Analysis
-
max time kernel
119s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system -
submitted
21/07/2024, 07:03
Static task
static1
Behavioral task
behavioral1
Sample
847081187c19357b60bfc03f1d9f5750N.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
847081187c19357b60bfc03f1d9f5750N.exe
Resource
win10v2004-20240709-en
General
-
Target
847081187c19357b60bfc03f1d9f5750N.exe
-
Size
2.7MB
-
MD5
847081187c19357b60bfc03f1d9f5750
-
SHA1
238a0d33f33721cad445cc3a6d0e20202e88c0e3
-
SHA256
7e8cba672d3510710e94b10f1b6bd3e2b264449cea90a75b7378bf85e631f9ea
-
SHA512
551d9ad16bf02cc1a26f3e59cf4fa7fec942c2081e73f900ae00ff34094041445fd1cc97bf3d4ddf5246141eb3aa46cc8aeb8b7ff77c397e6cbc8b9fdf380cd2
-
SSDEEP
49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBL9w4Sx:+R0pI/IQlUoMPdmpSpb4
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2212 devdobec.exe -
Loads dropped DLL 1 IoCs
pid Process 3004 847081187c19357b60bfc03f1d9f5750N.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidXW\\bodaec.exe" 847081187c19357b60bfc03f1d9f5750N.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvX0\\devdobec.exe" 847081187c19357b60bfc03f1d9f5750N.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3004 847081187c19357b60bfc03f1d9f5750N.exe 3004 847081187c19357b60bfc03f1d9f5750N.exe 2212 devdobec.exe 3004 847081187c19357b60bfc03f1d9f5750N.exe 2212 devdobec.exe 3004 847081187c19357b60bfc03f1d9f5750N.exe 2212 devdobec.exe 3004 847081187c19357b60bfc03f1d9f5750N.exe 2212 devdobec.exe 3004 847081187c19357b60bfc03f1d9f5750N.exe 2212 devdobec.exe 3004 847081187c19357b60bfc03f1d9f5750N.exe 2212 devdobec.exe 3004 847081187c19357b60bfc03f1d9f5750N.exe 2212 devdobec.exe 3004 847081187c19357b60bfc03f1d9f5750N.exe 2212 devdobec.exe 3004 847081187c19357b60bfc03f1d9f5750N.exe 2212 devdobec.exe 3004 847081187c19357b60bfc03f1d9f5750N.exe 2212 devdobec.exe 3004 847081187c19357b60bfc03f1d9f5750N.exe 2212 devdobec.exe 3004 847081187c19357b60bfc03f1d9f5750N.exe 2212 devdobec.exe 3004 847081187c19357b60bfc03f1d9f5750N.exe 2212 devdobec.exe 3004 847081187c19357b60bfc03f1d9f5750N.exe 2212 devdobec.exe 3004 847081187c19357b60bfc03f1d9f5750N.exe 2212 devdobec.exe 3004 847081187c19357b60bfc03f1d9f5750N.exe 2212 devdobec.exe 3004 847081187c19357b60bfc03f1d9f5750N.exe 2212 devdobec.exe 3004 847081187c19357b60bfc03f1d9f5750N.exe 2212 devdobec.exe 3004 847081187c19357b60bfc03f1d9f5750N.exe 2212 devdobec.exe 3004 847081187c19357b60bfc03f1d9f5750N.exe 2212 devdobec.exe 3004 847081187c19357b60bfc03f1d9f5750N.exe 2212 devdobec.exe 3004 847081187c19357b60bfc03f1d9f5750N.exe 2212 devdobec.exe 3004 847081187c19357b60bfc03f1d9f5750N.exe 2212 devdobec.exe 3004 847081187c19357b60bfc03f1d9f5750N.exe 2212 devdobec.exe 3004 847081187c19357b60bfc03f1d9f5750N.exe 2212 devdobec.exe 3004 847081187c19357b60bfc03f1d9f5750N.exe 2212 devdobec.exe 3004 847081187c19357b60bfc03f1d9f5750N.exe 2212 devdobec.exe 3004 847081187c19357b60bfc03f1d9f5750N.exe 2212 devdobec.exe 3004 847081187c19357b60bfc03f1d9f5750N.exe 2212 devdobec.exe 3004 847081187c19357b60bfc03f1d9f5750N.exe 2212 devdobec.exe 3004 847081187c19357b60bfc03f1d9f5750N.exe 2212 devdobec.exe 3004 847081187c19357b60bfc03f1d9f5750N.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 3004 wrote to memory of 2212 3004 847081187c19357b60bfc03f1d9f5750N.exe 29
PID 3004 wrote to memory of 2212 3004 847081187c19357b60bfc03f1d9f5750N.exe 29
PID 3004 wrote to memory of 2212 3004 847081187c19357b60bfc03f1d9f5750N.exe 29
PID 3004 wrote to memory of 2212 3004 847081187c19357b60bfc03f1d9f5750N.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\847081187c19357b60bfc03f1d9f5750N.exe (command line: "C:\Users\Admin\AppData\Local\Temp\847081187c19357b60bfc03f1d9f5750N.exe") 1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\SysDrvX0\devdobec.exe (command line: C:\SysDrvX0\devdobec.exe) 2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2212
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
202B
MD5 6133197efb15d73b71a522c46369899c
SHA1 7a4c0a0904c261a0500474b6e25c1d4820ed9057
SHA256 7b3697fc6bc2510c258b8ab7657530bec25f82880ccacdb4ba27b129d9cd62e0
SHA512 0bc1af955bdfe4af5da65c8a16eae8fe35fb6ce410db3f802debbe3b6d17ad681b6b88e766ccd8c21efe27ecd8ca77f40d6123210661d42da82e855f85d67e9f
-
Filesize
2.7MB
MD5 e4de5ddb8b7d5eeb53a9282a1722747a
SHA1 f7978233e74beacaf5d9768a11d2e10f6b7fbb69
SHA256 a38a23868e3f8cac42fd8f8f0e779347df44d6f2581402948ab751d5d1acdba8
SHA512 572dc049f5be290e14aa34be608db17fc3a1e024538c7fa411e77db287315d7310d7321d82e6e88541a9db4051befbd42dd8f76d5c2680c4bb3dbc3a3987ea25
-
Filesize
2.7MB
MD5 4cf6795d9b0e5e997f4da6feba50d327
SHA1 1cd04b0d2b63e5c314e762993d47b80caff5e398
SHA256 e676359e06e25c0ff58278937c1fb7219456885857a6a197be46c12cb16c76db
SHA512 64c4b6ca99ad20fdf42fe5c9750c05882929d7addb7ebec80ace0b0f2e88ca3c5186a7df407cf5882c84d84a9462ee12190945568fb59b1b4fbfcdddd1acdec1