ef41da8449ca75dd3500e630b5a054b70577e59d2f7c0a60599feb9074a17bf8

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20/07/2024, 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed9197ac62411600660f681912578cf0N.exe
Size

2.7MB
MD5

ed9197ac62411600660f681912578cf0
SHA1

1232042bb6fadc5470308cbc3bdd5a121bb2b1c1
SHA256

ef41da8449ca75dd3500e630b5a054b70577e59d2f7c0a60599feb9074a17bf8
SHA512

5e87ece22a6061b2785a6da0c340641c5b1f7ccd58d618b13d099db71891cc990b6cec9e74ddcc6e87cf36b2c4cb98fc1e9c10ee49434ec0bb562aaaf662c70a
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBq9w4Sx:+R0pI/IQlUoMPdmpSpk4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1032	devdobloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2692	ed9197ac62411600660f681912578cf0N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidTW\\boddevsys.exe"	ed9197ac62411600660f681912578cf0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvEO\\devdobloc.exe"	ed9197ac62411600660f681912578cf0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2692	ed9197ac62411600660f681912578cf0N.exe
2692	ed9197ac62411600660f681912578cf0N.exe
1032	devdobloc.exe
2692	ed9197ac62411600660f681912578cf0N.exe
1032	devdobloc.exe
2692	ed9197ac62411600660f681912578cf0N.exe
1032	devdobloc.exe
2692	ed9197ac62411600660f681912578cf0N.exe
1032	devdobloc.exe
2692	ed9197ac62411600660f681912578cf0N.exe
1032	devdobloc.exe
2692	ed9197ac62411600660f681912578cf0N.exe
1032	devdobloc.exe
2692	ed9197ac62411600660f681912578cf0N.exe
1032	devdobloc.exe
2692	ed9197ac62411600660f681912578cf0N.exe
1032	devdobloc.exe
2692	ed9197ac62411600660f681912578cf0N.exe
1032	devdobloc.exe
2692	ed9197ac62411600660f681912578cf0N.exe
1032	devdobloc.exe
2692	ed9197ac62411600660f681912578cf0N.exe
1032	devdobloc.exe
2692	ed9197ac62411600660f681912578cf0N.exe
1032	devdobloc.exe
2692	ed9197ac62411600660f681912578cf0N.exe
1032	devdobloc.exe
2692	ed9197ac62411600660f681912578cf0N.exe
1032	devdobloc.exe
2692	ed9197ac62411600660f681912578cf0N.exe
1032	devdobloc.exe
2692	ed9197ac62411600660f681912578cf0N.exe
1032	devdobloc.exe
2692	ed9197ac62411600660f681912578cf0N.exe
1032	devdobloc.exe
2692	ed9197ac62411600660f681912578cf0N.exe
1032	devdobloc.exe
2692	ed9197ac62411600660f681912578cf0N.exe
1032	devdobloc.exe
2692	ed9197ac62411600660f681912578cf0N.exe
1032	devdobloc.exe
2692	ed9197ac62411600660f681912578cf0N.exe
1032	devdobloc.exe
2692	ed9197ac62411600660f681912578cf0N.exe
1032	devdobloc.exe
2692	ed9197ac62411600660f681912578cf0N.exe
1032	devdobloc.exe
2692	ed9197ac62411600660f681912578cf0N.exe
1032	devdobloc.exe
2692	ed9197ac62411600660f681912578cf0N.exe
1032	devdobloc.exe
2692	ed9197ac62411600660f681912578cf0N.exe
1032	devdobloc.exe
2692	ed9197ac62411600660f681912578cf0N.exe
1032	devdobloc.exe
2692	ed9197ac62411600660f681912578cf0N.exe
1032	devdobloc.exe
2692	ed9197ac62411600660f681912578cf0N.exe
1032	devdobloc.exe
2692	ed9197ac62411600660f681912578cf0N.exe
1032	devdobloc.exe
2692	ed9197ac62411600660f681912578cf0N.exe
1032	devdobloc.exe
2692	ed9197ac62411600660f681912578cf0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 1032	2692	ed9197ac62411600660f681912578cf0N.exe	31
PID 2692 wrote to memory of 1032	2692	ed9197ac62411600660f681912578cf0N.exe	31
PID 2692 wrote to memory of 1032	2692	ed9197ac62411600660f681912578cf0N.exe	31
PID 2692 wrote to memory of 1032	2692	ed9197ac62411600660f681912578cf0N.exe	31

C:\Users\Admin\AppData\Local\Temp\ed9197ac62411600660f681912578cf0N.exe
"C:\Users\Admin\AppData\Local\Temp\ed9197ac62411600660f681912578cf0N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2692
- C:\SysDrvEO\devdobloc.exe
  C:\SysDrvEO\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
6a7bb658c6c6301eece52def2e567069

SHA1
a2cac35932eb148278eb275e39c4ce987d3eea44

SHA256
33b350cb74de3a111302c88810ee0ddbd3fd2faf76df32834d443bdf4d086db3

SHA512
5abd16da7ca4b0fd407a2c2c56652730b11c5c0321d4f52ccc74ec6b23eaf407b82b62ef274b6d4e4d59ccfbe6a12a65635ceb2789ee95e3271bd71b41c1af3f

Download Submit
C:\VidTW\boddevsys.exe

Filesize
2.7MB

MD5
7cc0290e44c858b9dc2e436e4fede9de

SHA1
8c7d3c09e2490e545d62f62e891f23058a41fce1

SHA256
d18c56b06de27a38624eedc608f2d89ce16efeac90c7ffde8921c952a4d2defd

SHA512
2f25cf90267c25c8e164dbbb27ef443e9775392fab416eea33b0811eb65a63bd1071b934c6522c493f694be1bed3df2a5017da4a5ed58c3e8d5ce248ebc6e0ad

Download Submit
\SysDrvEO\devdobloc.exe

Filesize
2.7MB

MD5
8522bb1b394e81859934855cd88e0268

SHA1
80aac8e08825409d1f67c3aad2f08d95c489c0dd

SHA256
01a0cb1884159f04ef3f5618bb65976b018b48fb77578af019a60b514734bbbd

SHA512
3b4df1c067b16c347bd1950cf6eb21c8f61372cbea9137d0dc6f35e7e9c6318aa6a708e03a987abaa2aa56e7d4c031df827adc767966db8e1c52658e790f33cf

Download Submit