300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637

Analysis

max time kernel
150s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe
Size

3.1MB
MD5

e70e6e4a6b5e648cd1d602fff778c83a
SHA1

fdcefcf2b24257b4f34df55b5d2c7db579432105
SHA256

300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637
SHA512

ac638bfa41a6dac78a441d35e32e8632a0f067b6b4d672a3764b6696ab53a4b3bcc916557ceaaf8ef6773c72aab83c16941776a050a01bdc3c5cd97c195ee5ec
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBU9w4Su+LNfej:+R0pI/IQlUoMPdmpSpy4JkNfej

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3076	devdobloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvZ9\\devdobloc.exe"	300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintXL\\dobdevloc.exe"	300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2892	300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe
2892	300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe
2892	300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe
2892	300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe
3076	devdobloc.exe
3076	devdobloc.exe
2892	300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe
2892	300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe
3076	devdobloc.exe
3076	devdobloc.exe
2892	300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe
2892	300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe
3076	devdobloc.exe
3076	devdobloc.exe
2892	300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe
2892	300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe
3076	devdobloc.exe
3076	devdobloc.exe
2892	300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe
2892	300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe
3076	devdobloc.exe
3076	devdobloc.exe
2892	300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe
2892	300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe
3076	devdobloc.exe
3076	devdobloc.exe
2892	300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe
2892	300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe
3076	devdobloc.exe
3076	devdobloc.exe
2892	300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe
2892	300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe
3076	devdobloc.exe
3076	devdobloc.exe
2892	300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe
2892	300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe
3076	devdobloc.exe
3076	devdobloc.exe
2892	300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe
2892	300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe
3076	devdobloc.exe
3076	devdobloc.exe
2892	300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe
2892	300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe
3076	devdobloc.exe
3076	devdobloc.exe
2892	300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe
2892	300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe
3076	devdobloc.exe
3076	devdobloc.exe
2892	300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe
2892	300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe
3076	devdobloc.exe
3076	devdobloc.exe
2892	300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe
2892	300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe
3076	devdobloc.exe
3076	devdobloc.exe
2892	300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe
2892	300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe
3076	devdobloc.exe
3076	devdobloc.exe
2892	300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe
2892	300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 3076	2892	300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe	88
PID 2892 wrote to memory of 3076	2892	300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe	88
PID 2892 wrote to memory of 3076	2892	300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe	88

C:\Users\Admin\AppData\Local\Temp\300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe
"C:\Users\Admin\AppData\Local\Temp\300a8a0cfc4c3dd458a48746d2a123d21eaacd37d2a8293b13e0fabd0d12d637.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2892
- C:\SysDrvZ9\devdobloc.exe
  C:\SysDrvZ9\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintXL\dobdevloc.exe

Filesize
3.1MB

MD5
8aaa740f3fb624114e64ca9a1de80b59

SHA1
6153b6bdb914610fa7ea9d8c5263a27ba42bcf3e

SHA256
4555463f18d1ce5167ad47666e888ee7d07f99a644b028456c2b11c5fb47684e

SHA512
67838ffde97c029a99dcc4be589c86f0a6453c55307790511f385f38e375cb0ee7df93890ed455eecbb9a1fe5b128c7b584e102b0cb134654bdd804f5d69a36d

Download Submit
C:\SysDrvZ9\devdobloc.exe

Filesize
3.1MB

MD5
1d03c3d78faa2b2d2b3dcf29a07aac31

SHA1
df8a85f06b97132dd8079911adfa6493a758999a

SHA256
c7c298f2f555015c406bbbdf3f839cba50c920b5b9bff566ef479448f5061765

SHA512
7fb94bfa6ca15db83a16e25f6109013241b9cf9e1f2ef547f72aeb95230b956beaca9b2b96e81c53cf1def4e8c3a0c6c55a76bbd80978dda5c545bdc1b423bd1

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
207B

MD5
339f7ce0b400adf4a3632d00a50ef097

SHA1
c573409c606a7ed75fbe9d67d6cb8e0bf2300e92

SHA256
2f5f86ff4e6e419932ffc598d93d506bf5b4457faabb14eadefc5f7a5d0e8a35

SHA512
fec63bb1a76e1e1573e0511b979f4dae49dc3c91719b112e17dd215fbd01f28669dd681c00953a12cf1facb691e40950820aa14186d310f229398e506a3aa11e

Download Submit