479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573

Analysis

max time kernel
149s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 21:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573.exe
Size

2.7MB
MD5

0b09312f2898c0cd5aa304813435eb4d
SHA1

18f55d6ff76eedce06b87cc4c6c43d1907f938fc
SHA256

479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573
SHA512

7f293fe971dc67fab84da2eb57e71e7acbdd862ec02115955f86652a75954afb822e89d921fe4b3efeea4072b53090221363045e5ea5d941545c23ad1ef42cea
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBl9w4S+:+R0pI/IQlUoMPdmpSpl4X

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3556	devdobsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files1U\\devdobsys.exe"	479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid61\\bodxsys.exe"	479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2176	479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573.exe
2176	479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573.exe
2176	479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573.exe
2176	479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573.exe
3556	devdobsys.exe
3556	devdobsys.exe
2176	479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573.exe
2176	479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573.exe
3556	devdobsys.exe
3556	devdobsys.exe
2176	479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573.exe
2176	479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573.exe
3556	devdobsys.exe
3556	devdobsys.exe
2176	479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573.exe
2176	479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573.exe
3556	devdobsys.exe
3556	devdobsys.exe
2176	479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573.exe
2176	479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573.exe
3556	devdobsys.exe
3556	devdobsys.exe
2176	479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573.exe
2176	479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573.exe
3556	devdobsys.exe
3556	devdobsys.exe
2176	479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573.exe
2176	479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573.exe
3556	devdobsys.exe
3556	devdobsys.exe
2176	479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573.exe
2176	479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573.exe
3556	devdobsys.exe
3556	devdobsys.exe
2176	479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573.exe
2176	479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573.exe
3556	devdobsys.exe
3556	devdobsys.exe
2176	479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573.exe
2176	479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573.exe
3556	devdobsys.exe
3556	devdobsys.exe
2176	479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573.exe
2176	479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573.exe
3556	devdobsys.exe
3556	devdobsys.exe
2176	479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573.exe
2176	479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573.exe
3556	devdobsys.exe
3556	devdobsys.exe
2176	479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573.exe
2176	479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573.exe
3556	devdobsys.exe
3556	devdobsys.exe
2176	479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573.exe
2176	479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573.exe
3556	devdobsys.exe
3556	devdobsys.exe
2176	479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573.exe
2176	479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573.exe
3556	devdobsys.exe
3556	devdobsys.exe
2176	479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573.exe
2176	479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 3556	2176	479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573.exe	84
PID 2176 wrote to memory of 3556	2176	479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573.exe	84
PID 2176 wrote to memory of 3556	2176	479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573.exe	84

C:\Users\Admin\AppData\Local\Temp\479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573.exe
"C:\Users\Admin\AppData\Local\Temp\479c1fbfe79efd057547f0f4c266fa68dfe44910a6ede3b89c3c1b8e2a531573.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Files1U\devdobsys.exe
  C:\Files1U\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files1U\devdobsys.exe

Filesize
2.7MB

MD5
ca281f04e3133f29c3f5c724fc24d344

SHA1
fcafe814bd7f5e5024f92b15be3d9e3a789fa72a

SHA256
decbad323c34a656e0ba1f644da3405c9413b1bad1396084288751085742f0bb

SHA512
6c84321faa0fbf23276420615c778d0a1696295389a29b191e7e89263f13dc25eae3d26648a54e988c52ce516a36082f9a72fb8953816fe4f955985b737d2a2d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
ccf2223907300dd9499a988b5dec2859

SHA1
af905effd366edbb2dcc91eba0f0172fb7ab2db1

SHA256
ff0a8c29cf89bf62b39d8964b775e417c73b0335cca5b687f1fff78faab78a0b

SHA512
79f70a074537b3aba03d7b4181a5af057c5700413db4feab1d0c238175ec7a6913eda8fe3c2555e5b7802957b7cca3cdfcefe881d799305f0c82f12c9fbe9a69

Download Submit
C:\Vid61\bodxsys.exe

Filesize
2.7MB

MD5
3d18342d128ca468d5c3b7dcb6202305

SHA1
346299d1d1f7e061fad84a29e4c0d064fbdc2de7

SHA256
e1b16df78bb431c2ddd6d62c9549ea8bf8dbbed31e996c3ee256a34d0d063c82

SHA512
8bc87aa4674714c786f7feab13a9f22bb074f1be59c55b3592b89326dfbe99273c527b32e46a75f408a529a0669072a6028d99a457a754ddcc52d9d102550987

Download Submit