1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34.exe
Size

2.7MB
MD5

56c964bdb4d839f294a24f9f0e032b93
SHA1

faf9f75e088f0876226b4ff1dc70f6da6d8cbc10
SHA256

1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34
SHA512

22605e6203cbe6dcd95d0229c66ffd748a841994826f6c2f897e6c4883b53a7c9c4b7dc1ff7f8fda85cf76b954b80e5a1bec3e63f6b358ff4c53746c926fb4cf
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBH9w4Sx:+R0pI/IQlUoMPdmpSpD4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1904	devdobloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeTS\\devdobloc.exe"	1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintNJ\\dobaec.exe"	1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4528	1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34.exe
4528	1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34.exe
4528	1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34.exe
4528	1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34.exe
1904	devdobloc.exe
1904	devdobloc.exe
4528	1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34.exe
4528	1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34.exe
1904	devdobloc.exe
1904	devdobloc.exe
4528	1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34.exe
4528	1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34.exe
1904	devdobloc.exe
1904	devdobloc.exe
4528	1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34.exe
4528	1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34.exe
1904	devdobloc.exe
1904	devdobloc.exe
4528	1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34.exe
4528	1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34.exe
1904	devdobloc.exe
1904	devdobloc.exe
4528	1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34.exe
4528	1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34.exe
1904	devdobloc.exe
1904	devdobloc.exe
4528	1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34.exe
4528	1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34.exe
1904	devdobloc.exe
1904	devdobloc.exe
4528	1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34.exe
4528	1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34.exe
1904	devdobloc.exe
1904	devdobloc.exe
4528	1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34.exe
4528	1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34.exe
1904	devdobloc.exe
1904	devdobloc.exe
4528	1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34.exe
4528	1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34.exe
1904	devdobloc.exe
1904	devdobloc.exe
4528	1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34.exe
4528	1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34.exe
1904	devdobloc.exe
1904	devdobloc.exe
4528	1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34.exe
4528	1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34.exe
1904	devdobloc.exe
1904	devdobloc.exe
4528	1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34.exe
4528	1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34.exe
1904	devdobloc.exe
1904	devdobloc.exe
4528	1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34.exe
4528	1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34.exe
1904	devdobloc.exe
1904	devdobloc.exe
4528	1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34.exe
4528	1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34.exe
1904	devdobloc.exe
1904	devdobloc.exe
4528	1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34.exe
4528	1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 1904	4528	1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34.exe	85
PID 4528 wrote to memory of 1904	4528	1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34.exe	85
PID 4528 wrote to memory of 1904	4528	1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34.exe	85

C:\Users\Admin\AppData\Local\Temp\1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34.exe
"C:\Users\Admin\AppData\Local\Temp\1a170fa690daf10b8b0fd8d3a203a16041b6010b602e909b305f3a0a96f82f34.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4528
- C:\AdobeTS\devdobloc.exe
  C:\AdobeTS\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeTS\devdobloc.exe

Filesize
2.7MB

MD5
b3f69fb47a44e89268a55b72dc7111f0

SHA1
4e48976d852b652f67302ba8dbd44b544fdf9658

SHA256
d3bc44ca8736f1f560c416c5b88eed4be01a192b74f2957d7cb49403bd784279

SHA512
0bceb616271ed15332e6ac256751dc896a3b50c8c851a9e64e5356b869db5bf60a49f27371ac80562a57fdbd389df9c99d0248b073fc1077bd013926be8abc3d

Download Submit
C:\MintNJ\dobaec.exe

Filesize
2.3MB

MD5
34e1f330ac893bd57eec2a6bc22af912

SHA1
cbb796dd6448c60334b98c2060a64edcc38b499f

SHA256
01ee68084038c4ebe3911d17c0482b3ebe216ee4e5bde1855014ea11f67f5975

SHA512
d2cc723853a67d6e19a145a93a3bd8af858eed7ab723a6819bc0250f54ef8c427966ed2a23400be1aec11a6663af2ff03d5e32e9eadc7e91c44559ba0c1690c0

Download Submit
C:\MintNJ\dobaec.exe

Filesize
2.7MB

MD5
e5e63a8feeeb10bd0c3e83a8cf8fda04

SHA1
06fea0c8ef0245fc3b8106aad31e3aac2335d719

SHA256
7f6f07ce726947f8985d81be35b4b46d4fe2aa3424e96b81f29293bff925ce47

SHA512
ef5fc7ebbe8d8798cf73e8aba5b32d83c55021931deddc4fc02b043b7d223467767a12c8180376fa91f9eac0736309984c1e7b6263d8cbdc887734282f62345e

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
7e0c53f48a474196fcff00e450a370e1

SHA1
353920d403caf7bec387ae9251e827dcd4a1acc5

SHA256
900f862931e76742432dd12f16c7536fa71b8b23826baf231a1a6ea77e9e0865

SHA512
af5f8affe0f3b19bd0f120885c7dacd44e199de8a3251b613c56619c80ab60aed025bab6c3ec17b5fb7fe83d67082960d1686c3601b7d38478b045feee9b47b7

Download Submit