4d1b6346c8bc068c413a20cd8e9f814eb9c0fd94f2526edb271bbbb166feb744

Analysis

max time kernel
119s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2024, 06:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59b45f17b13d799e6c4005d204fe8730N.exe
Size

2.7MB
MD5

59b45f17b13d799e6c4005d204fe8730
SHA1

7bbd074484a03778f4c5a50f0e88ce5bf0e0c222
SHA256

4d1b6346c8bc068c413a20cd8e9f814eb9c0fd94f2526edb271bbbb166feb744
SHA512

88da31497b4f37aaee139168f8a077387057af5a6463f518b14bad9aa4112f24d0f22b221657132a91ed69961a54d4b554478b3d5791917eb74a6ed972d01e58
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBp9w4S+:+R0pI/IQlUoMPdmpSp54X

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2128	devdobec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotPD\\devdobec.exe"	59b45f17b13d799e6c4005d204fe8730N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax3X\\dobxloc.exe"	59b45f17b13d799e6c4005d204fe8730N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
828	59b45f17b13d799e6c4005d204fe8730N.exe
828	59b45f17b13d799e6c4005d204fe8730N.exe
828	59b45f17b13d799e6c4005d204fe8730N.exe
828	59b45f17b13d799e6c4005d204fe8730N.exe
2128	devdobec.exe
2128	devdobec.exe
828	59b45f17b13d799e6c4005d204fe8730N.exe
828	59b45f17b13d799e6c4005d204fe8730N.exe
2128	devdobec.exe
2128	devdobec.exe
828	59b45f17b13d799e6c4005d204fe8730N.exe
828	59b45f17b13d799e6c4005d204fe8730N.exe
2128	devdobec.exe
2128	devdobec.exe
828	59b45f17b13d799e6c4005d204fe8730N.exe
828	59b45f17b13d799e6c4005d204fe8730N.exe
2128	devdobec.exe
2128	devdobec.exe
828	59b45f17b13d799e6c4005d204fe8730N.exe
828	59b45f17b13d799e6c4005d204fe8730N.exe
2128	devdobec.exe
2128	devdobec.exe
828	59b45f17b13d799e6c4005d204fe8730N.exe
828	59b45f17b13d799e6c4005d204fe8730N.exe
2128	devdobec.exe
2128	devdobec.exe
828	59b45f17b13d799e6c4005d204fe8730N.exe
828	59b45f17b13d799e6c4005d204fe8730N.exe
2128	devdobec.exe
2128	devdobec.exe
828	59b45f17b13d799e6c4005d204fe8730N.exe
828	59b45f17b13d799e6c4005d204fe8730N.exe
2128	devdobec.exe
2128	devdobec.exe
828	59b45f17b13d799e6c4005d204fe8730N.exe
828	59b45f17b13d799e6c4005d204fe8730N.exe
2128	devdobec.exe
2128	devdobec.exe
828	59b45f17b13d799e6c4005d204fe8730N.exe
828	59b45f17b13d799e6c4005d204fe8730N.exe
2128	devdobec.exe
2128	devdobec.exe
828	59b45f17b13d799e6c4005d204fe8730N.exe
828	59b45f17b13d799e6c4005d204fe8730N.exe
2128	devdobec.exe
2128	devdobec.exe
828	59b45f17b13d799e6c4005d204fe8730N.exe
828	59b45f17b13d799e6c4005d204fe8730N.exe
2128	devdobec.exe
2128	devdobec.exe
828	59b45f17b13d799e6c4005d204fe8730N.exe
828	59b45f17b13d799e6c4005d204fe8730N.exe
2128	devdobec.exe
2128	devdobec.exe
828	59b45f17b13d799e6c4005d204fe8730N.exe
828	59b45f17b13d799e6c4005d204fe8730N.exe
2128	devdobec.exe
2128	devdobec.exe
828	59b45f17b13d799e6c4005d204fe8730N.exe
828	59b45f17b13d799e6c4005d204fe8730N.exe
2128	devdobec.exe
2128	devdobec.exe
828	59b45f17b13d799e6c4005d204fe8730N.exe
828	59b45f17b13d799e6c4005d204fe8730N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 2128	828	59b45f17b13d799e6c4005d204fe8730N.exe	88
PID 828 wrote to memory of 2128	828	59b45f17b13d799e6c4005d204fe8730N.exe	88
PID 828 wrote to memory of 2128	828	59b45f17b13d799e6c4005d204fe8730N.exe	88

C:\Users\Admin\AppData\Local\Temp\59b45f17b13d799e6c4005d204fe8730N.exe
"C:\Users\Admin\AppData\Local\Temp\59b45f17b13d799e6c4005d204fe8730N.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:828
- C:\UserDotPD\devdobec.exe
  C:\UserDotPD\devdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax3X\dobxloc.exe

Filesize
2.7MB

MD5
6f12b2da66490073bf6728ceed2294b0

SHA1
62ca8947738cc97fd55f8c4aeff523b5a19b28cf

SHA256
b934016730729b3e49ebd43fa23ea7dcd7287d8287680ee830df53f329a93620

SHA512
2e2bf347d523d20e70cd9c76c6ffaceab086640a570733d7010d83d07f31bdcbdc404003d0c482364388a27d39882b853d5911ebdf3ceefdff84fd7c109caa1d

Download Submit
C:\UserDotPD\devdobec.exe

Filesize
2.7MB

MD5
2b0ea5613e22ce7b992e585dba6a2259

SHA1
af15a6aa982699c8a5138b8ff240efa3f0444e19

SHA256
7f2c531d0bf658dd1965d49ca3b19c2d59f4b118143fa5eb22c5efd4d59573d3

SHA512
09b3154080c0caa662b4df2c30d03fe212e07834eca87bb8d1b72225ccda08280b830e9ce0f29b7ad2165eed26b6b07c615d99a7a87d98c186140b81299763ff

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
20a40f225c908c80a6a4281586315399

SHA1
45af43d8b9639ecaaedf8d1339530f7e682dc477

SHA256
ba2e365ecbb29cef7bc57dfc2b94ec4609eb58d5914a200767a061884de273c2

SHA512
9a0c053c1507672e74d045285123173fc96aa6b2ef8e3b2f073a4c2095c0bccc3938652149f81589cd76b12583dba3a9179d2d5a815c97f83eb146c36a77453c

Download Submit