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509.exe
2132	devdobloc.exe
2132	devdobloc.exe
3960	c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509.exe
3960	c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509.exe
2132	devdobloc.exe
2132	devdobloc.exe
3960	c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509.exe
3960	c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509.exe
2132	devdobloc.exe
2132	devdobloc.exe
3960	c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509.exe
3960	c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509.exe
2132	devdobloc.exe
2132	devdobloc.exe
3960	c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509.exe
3960	c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509.exe
2132	devdobloc.exe
2132	devdobloc.exe
3960	c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509.exe
3960	c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509.exe
2132	devdobloc.exe
2132	devdobloc.exe
3960	c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509.exe
3960	c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3960 wrote to memory of 2132	3960	c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509.exe	82
PID 3960 wrote to memory of 2132	3960	c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509.exe	82
PID 3960 wrote to memory of 2132	3960	c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509.exe	82

C:\Users\Admin\AppData\Local\Temp\c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509.exe
"C:\Users\Admin\AppData\Local\Temp\c35f359a711ac724e0e7743889f27b7c60d701746c9b057795fe037adb60e509.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3960
- C:\IntelprocJK\devdobloc.exe
  C:\IntelprocJK\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocJK\devdobloc.exe

Filesize
4.1MB

MD5
ff6e6b70da58ffc1d9219fc27fb9c3d3

SHA1
5d5f2341cb37f71ac78c27aa8f5e3a62f642354a

SHA256
46993e86646b9ac0cad40cdc16ca9280eea91f780e7c58a873eb46400fe5c257

SHA512
1c407d5b526cd6293ccdbc9ab9eb53c6ba2ce9e71ff4a79af5871f79b6d5e886627cebfb610e443d87c4eb2ff02f964325b7c76f0e59c2179b97f3370dea5e0a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
207B

MD5
a9e922fe8bfca093dc7b40a1f7c6a640

SHA1
0b8f25f1326e9f5d0fb2f4c960eec13b4ab7a580

SHA256
93d6b373b95bb4c82f0726ef1626b5be72c23f73e1521704ce316862d7bbf748

SHA512
80a14132d5964b3433b20c346f7627e1ad6ed3969d615d5bcde1e8fe525be547735bbcf2ef9cf8d1259b55e99abec9573fc26d4cfaffdc60032fa979ff697043

Download Submit
C:\Vid6I\dobdevloc.exe

Filesize
15KB

MD5
022db4caa078243a65481a252bdaf382

SHA1
08243b787567a75233c4afe3287681d972636a18

SHA256
360ffc2beeb5f5783310c71f4ff6f223c6e8eb6fe9b65338c693b21f6cce1f3e

SHA512
1e03f722dde3921c04fb7671a5bc5867dc2496048c58d7bbe4113fbd8eccaa8b1b1538f703c8a684c3ed57ffe5bb917230a1778ae1300fb10f7d35d4324a0238

Download Submit