3e4a76daccc65d00f403bcf4c8b691c1e27694581d962b0d8d2f0e2214755426

Analysis

max time kernel
119s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e86e4e79e73b650d2974c31d1bc0390N.exe
Size

2.7MB
MD5

8e86e4e79e73b650d2974c31d1bc0390
SHA1

73e99e270bfbe42ec74429122501e391f87c0cf2
SHA256

3e4a76daccc65d00f403bcf4c8b691c1e27694581d962b0d8d2f0e2214755426
SHA512

dc529cb5cea146ca07ad34dbcc815afdf8246acc18028cc029a6445c108e23e71be634d2f00c1bd2062450be67bab61c4836112249658b82ad7eca639bbe950f
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB49w4Sx:+R0pI/IQlUoMPdmpSpW4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
244	devbodec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocMS\\devbodec.exe"	8e86e4e79e73b650d2974c31d1bc0390N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBDG\\dobaec.exe"	8e86e4e79e73b650d2974c31d1bc0390N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3936	8e86e4e79e73b650d2974c31d1bc0390N.exe
3936	8e86e4e79e73b650d2974c31d1bc0390N.exe
3936	8e86e4e79e73b650d2974c31d1bc0390N.exe
3936	8e86e4e79e73b650d2974c31d1bc0390N.exe
244	devbodec.exe
244	devbodec.exe
3936	8e86e4e79e73b650d2974c31d1bc0390N.exe
3936	8e86e4e79e73b650d2974c31d1bc0390N.exe
244	devbodec.exe
244	devbodec.exe
3936	8e86e4e79e73b650d2974c31d1bc0390N.exe
3936	8e86e4e79e73b650d2974c31d1bc0390N.exe
244	devbodec.exe
244	devbodec.exe
3936	8e86e4e79e73b650d2974c31d1bc0390N.exe
3936	8e86e4e79e73b650d2974c31d1bc0390N.exe
244	devbodec.exe
244	devbodec.exe
3936	8e86e4e79e73b650d2974c31d1bc0390N.exe
3936	8e86e4e79e73b650d2974c31d1bc0390N.exe
244	devbodec.exe
244	devbodec.exe
3936	8e86e4e79e73b650d2974c31d1bc0390N.exe
3936	8e86e4e79e73b650d2974c31d1bc0390N.exe
244	devbodec.exe
244	devbodec.exe
3936	8e86e4e79e73b650d2974c31d1bc0390N.exe
3936	8e86e4e79e73b650d2974c31d1bc0390N.exe
244	devbodec.exe
244	devbodec.exe
3936	8e86e4e79e73b650d2974c31d1bc0390N.exe
3936	8e86e4e79e73b650d2974c31d1bc0390N.exe
244	devbodec.exe
244	devbodec.exe
3936	8e86e4e79e73b650d2974c31d1bc0390N.exe
3936	8e86e4e79e73b650d2974c31d1bc0390N.exe
244	devbodec.exe
244	devbodec.exe
3936	8e86e4e79e73b650d2974c31d1bc0390N.exe
3936	8e86e4e79e73b650d2974c31d1bc0390N.exe
244	devbodec.exe
244	devbodec.exe
3936	8e86e4e79e73b650d2974c31d1bc0390N.exe
3936	8e86e4e79e73b650d2974c31d1bc0390N.exe
244	devbodec.exe
244	devbodec.exe
3936	8e86e4e79e73b650d2974c31d1bc0390N.exe
3936	8e86e4e79e73b650d2974c31d1bc0390N.exe
244	devbodec.exe
244	devbodec.exe
3936	8e86e4e79e73b650d2974c31d1bc0390N.exe
3936	8e86e4e79e73b650d2974c31d1bc0390N.exe
244	devbodec.exe
244	devbodec.exe
3936	8e86e4e79e73b650d2974c31d1bc0390N.exe
3936	8e86e4e79e73b650d2974c31d1bc0390N.exe
244	devbodec.exe
244	devbodec.exe
3936	8e86e4e79e73b650d2974c31d1bc0390N.exe
3936	8e86e4e79e73b650d2974c31d1bc0390N.exe
244	devbodec.exe
244	devbodec.exe
3936	8e86e4e79e73b650d2974c31d1bc0390N.exe
3936	8e86e4e79e73b650d2974c31d1bc0390N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3936 wrote to memory of 244	3936	8e86e4e79e73b650d2974c31d1bc0390N.exe	87
PID 3936 wrote to memory of 244	3936	8e86e4e79e73b650d2974c31d1bc0390N.exe	87
PID 3936 wrote to memory of 244	3936	8e86e4e79e73b650d2974c31d1bc0390N.exe	87

C:\Users\Admin\AppData\Local\Temp\8e86e4e79e73b650d2974c31d1bc0390N.exe
"C:\Users\Admin\AppData\Local\Temp\8e86e4e79e73b650d2974c31d1bc0390N.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3936
- C:\IntelprocMS\devbodec.exe
  C:\IntelprocMS\devbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocMS\devbodec.exe

Filesize
2.7MB

MD5
403a32948a750affdd22094c1d1ec30a

SHA1
f51c694b95d1ad1f3c336d0ade7652ea6a0732f7

SHA256
1df77e37567d7ae456302fbdf99a18256e3581038e6c7b9a3b516607e5395bab

SHA512
351539e2fcf692aa5c49ea9f0de721c10adc0a5968de1722f0ec0068dd760a1e8d7378868d34d1c9183bf9ed6c107bb4317513f3eae0f48c0813a879b1cf3824

Download Submit
C:\KaVBDG\dobaec.exe

Filesize
2.7MB

MD5
82c932706626d764dbcda428d3516885

SHA1
768b3b20e1802000c19c4afcf1b5aaf8b75b8cc3

SHA256
70b2433aa5e3f6eaf7101e81ca0818c9bd42acb7028239ddb4a3d7afdad75595

SHA512
9045634ea144efa9ccbaa13b4dd742f6a893d4f717db278e3896eb47458ff2ef1b0aa9b27c29aba7812d62942b39d66ba2abbe72d5fda5786e84291f9575c51a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
eb7beb5aabbe9e48de44265d2b9c9ca7

SHA1
b9202217f2b84761926c2e4da52a97d9e436656b

SHA256
b892f8adb177e297125b2008cd2113417aa83664266b90a1e89da6fc7683f1e8

SHA512
78dc95010704752ca3e08e4c44d9b7b78710988772bf03f1cda5ce070a8c7965e27d478760f3dae3907eedcb53c4f4c9ee1b7e5dafe51f1d3e15773d7617f4d1

Download Submit