8eccc893c1a289be577af468ac1c7f13a4df2d78c41ee7afe379cf075c97c61a

Analysis

max time kernel
119s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2024 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08f23127106e454e6da03e5543164880N.exe
Size

2.7MB
MD5

08f23127106e454e6da03e5543164880
SHA1

15d9d50e70b6369b54b7505fe5ec1ce65aed47f8
SHA256

8eccc893c1a289be577af468ac1c7f13a4df2d78c41ee7afe379cf075c97c61a
SHA512

3679fbc5276378add4527f2c7ebd5683207cca00e99d2ae5f02cb66054fe05f3693acb300c38b856502203f07489c8ca027d53c665272385e06a96b5f37c35b1
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBy9w4Sx:+R0pI/IQlUoMPdmpSpg4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
516	devdobec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files6M\\devdobec.exe"	08f23127106e454e6da03e5543164880N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ9U\\bodasys.exe"	08f23127106e454e6da03e5543164880N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4124	08f23127106e454e6da03e5543164880N.exe
4124	08f23127106e454e6da03e5543164880N.exe
4124	08f23127106e454e6da03e5543164880N.exe
4124	08f23127106e454e6da03e5543164880N.exe
516	devdobec.exe
516	devdobec.exe
4124	08f23127106e454e6da03e5543164880N.exe
4124	08f23127106e454e6da03e5543164880N.exe
516	devdobec.exe
516	devdobec.exe
4124	08f23127106e454e6da03e5543164880N.exe
4124	08f23127106e454e6da03e5543164880N.exe
516	devdobec.exe
516	devdobec.exe
4124	08f23127106e454e6da03e5543164880N.exe
4124	08f23127106e454e6da03e5543164880N.exe
516	devdobec.exe
516	devdobec.exe
4124	08f23127106e454e6da03e5543164880N.exe
4124	08f23127106e454e6da03e5543164880N.exe
516	devdobec.exe
516	devdobec.exe
4124	08f23127106e454e6da03e5543164880N.exe
4124	08f23127106e454e6da03e5543164880N.exe
516	devdobec.exe
516	devdobec.exe
4124	08f23127106e454e6da03e5543164880N.exe
4124	08f23127106e454e6da03e5543164880N.exe
516	devdobec.exe
516	devdobec.exe
4124	08f23127106e454e6da03e5543164880N.exe
4124	08f23127106e454e6da03e5543164880N.exe
516	devdobec.exe
516	devdobec.exe
4124	08f23127106e454e6da03e5543164880N.exe
4124	08f23127106e454e6da03e5543164880N.exe
516	devdobec.exe
516	devdobec.exe
4124	08f23127106e454e6da03e5543164880N.exe
4124	08f23127106e454e6da03e5543164880N.exe
516	devdobec.exe
516	devdobec.exe
4124	08f23127106e454e6da03e5543164880N.exe
4124	08f23127106e454e6da03e5543164880N.exe
516	devdobec.exe
516	devdobec.exe
4124	08f23127106e454e6da03e5543164880N.exe
4124	08f23127106e454e6da03e5543164880N.exe
516	devdobec.exe
516	devdobec.exe
4124	08f23127106e454e6da03e5543164880N.exe
4124	08f23127106e454e6da03e5543164880N.exe
516	devdobec.exe
516	devdobec.exe
4124	08f23127106e454e6da03e5543164880N.exe
4124	08f23127106e454e6da03e5543164880N.exe
516	devdobec.exe
516	devdobec.exe
4124	08f23127106e454e6da03e5543164880N.exe
4124	08f23127106e454e6da03e5543164880N.exe
516	devdobec.exe
516	devdobec.exe
4124	08f23127106e454e6da03e5543164880N.exe
4124	08f23127106e454e6da03e5543164880N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 516	4124	08f23127106e454e6da03e5543164880N.exe	89
PID 4124 wrote to memory of 516	4124	08f23127106e454e6da03e5543164880N.exe	89
PID 4124 wrote to memory of 516	4124	08f23127106e454e6da03e5543164880N.exe	89

C:\Users\Admin\AppData\Local\Temp\08f23127106e454e6da03e5543164880N.exe
"C:\Users\Admin\AppData\Local\Temp\08f23127106e454e6da03e5543164880N.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Files6M\devdobec.exe
  C:\Files6M\devdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files6M\devdobec.exe

Filesize
2.7MB

MD5
5c27fe4a567b2a78a8aa1e27d1dfe377

SHA1
cee68468d7787636ab3997365aff706e1bbaaaef

SHA256
7a33bdcc6ac79247ab0da7931bd0a32eb18ed33b9f07f2c0458d995bb0d949eb

SHA512
7c96746eaba9c8f4afc1604bd45bdf04c89b93e971370531f9d163a04b3f985173ef5b70e5f1c06c4926d6989d06db52bddfd907698797deb65789e3400a7006

Download Submit
C:\LabZ9U\bodasys.exe

Filesize
73KB

MD5
92b61e99bfa2f2b41edfdfba07017cce

SHA1
809acafe80941308e7d2648a9fe9b3fd18bf1753

SHA256
4fa0c926f38a5695421b5957c970cc5a357a539c9a8df2292fa8e9ba7c975e92

SHA512
daa8fbbf0eda7784d67d3630dcc091c211f7a3fd5169ceeae87169042e9319546d3b1f7240d6a7b52e9e31d4e1416940d4da402a0205fb6c13e31fcff2c7cf4f

Download Submit
C:\LabZ9U\bodasys.exe

Filesize
2.7MB

MD5
c2f442c9f35ea51a17988dbd3b24dd6d

SHA1
2a6546811fc03db3ff7d4e3d1f3ae0c5dcf10b3f

SHA256
eb18a6e2b203c8c5a5b661f5d73f1d6dcbd41a26c63079d71bee466f39e3335f

SHA512
e78da753d405e6a50f3a9c07b5df8a2265aeb66be7c01181d25718b952f41d647cebc7446644d217638bb73ee45d6ea03ef3976c739984fd1eda07982507c3e8

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
811c3b8ebc189f6def8b10ff17678744

SHA1
5b3382c4975ee7e9f5ae4f9c81c8caa25cc05967

SHA256
fe1d337e9f3a9f5dccbce8b6f9cf32ed0a941f5cdf28b92528084133aac2fd35

SHA512
677a2213c8fd4ce0505d48ae4e9edaf16a81c759611777f1b680e16fa20b79cbcf56aaf801706ef4758a416bb1e7040fbeb2a58b4d558000a00ad97486df13d3

Download Submit