5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240708-en
resource tags

arch:x64arch:x86image:win10v2004-20240708-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
Size

3.1MB
MD5

925b22dc1a576ed35fc28c4eca27e4c9
SHA1

965928dfbe59b6f56dcbb337dafc624fcbacfb25
SHA256

5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a
SHA512

b70578bf8592ebc764881c10cc2fb60d3440dadc00e99d501855fa9e15f521d6d437da54891ce0a506a904d060fad87d03fcd07ce9a3f875818783eb2e637485
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB39w4Su+LNfej:+R0pI/IQlUoMPdmpSpD4JkNfej

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3432	devdobec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesBW\\devdobec.exe"	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxGK\\dobdevec.exe"	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4244	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
4244	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
4244	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
4244	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
3432	devdobec.exe
3432	devdobec.exe
4244	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
4244	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
3432	devdobec.exe
3432	devdobec.exe
4244	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
4244	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
3432	devdobec.exe
3432	devdobec.exe
4244	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
4244	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
3432	devdobec.exe
3432	devdobec.exe
4244	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
4244	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
3432	devdobec.exe
3432	devdobec.exe
4244	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
4244	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
3432	devdobec.exe
3432	devdobec.exe
4244	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
4244	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
3432	devdobec.exe
3432	devdobec.exe
4244	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
4244	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
3432	devdobec.exe
3432	devdobec.exe
4244	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
4244	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
3432	devdobec.exe
3432	devdobec.exe
4244	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
4244	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
3432	devdobec.exe
3432	devdobec.exe
4244	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
4244	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
3432	devdobec.exe
3432	devdobec.exe
4244	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
4244	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
3432	devdobec.exe
3432	devdobec.exe
4244	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
4244	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
3432	devdobec.exe
3432	devdobec.exe
4244	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
4244	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
3432	devdobec.exe
3432	devdobec.exe
4244	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
4244	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
3432	devdobec.exe
3432	devdobec.exe
4244	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
4244	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 3432	4244	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe	83
PID 4244 wrote to memory of 3432	4244	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe	83
PID 4244 wrote to memory of 3432	4244	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe	83

C:\Users\Admin\AppData\Local\Temp\5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
"C:\Users\Admin\AppData\Local\Temp\5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4244
- C:\FilesBW\devdobec.exe
  C:\FilesBW\devdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesBW\devdobec.exe

Filesize
3.1MB

MD5
071df18294c80e8ace650e28a1925745

SHA1
52dc59afe7ccacdb22dbb1e7ecb7c19509566635

SHA256
9d889e601066357af4681fb19f3b497bc764144546bb4753cb1f2e06ae867ae5

SHA512
899122376e235b1178918d1bd6677e9645658e70b5a12c4231c77ff574f4390e8c5bfc97f4b77092a7b9f4089a5174d977b0fc44ae3f5b96516dce53b6784be8

Download Submit
C:\GalaxGK\dobdevec.exe

Filesize
3.1MB

MD5
cd56fdb974bce3bfb50e102e536e222f

SHA1
6c6edf5213722dde52ab2019c88d2678b8f6727a

SHA256
0b5c801351bdbf9a761ecdb64d8c5c2c699bb5e65a9b49c1786963c2fb8c9fcc

SHA512
65e1c5faac3914d27c937c4cf8367c7db5876d26c28eddf74d1dea5a18e10a76698d2b07f4b98b857d02d4c4db567eec41968ff0af4ab060f77effebf7e26967

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
896348809cc686c3a052af49023ceec4

SHA1
308e2fa66ef8cdc7d7ba02dfb436afba3ed3622e

SHA256
66c839c6f082516205dc4535b3bd718e9dbb996d2665475fc183e91018324f3a

SHA512
175d8beb982dbe1578000ec1fa39f8e8205e7750c3ec9de6d2e95961d2a34c81cfce2f2aab06f39f8b1d17a80a70ac197779e1bad20bdb03de569d9ab92d021d

Download Submit