36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/06/2024, 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
Size

2.7MB
MD5

d2596e75b23c4fe6e7e414e05d9f899b
SHA1

d7def34d76a3bda8104dc227f9df03b2d60e02ff
SHA256

36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865
SHA512

a56b04319e03d917cf0a1950c7675eb95d46056253dfa3fef28c1215d2132d2cd82fe7fab04a2fe9aa87fca9a2ae659b0db9c8c53cb1490999d6a2ed151bbb7f
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBU9w4Sx:+R0pI/IQlUoMPdmpSpq4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2552	devdobloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2896	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocNU\\devdobloc.exe"	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidM6\\bodxec.exe"	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2896	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
2896	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
2552	devdobloc.exe
2896	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
2552	devdobloc.exe
2896	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
2552	devdobloc.exe
2896	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
2552	devdobloc.exe
2896	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
2552	devdobloc.exe
2896	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
2552	devdobloc.exe
2896	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
2552	devdobloc.exe
2896	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
2552	devdobloc.exe
2896	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
2552	devdobloc.exe
2896	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
2552	devdobloc.exe
2896	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
2552	devdobloc.exe
2896	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
2552	devdobloc.exe
2896	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
2552	devdobloc.exe
2896	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
2552	devdobloc.exe
2896	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
2552	devdobloc.exe
2896	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
2552	devdobloc.exe
2896	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
2552	devdobloc.exe
2896	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
2552	devdobloc.exe
2896	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
2552	devdobloc.exe
2896	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
2552	devdobloc.exe
2896	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
2552	devdobloc.exe
2896	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
2552	devdobloc.exe
2896	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
2552	devdobloc.exe
2896	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
2552	devdobloc.exe
2896	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
2552	devdobloc.exe
2896	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
2552	devdobloc.exe
2896	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
2552	devdobloc.exe
2896	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
2552	devdobloc.exe
2896	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
2552	devdobloc.exe
2896	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
2552	devdobloc.exe
2896	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
2552	devdobloc.exe
2896	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2552	2896	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe	28
PID 2896 wrote to memory of 2552	2896	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe	28
PID 2896 wrote to memory of 2552	2896	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe	28
PID 2896 wrote to memory of 2552	2896	36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe	28

C:\Users\Admin\AppData\Local\Temp\36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe
"C:\Users\Admin\AppData\Local\Temp\36bc68f3349ea83401a4209425d509a8feacd4c0e26a3bc3263c1ede2c230865.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2896
- C:\IntelprocNU\devdobloc.exe
  C:\IntelprocNU\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
03b7f7523be352095159d82364645a6c

SHA1
edd82a1cc21202522ffd67ba1555b69113b35a3a

SHA256
9adc10b0d3b856206071e08a1b8b4513bbf6e1c3853a59dca6b143a29b9da53f

SHA512
4a1a84c40e0183552c1a3b1b63327ba8e51d5965c3ed025fc02280729f7a908ac057ae631e32201eea0098920b4c1d1c1681205d76aaec605a5c50bb790ab3f2

Download Submit
C:\VidM6\bodxec.exe

Filesize
221KB

MD5
008877e416d98e561c3393ed5fef3b1e

SHA1
324f2acdb57536a57329b2851eb96cb60c8b1d94

SHA256
828e61065242ca2fba059aab63c84ec224d7a7315c80342c9d576a21016f4cba

SHA512
4181fd0bd509471650551cc0e93ca02318bfadd7341bbeae3a748e20cc0c6d1cb8ba86bb36ba339eb0eeb75e7abc6644d63340fbfd37ff8336fa492b058259ea

Download Submit
\IntelprocNU\devdobloc.exe

Filesize
2.7MB

MD5
cdf9028bbebd57c2e8e647fdd2aaf610

SHA1
dd8bb0f6ce1cf3bbe5d3a9bb298552e0f750c423

SHA256
ca260927b6b3cd4a749db04b13ae932a93473ac54ea0908ad4800678ada5dd02

SHA512
b1b8d9744551afb11373b7f7585fe7383171b4e106ca47aca69e644564c84eadf7e032ada2ae4dbd2cd7434f595c65e54bd978be63ed6b3a0a2050a8edb88cfd

Download Submit