d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
09-08-2024 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe
Size

2.7MB
MD5

9a014df85033b176b4600988b1bf68fc
SHA1

25cd582af7c5751ec5aed7777b2899d25f07cf22
SHA256

d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447
SHA512

799bf9236ef83991acb0581b34b64b1ac41ed355dee94665dd872717717b0dc0015ef7a9438a6709cf8268f08fdd6a582193e740a9f9e8d33569a12d77f34a10
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBu9w4Sx:+R0pI/IQlUoMPdmpSpM4

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2220	devdobsys.exe

Loads dropped DLL 1 IoCs

pid	Process
2284	d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxIN\\dobaec.exe"	d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeW3\\devdobsys.exe"	d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2284	d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe
2284	d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe
2220	devdobsys.exe
2284	d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe
2220	devdobsys.exe
2284	d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe
2220	devdobsys.exe
2284	d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe
2220	devdobsys.exe
2284	d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe
2220	devdobsys.exe
2284	d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe
2220	devdobsys.exe
2284	d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe
2220	devdobsys.exe
2284	d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe
2220	devdobsys.exe
2284	d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe
2220	devdobsys.exe
2284	d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe
2220	devdobsys.exe
2284	d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe
2220	devdobsys.exe
2284	d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe
2220	devdobsys.exe
2284	d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe
2220	devdobsys.exe
2284	d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe
2220	devdobsys.exe
2284	d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe
2220	devdobsys.exe
2284	d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe
2220	devdobsys.exe
2284	d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe
2220	devdobsys.exe
2284	d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe
2220	devdobsys.exe
2284	d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe
2220	devdobsys.exe
2284	d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe
2220	devdobsys.exe
2284	d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe
2220	devdobsys.exe
2284	d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe
2220	devdobsys.exe
2284	d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe
2220	devdobsys.exe
2284	d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe
2220	devdobsys.exe
2284	d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe
2220	devdobsys.exe
2284	d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe
2220	devdobsys.exe
2284	d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe
2220	devdobsys.exe
2284	d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe
2220	devdobsys.exe
2284	d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe
2220	devdobsys.exe
2284	d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe
2220	devdobsys.exe
2284	d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe
2220	devdobsys.exe
2284	d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 2220	2284	d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe	31
PID 2284 wrote to memory of 2220	2284	d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe	31
PID 2284 wrote to memory of 2220	2284	d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe	31
PID 2284 wrote to memory of 2220	2284	d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe	31

C:\Users\Admin\AppData\Local\Temp\d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe
"C:\Users\Admin\AppData\Local\Temp\d334d576a702faba15d2394740a109b6041e727d6db45f29d0a66e38fcd32447.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2284
- C:\AdobeW3\devdobsys.exe
  C:\AdobeW3\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxIN\dobaec.exe

Filesize
2.7MB

MD5
36469bdef75fea0f527cf0c8f3ede7a7

SHA1
df8ee8e033c0e06be02aece3737c8aabea67ee01

SHA256
1fbeae7c74c385559cbd691a2e3e220007851e1a12a02a5d6db92fb746a33700

SHA512
910553df147560d16f1cc4d52408b6f91584ddbc1173bc2012c37deaec3224c257fb9b08375d13333ab5614a9a7bc017c1386e2ddaadb87e3c33656f31e8cbd0

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
10809dd267721c8b9697d6638b2ad986

SHA1
da683a2f638bc42f850ad8a2fcfd8d260883f980

SHA256
d7a86e714d1b536703b0122404e07f1af6bdcf0a9c10daa9324171d617dca430

SHA512
ffc7a62d8b9295fbb7673eeb801c9e55c0cc11617a4234ad478f9b95de3276a21c9530df9ed8fb0fbf80f2b797568093a261770b8ecdd03dd1539128b1eafd20

Download Submit
\AdobeW3\devdobsys.exe

Filesize
2.7MB

MD5
9dd4bbfab8df5a88a3deb0e4b9a59096

SHA1
af2144659800abbede3f4a93b09b1b021ab7bbfa

SHA256
e37cb99874a45104ab1d7e470fa82914bd25d2142b110682d3f6f23267e60892

SHA512
5a6a7fdd4c9226fb9228880de42c1fd6dc239dc0d969e71fc6498b32811262748eff387adb8055555858ac82b3193125a599c9ebcc6c2c78e33e9283e18d26e7

Download Submit