f3004e7d9434d1236876f916dc8c1284bd9a79d75509328c57879f4199db6ee7

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
22-07-2024 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4179f6ff845787c1d207b6a6f6302540N.exe
Size

3.1MB
MD5

4179f6ff845787c1d207b6a6f6302540
SHA1

28e6f2db566261cb232f917d6f3124b5a4d3641f
SHA256

f3004e7d9434d1236876f916dc8c1284bd9a79d75509328c57879f4199db6ee7
SHA512

138859299ffdaedcd95a72bffad828bb1671f81b833e554c93d1911def86859528efdd2099f22a5817f6c6a8cf3bba333add7f925cafb14c91d5a85254883df8
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBQ9w4Su+LNfej:+R0pI/IQlUoMPdmpSpS4JkNfej

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2876	devdobec.exe

Loads dropped DLL 1 IoCs

pid	Process
2632	4179f6ff845787c1d207b6a6f6302540N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeIW\\devdobec.exe"	4179f6ff845787c1d207b6a6f6302540N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidFG\\dobxec.exe"	4179f6ff845787c1d207b6a6f6302540N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2632	4179f6ff845787c1d207b6a6f6302540N.exe
2632	4179f6ff845787c1d207b6a6f6302540N.exe
2876	devdobec.exe
2632	4179f6ff845787c1d207b6a6f6302540N.exe
2876	devdobec.exe
2632	4179f6ff845787c1d207b6a6f6302540N.exe
2876	devdobec.exe
2632	4179f6ff845787c1d207b6a6f6302540N.exe
2876	devdobec.exe
2632	4179f6ff845787c1d207b6a6f6302540N.exe
2876	devdobec.exe
2632	4179f6ff845787c1d207b6a6f6302540N.exe
2876	devdobec.exe
2632	4179f6ff845787c1d207b6a6f6302540N.exe
2876	devdobec.exe
2632	4179f6ff845787c1d207b6a6f6302540N.exe
2876	devdobec.exe
2632	4179f6ff845787c1d207b6a6f6302540N.exe
2876	devdobec.exe
2632	4179f6ff845787c1d207b6a6f6302540N.exe
2876	devdobec.exe
2632	4179f6ff845787c1d207b6a6f6302540N.exe
2876	devdobec.exe
2632	4179f6ff845787c1d207b6a6f6302540N.exe
2876	devdobec.exe
2632	4179f6ff845787c1d207b6a6f6302540N.exe
2876	devdobec.exe
2632	4179f6ff845787c1d207b6a6f6302540N.exe
2876	devdobec.exe
2632	4179f6ff845787c1d207b6a6f6302540N.exe
2876	devdobec.exe
2632	4179f6ff845787c1d207b6a6f6302540N.exe
2876	devdobec.exe
2632	4179f6ff845787c1d207b6a6f6302540N.exe
2876	devdobec.exe
2632	4179f6ff845787c1d207b6a6f6302540N.exe
2876	devdobec.exe
2632	4179f6ff845787c1d207b6a6f6302540N.exe
2876	devdobec.exe
2632	4179f6ff845787c1d207b6a6f6302540N.exe
2876	devdobec.exe
2632	4179f6ff845787c1d207b6a6f6302540N.exe
2876	devdobec.exe
2632	4179f6ff845787c1d207b6a6f6302540N.exe
2876	devdobec.exe
2632	4179f6ff845787c1d207b6a6f6302540N.exe
2876	devdobec.exe
2632	4179f6ff845787c1d207b6a6f6302540N.exe
2876	devdobec.exe
2632	4179f6ff845787c1d207b6a6f6302540N.exe
2876	devdobec.exe
2632	4179f6ff845787c1d207b6a6f6302540N.exe
2876	devdobec.exe
2632	4179f6ff845787c1d207b6a6f6302540N.exe
2876	devdobec.exe
2632	4179f6ff845787c1d207b6a6f6302540N.exe
2876	devdobec.exe
2632	4179f6ff845787c1d207b6a6f6302540N.exe
2876	devdobec.exe
2632	4179f6ff845787c1d207b6a6f6302540N.exe
2876	devdobec.exe
2632	4179f6ff845787c1d207b6a6f6302540N.exe
2876	devdobec.exe
2632	4179f6ff845787c1d207b6a6f6302540N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2876	2632	4179f6ff845787c1d207b6a6f6302540N.exe	30
PID 2632 wrote to memory of 2876	2632	4179f6ff845787c1d207b6a6f6302540N.exe	30
PID 2632 wrote to memory of 2876	2632	4179f6ff845787c1d207b6a6f6302540N.exe	30
PID 2632 wrote to memory of 2876	2632	4179f6ff845787c1d207b6a6f6302540N.exe	30

C:\Users\Admin\AppData\Local\Temp\4179f6ff845787c1d207b6a6f6302540N.exe
"C:\Users\Admin\AppData\Local\Temp\4179f6ff845787c1d207b6a6f6302540N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2632
- C:\AdobeIW\devdobec.exe
  C:\AdobeIW\devdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
32670c2fd917e2a5dd7b2c99bdc9c8cd

SHA1
f4c1f15ce2934d982c4d9b8599f0c9438875a2f2

SHA256
ed7f480adb3aff31c9b5b5d0fa9df8edd91aa7108d04dbdfb8953a822b433a0f

SHA512
b5eb2e3b95048c16fd517099fbfd1a7bf9faf99d1aa8baf11e2968c1827af0ba47ba0a1f9f50c0dfd7072a6ae44c277e2b496d8f475ba655df053653650e7b60

Download Submit
C:\VidFG\dobxec.exe

Filesize
3.1MB

MD5
a3e4ce374800c82c44749459390d90b7

SHA1
416ba74c091b8d2b41c25086e72f3c8cdabf031a

SHA256
3cf02af75c43ee711ee8c4419d44ee92a8bb8e61f2e3ad0a44a0508e91cb5de5

SHA512
00fa5cba0eafb29385f37af4db957721d80a9a02ee31ae5d8db0496df160d5564da55fbe4edb1ac48991b596e70ea8db4fe67a8a4c479cb3685905ece43329d5

Download Submit
\AdobeIW\devdobec.exe

Filesize
3.1MB

MD5
a5e02e6fa5fb08ec0ea007bfcfd0adf6

SHA1
41093feaeb435eb4bd077084a48db8c1510f69de

SHA256
2a70439f5d60fa57546ca82acf5bcc260fc920d20ca8f54d64a20ab206c40542

SHA512
da6b91fa36fdffb248e1fa9e445576c7624a134c62c6eb398b172e05bb965bbb8bb7704005fe01b008c13e97b2cdbd7a6730f37f13293e0094be4516d15cbea9

Download Submit