37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
Size

2.7MB
MD5

5a01170c0f52775d0457d02d0c654fbe
SHA1

a20fd9e4bbb4be6bb703e96f4fdd5c9abc8845b7
SHA256

37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316
SHA512

c4b5fbdbda85800a5d8f7ec31189a7779231a33ed788832a1689eba97c7c055fdbd1584aa7f1958f459ef3daf2c1194a45b37191ee4e4493594d9b13e420e40a
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB99w4Sx:+R0pI/IQlUoMPdmpSp54

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1904	devbodsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesT2\\devbodsys.exe"	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidBF\\dobdevloc.exe"	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2024	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2024	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2024	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2024	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
1904	devbodsys.exe
1904	devbodsys.exe
2024	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2024	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
1904	devbodsys.exe
1904	devbodsys.exe
2024	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2024	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
1904	devbodsys.exe
1904	devbodsys.exe
2024	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2024	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
1904	devbodsys.exe
1904	devbodsys.exe
2024	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2024	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
1904	devbodsys.exe
1904	devbodsys.exe
2024	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2024	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
1904	devbodsys.exe
1904	devbodsys.exe
2024	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2024	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
1904	devbodsys.exe
1904	devbodsys.exe
2024	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2024	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
1904	devbodsys.exe
1904	devbodsys.exe
2024	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2024	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
1904	devbodsys.exe
1904	devbodsys.exe
2024	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2024	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
1904	devbodsys.exe
1904	devbodsys.exe
2024	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2024	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
1904	devbodsys.exe
1904	devbodsys.exe
2024	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2024	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
1904	devbodsys.exe
1904	devbodsys.exe
2024	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2024	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
1904	devbodsys.exe
1904	devbodsys.exe
2024	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2024	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
1904	devbodsys.exe
1904	devbodsys.exe
2024	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2024	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
1904	devbodsys.exe
1904	devbodsys.exe
2024	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
2024	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1904	2024	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe	84
PID 2024 wrote to memory of 1904	2024	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe	84
PID 2024 wrote to memory of 1904	2024	37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe	84

C:\Users\Admin\AppData\Local\Temp\37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe
"C:\Users\Admin\AppData\Local\Temp\37f2c00808fbcd5111284410f437be53a5e7c98a87a7b4d164828d63ca2e1316.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2024
- C:\FilesT2\devbodsys.exe
  C:\FilesT2\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesT2\devbodsys.exe

Filesize
2.7MB

MD5
d1dbd40806d742c57e5b66a8616b9a02

SHA1
db7b514c7bf20fc71ed53257b9c47cc81969e4f3

SHA256
e54840b246f91612442306fac46448a8bc3ab48545836ab2790234331e8728bf

SHA512
0557164c0130a03f0add59edda4cc424219dd3fc2a3cc778d51af8de6c5556fcb632d836b6a21a1fc02d55c82def37df0df72def114bbda9a1f4009b05cec651

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
d2472cdfe79469ccc47f9f8c0fd01355

SHA1
fe44bb5584080c10e625c680381de43383f1d9f3

SHA256
05a559841ecd467728d2e4f22c67246a5b454d3b8b97eba19bfdf2cf63a1cc71

SHA512
f27eaec194e62d6222a946baf6a70c104c81d3924a49430a4c4f01859d52b0121a18ef22e4ee65d1a422dc809966a252e0152a50cb2e9c094c1a1855bc6df967

Download Submit
C:\VidBF\dobdevloc.exe

Filesize
2.7MB

MD5
97a252daacc854a2b1ffafa7996f3c45

SHA1
80af1735d26c2205ea42034384a548dca79d5b88

SHA256
a2010841783839883e38d65dcfa3dbfab65735a1885083418938df1acffc9aff

SHA512
261eddeeb3374ac1c725f71bd45a5bf082caac5b8b51555a5a82eca8b53d0824b7533636c92603b4aaee36b8030fa99010f01e06f3b5066af22a3106ca519b9f

Download Submit