457f91f9933d8ff8a0d617e63159037210951f5062259e648a1d5c839d5239ec

Analysis

max time kernel
119s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2024, 04:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

48475fd6e2aaa53f926ff7b6570faf30N.exe
Size

2.7MB
MD5

48475fd6e2aaa53f926ff7b6570faf30
SHA1

9c02e5237e88593e327f31dcfa9b93b473118cb6
SHA256

457f91f9933d8ff8a0d617e63159037210951f5062259e648a1d5c839d5239ec
SHA512

d771840f033c0a084c4448ce41a2a54a42bf2f32276bbb984529eab2e81a2fa6ec8814cd12287d79a3b041f8f9b1ca77ea8c4dd7b7bc087959072f42d78dc295
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBY9w4S+:+R0pI/IQlUoMPdmpSpS4X

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2780	devdobec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv79\\devdobec.exe"	48475fd6e2aaa53f926ff7b6570faf30N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidBO\\bodasys.exe"	48475fd6e2aaa53f926ff7b6570faf30N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2296	48475fd6e2aaa53f926ff7b6570faf30N.exe
2296	48475fd6e2aaa53f926ff7b6570faf30N.exe
2296	48475fd6e2aaa53f926ff7b6570faf30N.exe
2296	48475fd6e2aaa53f926ff7b6570faf30N.exe
2780	devdobec.exe
2780	devdobec.exe
2296	48475fd6e2aaa53f926ff7b6570faf30N.exe
2296	48475fd6e2aaa53f926ff7b6570faf30N.exe
2780	devdobec.exe
2780	devdobec.exe
2296	48475fd6e2aaa53f926ff7b6570faf30N.exe
2296	48475fd6e2aaa53f926ff7b6570faf30N.exe
2780	devdobec.exe
2780	devdobec.exe
2296	48475fd6e2aaa53f926ff7b6570faf30N.exe
2296	48475fd6e2aaa53f926ff7b6570faf30N.exe
2780	devdobec.exe
2780	devdobec.exe
2296	48475fd6e2aaa53f926ff7b6570faf30N.exe
2296	48475fd6e2aaa53f926ff7b6570faf30N.exe
2780	devdobec.exe
2780	devdobec.exe
2296	48475fd6e2aaa53f926ff7b6570faf30N.exe
2296	48475fd6e2aaa53f926ff7b6570faf30N.exe
2780	devdobec.exe
2780	devdobec.exe
2296	48475fd6e2aaa53f926ff7b6570faf30N.exe
2296	48475fd6e2aaa53f926ff7b6570faf30N.exe
2780	devdobec.exe
2780	devdobec.exe
2296	48475fd6e2aaa53f926ff7b6570faf30N.exe
2296	48475fd6e2aaa53f926ff7b6570faf30N.exe
2780	devdobec.exe
2780	devdobec.exe
2296	48475fd6e2aaa53f926ff7b6570faf30N.exe
2296	48475fd6e2aaa53f926ff7b6570faf30N.exe
2780	devdobec.exe
2780	devdobec.exe
2296	48475fd6e2aaa53f926ff7b6570faf30N.exe
2296	48475fd6e2aaa53f926ff7b6570faf30N.exe
2780	devdobec.exe
2780	devdobec.exe
2296	48475fd6e2aaa53f926ff7b6570faf30N.exe
2296	48475fd6e2aaa53f926ff7b6570faf30N.exe
2780	devdobec.exe
2780	devdobec.exe
2296	48475fd6e2aaa53f926ff7b6570faf30N.exe
2296	48475fd6e2aaa53f926ff7b6570faf30N.exe
2780	devdobec.exe
2780	devdobec.exe
2296	48475fd6e2aaa53f926ff7b6570faf30N.exe
2296	48475fd6e2aaa53f926ff7b6570faf30N.exe
2780	devdobec.exe
2780	devdobec.exe
2296	48475fd6e2aaa53f926ff7b6570faf30N.exe
2296	48475fd6e2aaa53f926ff7b6570faf30N.exe
2780	devdobec.exe
2780	devdobec.exe
2296	48475fd6e2aaa53f926ff7b6570faf30N.exe
2296	48475fd6e2aaa53f926ff7b6570faf30N.exe
2780	devdobec.exe
2780	devdobec.exe
2296	48475fd6e2aaa53f926ff7b6570faf30N.exe
2296	48475fd6e2aaa53f926ff7b6570faf30N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2780	2296	48475fd6e2aaa53f926ff7b6570faf30N.exe	86
PID 2296 wrote to memory of 2780	2296	48475fd6e2aaa53f926ff7b6570faf30N.exe	86
PID 2296 wrote to memory of 2780	2296	48475fd6e2aaa53f926ff7b6570faf30N.exe	86

C:\Users\Admin\AppData\Local\Temp\48475fd6e2aaa53f926ff7b6570faf30N.exe
"C:\Users\Admin\AppData\Local\Temp\48475fd6e2aaa53f926ff7b6570faf30N.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2296
- C:\SysDrv79\devdobec.exe
  C:\SysDrv79\devdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrv79\devdobec.exe

Filesize
2.7MB

MD5
e68c2993d86cc68b7357e08135debd3e

SHA1
0dda40e914f6230ef2f8e54416e275ba49201348

SHA256
42728b74b4563ddcf50cbd15ad9b4676032e87d24a2bed61e7054dae98fd76d6

SHA512
03ff6fb45c872da63c8bf813c7f859e167833b5fc9fae3ccfaba8329587d6833483bae0a6d7a10cb59df44f01b6607729ef3d7561666d5b98e495cdfcbf3d4e0

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
073b200b17b33d198d40645d5e171878

SHA1
9c8607a03274f2b5d2f3d21fd999da15949db362

SHA256
e881cfc3c69b9e99cc4be8078f1fcc327a293afede55d7704a271909b4edbee5

SHA512
f84e224f8fa7ec85f72e33d548fb876b4cbc0e0ce319338f6569e0bd3752b5231c378e6d6f2ac1c603a804842c4329a9434a33f392fd15da87b19716ea68648a

Download Submit
C:\VidBO\bodasys.exe

Filesize
424KB

MD5
ca137698d590db51719b49cad8d619d7

SHA1
ef14c2bab5d6bea5e69bfde96b3a6f8dfd998051

SHA256
3ffe6cd829167229fd49887741d98cc05e35b9033900aa5fab9380a4afd7f0c4

SHA512
237c0df9b3e83d6ec61664f99319f6c9b934d6a76c3a99ba4bcd711f450b8cea45fbb564daf10f1165d28830267b268f80d9e57740e4292692faa481b9388e36

Download Submit
C:\VidBO\bodasys.exe

Filesize
2.7MB

MD5
43736670a655f3ed58787f4ffa4aff08

SHA1
f6d6f3fe1444a521393afc6818576aeae860b700

SHA256
6b59bd811defa398227cc3c9aa27a7adb28c963b5de6831e8f5afe1d806406c8

SHA512
f469a24231b102589885c54a3c1a6bba81d6b40aad7214017c87abacb2ebd7e7080398ae26ea5a215b13d6e578aee8493ac06cc4c33ccf1ed68f9e8f41961dc1

Download Submit