67223fec7c3482a835f2e108ecdf023a38120e3c9a63ed13ba14042ce4d10dfe

Analysis

max time kernel
119s
max time network
18s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
22/07/2024, 10:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
Size

2.7MB
MD5

9c3649c98380ec2e10f8d6fc6f6e60b0
SHA1

7cb4dfd238cf46a1f7360a5d8c1e2900e8097412
SHA256

67223fec7c3482a835f2e108ecdf023a38120e3c9a63ed13ba14042ce4d10dfe
SHA512

96bc094a203fd2e819cbcd056613a29eb61c6bc0a2c19c791af2a81f38117d224cf09791a3197448354feb9f1cc9cc146fe74d4fc3f86a8e83e29efc1615d2f1
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBI9w4Sx:+R0pI/IQlUoMPdmpSpW4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2072	devdobloc.exe

Loads dropped DLL 1 IoCs

pid	Process
1292	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc8L\\devdobloc.exe"	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxZK\\bodxloc.exe"	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1292	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
1292	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2072	devdobloc.exe
1292	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2072	devdobloc.exe
1292	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2072	devdobloc.exe
1292	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2072	devdobloc.exe
1292	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2072	devdobloc.exe
1292	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2072	devdobloc.exe
1292	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2072	devdobloc.exe
1292	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2072	devdobloc.exe
1292	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2072	devdobloc.exe
1292	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2072	devdobloc.exe
1292	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2072	devdobloc.exe
1292	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2072	devdobloc.exe
1292	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2072	devdobloc.exe
1292	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2072	devdobloc.exe
1292	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2072	devdobloc.exe
1292	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2072	devdobloc.exe
1292	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2072	devdobloc.exe
1292	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2072	devdobloc.exe
1292	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2072	devdobloc.exe
1292	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2072	devdobloc.exe
1292	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2072	devdobloc.exe
1292	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2072	devdobloc.exe
1292	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2072	devdobloc.exe
1292	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2072	devdobloc.exe
1292	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2072	devdobloc.exe
1292	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2072	devdobloc.exe
1292	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2072	devdobloc.exe
1292	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2072	devdobloc.exe
1292	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2072	devdobloc.exe
1292	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2072	devdobloc.exe
1292	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2072	devdobloc.exe
1292	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 2072	1292	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe	31
PID 1292 wrote to memory of 2072	1292	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe	31
PID 1292 wrote to memory of 2072	1292	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe	31
PID 1292 wrote to memory of 2072	1292	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe	31

C:\Users\Admin\AppData\Local\Temp\9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
"C:\Users\Admin\AppData\Local\Temp\9c3649c98380ec2e10f8d6fc6f6e60b0N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Intelproc8L\devdobloc.exe
  C:\Intelproc8L\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxZK\bodxloc.exe

Filesize
2.7MB

MD5
8193f3f4b75719bf393ad4de1d9482fd

SHA1
304483ab6e55720f349bfa7a2f2c8c3b6da968ea

SHA256
c85cc87eaccb28dd6da77845d969c3e4bf409c57acf48406a428cce4b5c33a78

SHA512
6bf6133264e8fed7ef030fa4bd64feb945af26272112b8adb0225192a7dd3818b268f9d94eca1cd9d0285d574e8adb97b70f51d7563d1377e83fd9d7ea950c8b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
b0b4bbb8c9b7eec5e8207572914fd5bf

SHA1
c8455fec8715b6f84f070dd113fd26981d369a18

SHA256
98ffbb7b056ddf995252e405052c797d8cda808a489dbd9717ae7d9e668ae383

SHA512
ea07120db969503fb66bf4d56711833c56939048cebe0ca6f3c80815a412442d243466c4c006b23930e3e6820d5d552d98fd356a3af0474f874dd86380c0c742

Download Submit
\Intelproc8L\devdobloc.exe

Filesize
2.7MB

MD5
5e906a0f066b39dd507f4a4416f5355c

SHA1
658ee1b5534baba289932f53503654467bdbdee3

SHA256
0191bf63f49d84ba50927f0440c138062c503432a8eddca9e47540fa4e37c8e3

SHA512
71590c6e76ef79e42e5ace2746b10e57997cba9721417525769ccb3ad64cecc8995a23843627d4fda9cfd2be6f5de7f3f148a0265e435dd24ada84a98eaa77ba

Download Submit