ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8

Analysis

max time kernel
149s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 03:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
Size

2.7MB
MD5

5dc8d038ba899e75dae08732df2f08d9
SHA1

59049183069ffa35f084209be6b4bf9efaabcbd3
SHA256

ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8
SHA512

e3e27f43b45dfd0471402d85397a31f26e65849e0cc9a6944734e09abfaf87faa51528b37b3899bd5fe2bdb5a2ed0e061231a85cf701ff0a1f361d11c6fb569c
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBW9w4Sx:+R0pI/IQlUoMPdmpSp84

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2728	devdobec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvH0\\devdobec.exe"	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintCD\\boddevsys.exe"	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2648	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2648	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2648	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2648	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2728	devdobec.exe
2728	devdobec.exe
2648	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2648	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2728	devdobec.exe
2728	devdobec.exe
2648	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2648	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2728	devdobec.exe
2728	devdobec.exe
2648	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2648	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2728	devdobec.exe
2728	devdobec.exe
2648	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2648	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2728	devdobec.exe
2728	devdobec.exe
2648	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2648	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2728	devdobec.exe
2728	devdobec.exe
2648	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2648	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2728	devdobec.exe
2728	devdobec.exe
2648	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2648	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2728	devdobec.exe
2728	devdobec.exe
2648	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2648	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2728	devdobec.exe
2728	devdobec.exe
2648	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2648	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2728	devdobec.exe
2728	devdobec.exe
2648	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2648	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2728	devdobec.exe
2728	devdobec.exe
2648	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2648	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2728	devdobec.exe
2728	devdobec.exe
2648	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2648	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2728	devdobec.exe
2728	devdobec.exe
2648	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2648	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2728	devdobec.exe
2728	devdobec.exe
2648	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2648	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2728	devdobec.exe
2728	devdobec.exe
2648	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
2648	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2728	2648	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe	85
PID 2648 wrote to memory of 2728	2648	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe	85
PID 2648 wrote to memory of 2728	2648	ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe	85

C:\Users\Admin\AppData\Local\Temp\ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe
"C:\Users\Admin\AppData\Local\Temp\ab4e5a3c78fec91b2eba015e419ddd3079a0cde1a915386ccbd794b8f68a92b8.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2648
- C:\SysDrvH0\devdobec.exe
  C:\SysDrvH0\devdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintCD\boddevsys.exe

Filesize
220KB

MD5
23d93d928c12a90357587ff387bccdfc

SHA1
a8bd6612780d385f03ed72accb3f1ed108d44410

SHA256
92145b08641c27c9dddcb21076dbb565d6a6ca480b58e0347c98e9553ed4f9e5

SHA512
46117c6d0142bc78f452a1be06b3622b8fc362001a875263cc9f31a57c4f2e7aaf6cdf2b24088294ba13244cde0c40cf855f2789ea33f7004af2ca2029ae70fa

Download Submit
C:\MintCD\boddevsys.exe

Filesize
2.7MB

MD5
27cbab55b36bf7171fa7a8a7e246f88c

SHA1
d4a8d959117aa61f8aa240d1eb3de270dc53dcc4

SHA256
cfb9180c42267486f289d4691b0fffc7ebb97995fedadaa2e08b3bd5dd24d987

SHA512
dab66005e2a9fd5ec9025845c5dfe37f066b029c407f1082f9545029415dc98b1bcc81760afc0ce8a432b7ac42759f13daa9f02b9f198a189f7c3bb0bf60ae3c

Download Submit
C:\SysDrvH0\devdobec.exe

Filesize
2.7MB

MD5
92369a08e06b9753fa4c883e418802d5

SHA1
e1e103e2f3d939ec499157f4fa7ff726d49cfe2a

SHA256
b434c4cfde1fa5a50156d1c2202690c87aefbaf73ff01dbd9246bab2b422be64

SHA512
4de38df8e6f61d68c0a49d4151c7ce284dc4b68359dd7039c724e5ee02d082f395abd05bc17de16b991ee1b3efffe860090fa35af09f77679b67e53ee425bf92

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
23cbbdaef2325e99062ab8acb878f2eb

SHA1
a2868f0b9b74935331a5abb0ab27fe7d26194c4d

SHA256
b6714cc9ada0c882edc1d5d219331546786d63942bfa19b4696719f06857572b

SHA512
1f87cfdfb79ff5733f009d933e815760304f56963cb11c0bd4c8720afe29f4d8003fc3af7e6443b8ea2246e5995c356d44b74d26fd41b4611de15e12a1e5f556

Download Submit