67223fec7c3482a835f2e108ecdf023a38120e3c9a63ed13ba14042ce4d10dfe

Analysis

max time kernel
119s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 10:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
Size

2.7MB
MD5

9c3649c98380ec2e10f8d6fc6f6e60b0
SHA1

7cb4dfd238cf46a1f7360a5d8c1e2900e8097412
SHA256

67223fec7c3482a835f2e108ecdf023a38120e3c9a63ed13ba14042ce4d10dfe
SHA512

96bc094a203fd2e819cbcd056613a29eb61c6bc0a2c19c791af2a81f38117d224cf09791a3197448354feb9f1cc9cc146fe74d4fc3f86a8e83e29efc1615d2f1
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBI9w4Sx:+R0pI/IQlUoMPdmpSpW4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
828	devdobloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvX0\\devdobloc.exe"	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintJL\\boddevloc.exe"	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2312	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2312	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2312	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2312	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
828	devdobloc.exe
828	devdobloc.exe
2312	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2312	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
828	devdobloc.exe
828	devdobloc.exe
2312	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2312	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
828	devdobloc.exe
828	devdobloc.exe
2312	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2312	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
828	devdobloc.exe
828	devdobloc.exe
2312	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2312	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
828	devdobloc.exe
828	devdobloc.exe
2312	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2312	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
828	devdobloc.exe
828	devdobloc.exe
2312	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2312	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
828	devdobloc.exe
828	devdobloc.exe
2312	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2312	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
828	devdobloc.exe
828	devdobloc.exe
2312	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2312	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
828	devdobloc.exe
828	devdobloc.exe
2312	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2312	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
828	devdobloc.exe
828	devdobloc.exe
2312	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2312	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
828	devdobloc.exe
828	devdobloc.exe
2312	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2312	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
828	devdobloc.exe
828	devdobloc.exe
2312	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2312	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
828	devdobloc.exe
828	devdobloc.exe
2312	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2312	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
828	devdobloc.exe
828	devdobloc.exe
2312	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2312	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
828	devdobloc.exe
828	devdobloc.exe
2312	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
2312	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 828	2312	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe	86
PID 2312 wrote to memory of 828	2312	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe	86
PID 2312 wrote to memory of 828	2312	9c3649c98380ec2e10f8d6fc6f6e60b0N.exe	86

C:\Users\Admin\AppData\Local\Temp\9c3649c98380ec2e10f8d6fc6f6e60b0N.exe
"C:\Users\Admin\AppData\Local\Temp\9c3649c98380ec2e10f8d6fc6f6e60b0N.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2312
- C:\SysDrvX0\devdobloc.exe
  C:\SysDrvX0\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintJL\boddevloc.exe

Filesize
21KB

MD5
88c4193a34bc33ed642c08b873d8f01d

SHA1
09090721da01bb4de69a935354eb91e434b18f1b

SHA256
885ae505ce1d9fe457313dec50b16b13a0467d754c98013814cc7e643b27ce0e

SHA512
bd78e8ee2067c7a441769636d628685fd84921ccd58e82b05257dd862af095dba0fbe9642b38d161c7bad148f749c65592c682bad75a7ad362ae9514d2c6dc50

Download Submit
C:\SysDrvX0\devdobloc.exe

Filesize
2.7MB

MD5
8c9a6f61bd288d2f70c341efecff956a

SHA1
2facabac31e13b1ec5360037f4a5ac7a593f4283

SHA256
9649e895eec04497af4c51a7de8291de35b432ce1e6365fb398a14859f006865

SHA512
a9ddcc29ab6476801ad378f01003a182994ecffef073614f45410032fb9455ca84244583accde84382663098ceca2a3c3d724456f95f87d96438d6f3432cca71

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
73585f44bf1723a4c4673bb49b1050ec

SHA1
b8a57a3a43a039b694c704e5b20815c4cb645e5e

SHA256
9ba8d384583764a4638f148ae03951ade3f4b5a288091f5f934b54df903c039f

SHA512
f8fec8092f15ee4586a27ef41f7efa340c57e3d1fd5729c1fb4d16b15c44af5185c243810a016834622ebf1ae31549dde66db5f141d6d763cac90c1d326ff88c

Download Submit