26346d7f4f0a03de6ce65b4c4e9bf5019f30b32f95102c3af2db95e16a08ba6c

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
25/07/2024, 23:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

30aed4fdd98c38080e951f65baf19ca0N.exe
Size

2.7MB
MD5

30aed4fdd98c38080e951f65baf19ca0
SHA1

ccc91aeebac80a7a1fd2d1d7388410c57bf60ccb
SHA256

26346d7f4f0a03de6ce65b4c4e9bf5019f30b32f95102c3af2db95e16a08ba6c
SHA512

2a4d7cd591ceee2c7bf227972663e13f3e0d3e2cf9abdbb1b37edf50b7aa1ac3eb6f700dcf07847ac63e60e53a80caacd859e01b203dd94eaaafcb34392309f0
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBp9w4S+:+R0pI/IQlUoMPdmpSpp4X

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2788	devdobec.exe

Loads dropped DLL 1 IoCs

pid	Process
2196	30aed4fdd98c38080e951f65baf19ca0N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe2M\\devdobec.exe"	30aed4fdd98c38080e951f65baf19ca0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxLI\\dobasys.exe"	30aed4fdd98c38080e951f65baf19ca0N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30aed4fdd98c38080e951f65baf19ca0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobec.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\AdminF+ZZ.K^KF<YKWSXQF7SM\Y]YP^FASXNYa]F=^K\^ 7OX_F:\YQ\KW]F=^K\^_ZFlocadob.exe	30aed4fdd98c38080e951f65baf19ca0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2196	30aed4fdd98c38080e951f65baf19ca0N.exe
2196	30aed4fdd98c38080e951f65baf19ca0N.exe
2788	devdobec.exe
2196	30aed4fdd98c38080e951f65baf19ca0N.exe
2788	devdobec.exe
2196	30aed4fdd98c38080e951f65baf19ca0N.exe
2788	devdobec.exe
2196	30aed4fdd98c38080e951f65baf19ca0N.exe
2788	devdobec.exe
2196	30aed4fdd98c38080e951f65baf19ca0N.exe
2788	devdobec.exe
2196	30aed4fdd98c38080e951f65baf19ca0N.exe
2788	devdobec.exe
2196	30aed4fdd98c38080e951f65baf19ca0N.exe
2788	devdobec.exe
2196	30aed4fdd98c38080e951f65baf19ca0N.exe
2788	devdobec.exe
2196	30aed4fdd98c38080e951f65baf19ca0N.exe
2788	devdobec.exe
2196	30aed4fdd98c38080e951f65baf19ca0N.exe
2788	devdobec.exe
2196	30aed4fdd98c38080e951f65baf19ca0N.exe
2788	devdobec.exe
2196	30aed4fdd98c38080e951f65baf19ca0N.exe
2788	devdobec.exe
2196	30aed4fdd98c38080e951f65baf19ca0N.exe
2788	devdobec.exe
2196	30aed4fdd98c38080e951f65baf19ca0N.exe
2788	devdobec.exe
2196	30aed4fdd98c38080e951f65baf19ca0N.exe
2788	devdobec.exe
2196	30aed4fdd98c38080e951f65baf19ca0N.exe
2788	devdobec.exe
2196	30aed4fdd98c38080e951f65baf19ca0N.exe
2788	devdobec.exe
2196	30aed4fdd98c38080e951f65baf19ca0N.exe
2788	devdobec.exe
2196	30aed4fdd98c38080e951f65baf19ca0N.exe
2788	devdobec.exe
2196	30aed4fdd98c38080e951f65baf19ca0N.exe
2788	devdobec.exe
2196	30aed4fdd98c38080e951f65baf19ca0N.exe
2788	devdobec.exe
2196	30aed4fdd98c38080e951f65baf19ca0N.exe
2788	devdobec.exe
2196	30aed4fdd98c38080e951f65baf19ca0N.exe
2788	devdobec.exe
2196	30aed4fdd98c38080e951f65baf19ca0N.exe
2788	devdobec.exe
2196	30aed4fdd98c38080e951f65baf19ca0N.exe
2788	devdobec.exe
2196	30aed4fdd98c38080e951f65baf19ca0N.exe
2788	devdobec.exe
2196	30aed4fdd98c38080e951f65baf19ca0N.exe
2788	devdobec.exe
2196	30aed4fdd98c38080e951f65baf19ca0N.exe
2788	devdobec.exe
2196	30aed4fdd98c38080e951f65baf19ca0N.exe
2788	devdobec.exe
2196	30aed4fdd98c38080e951f65baf19ca0N.exe
2788	devdobec.exe
2196	30aed4fdd98c38080e951f65baf19ca0N.exe
2788	devdobec.exe
2196	30aed4fdd98c38080e951f65baf19ca0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2788	2196	30aed4fdd98c38080e951f65baf19ca0N.exe	30
PID 2196 wrote to memory of 2788	2196	30aed4fdd98c38080e951f65baf19ca0N.exe	30
PID 2196 wrote to memory of 2788	2196	30aed4fdd98c38080e951f65baf19ca0N.exe	30
PID 2196 wrote to memory of 2788	2196	30aed4fdd98c38080e951f65baf19ca0N.exe	30

C:\Users\Admin\AppData\Local\Temp\30aed4fdd98c38080e951f65baf19ca0N.exe
"C:\Users\Admin\AppData\Local\Temp\30aed4fdd98c38080e951f65baf19ca0N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Adobe2M\devdobec.exe
  C:\Adobe2M\devdobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxLI\dobasys.exe

Filesize
2.7MB

MD5
6e58d82c049b9875606889f9d9bc57dd

SHA1
f052010d36589f376f5fc42f5035e7f136b7f37d

SHA256
ab0aa1e2b746568c407f52fa6107f00884d02934cc3af93a0df6ee57d51daea7

SHA512
802dfc33ace4b094be61d3cfda909e9f47b75ddf38eb540b28c21c4478ac757d2ff95f79a18a93e4f380945323af7de82c7756725d264dcd07c728f0438d1055

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
32a12ee63005588545f3a3ab3c99d35d

SHA1
1a236be4a3142b07d265e691cedd41b546f9e864

SHA256
e46ac18faebf6f28496ba8554b29f5a446e0de93de132979356bec30accc8083

SHA512
b4070d8695f9adca2f118058cbdca6a781494c17fc624c5b4f2397c0a01592f8e62f8f4af8f356fad110add706166c9b6564e8cf01c45437dd001febbece3319

Download Submit
\Adobe2M\devdobec.exe

Filesize
2.7MB

MD5
27ae76f1738963d85ce882dd04ef0811

SHA1
c392696708f0d2cd6e357b394a5964c32f1d0b25

SHA256
b6677fb2d9c1663d88e54fa52b94f903b8fe2a691ee4cda9d982c85463356557

SHA512
29b75ce652c56133597aaddc3a232001be6c5b57a5f8782f19a7cfd6c054c8051a2c4959023bba05a7df761ded121818fa49ac6435fdbb402ee1f19b1cfd8c3f

Download Submit