c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe
Size

2.7MB
MD5

35782815fd8fb3368fb0d9bdc024985d
SHA1

35e2fad1728abd23586cc28f2ed9cd0d201d2216
SHA256

c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307
SHA512

8601006c3784552c22a6b9ee7bcc46236c44887906981655b340d63521491d2d5bf997d1246d2c0102e3babaff574cf17c68c4d909479d16acf2859f4192480f
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBG9w4Sx:+R0pI/IQlUoMPdmpSp44

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3224	devdobec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB6A\\dobdevloc.exe"	c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesE2\\devdobec.exe"	c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
636	c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe
636	c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe
636	c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe
636	c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe
3224	devdobec.exe
3224	devdobec.exe
636	c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe
636	c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe
3224	devdobec.exe
3224	devdobec.exe
636	c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe
636	c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe
3224	devdobec.exe
3224	devdobec.exe
636	c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe
636	c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe
3224	devdobec.exe
3224	devdobec.exe
636	c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe
636	c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe
3224	devdobec.exe
3224	devdobec.exe
636	c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe
636	c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe
3224	devdobec.exe
3224	devdobec.exe
636	c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe
636	c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe
3224	devdobec.exe
3224	devdobec.exe
636	c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe
636	c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe
3224	devdobec.exe
3224	devdobec.exe
636	c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe
636	c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe
3224	devdobec.exe
3224	devdobec.exe
636	c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe
636	c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe
3224	devdobec.exe
3224	devdobec.exe
636	c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe
636	c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe
3224	devdobec.exe
3224	devdobec.exe
636	c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe
636	c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe
3224	devdobec.exe
3224	devdobec.exe
636	c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe
636	c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe
3224	devdobec.exe
3224	devdobec.exe
636	c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe
636	c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe
3224	devdobec.exe
3224	devdobec.exe
636	c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe
636	c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe
3224	devdobec.exe
3224	devdobec.exe
636	c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe
636	c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 636 wrote to memory of 3224	636	c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe	87
PID 636 wrote to memory of 3224	636	c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe	87
PID 636 wrote to memory of 3224	636	c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe	87

C:\Users\Admin\AppData\Local\Temp\c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe
"C:\Users\Admin\AppData\Local\Temp\c9f2d481b70bacf3fd6ca2ed34482eeb1d2172d108d84b4632287fc4d9fbe307.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:636
- C:\FilesE2\devdobec.exe
  C:\FilesE2\devdobec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesE2\devdobec.exe

Filesize
2.7MB

MD5
4c2f479c3df6bf6160d559f1caf94a71

SHA1
26aaef073c86ad33dbcf70f2cbd981bd704d3a15

SHA256
446bfb5de32706976e81bdcbe86986543a8b08b9a00424d68e0a672c1f877c7d

SHA512
af1069a3ce401386715949cf6ae032d12803eee19c45ecd94396e8c214bafb1817f8dc6e4455b6316dbec452b310910e75a6f432348e4990ffff758efdb65385

Download Submit
C:\KaVB6A\dobdevloc.exe

Filesize
838KB

MD5
1037e139580c0b9cf1c7574e56b8e1bd

SHA1
def4d30c01b4b1e26bb4ec1d84a30c70da9bed01

SHA256
9abd0c8eecfaf6e5ab0de2f13c22ce4caced797375d7ed111057c16928eb5a6a

SHA512
6b0147bf878414b7f8f4aef1ea74a712c5d0f693e0210830030e366ad797c97253c2ea2bc130284b52dc840cd23f6fc1961b7bc827833512cfea09af93d9af6c

Download Submit
C:\KaVB6A\dobdevloc.exe

Filesize
2.7MB

MD5
bbf01ba6a8fea49ca51a78e3989beb8d

SHA1
59b928cb83b53bdeba748465b43eb2ac2c25bd7a

SHA256
191dfc069e887a357e689e460351adcdfd9ab84e26dd53a53a836f202e550ce6

SHA512
e2245c2ab83528dc7b6caf21d28938ee1cfb0c5fa56ae35257fe2294509519e7417411ca1722bc71ca955315bf8b27c4a560eeb3f256f67921282fa1a6b7526b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
1f9b164f5e660c9b6f010f2ff5cdbffb

SHA1
d37b4985cabc11b6ded9658bf00344c667107401

SHA256
4108f125458ff846a1a96218e06c9ba015ef7d51cf0ac993b3874310105decac

SHA512
c7a9508c9522f03ba25e2a9d8831981389bd73d62896351674d8794d5f6e992f6787a0421bfa5c575b6d29c7081abc26a0a4f739afd03ef51c17f55bd96de8ae

Download Submit