fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e

Analysis

max time kernel
150s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 04:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
Size

2.7MB
MD5

4b823a24aa0a70d4c28412b7f7570f74
SHA1

a4da6e011db1e23bfed54769c4e8e4658b2ae415
SHA256

fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e
SHA512

6ba1eeeddca9166444f9c646442115933e03581353d1e27c8e2c745c82126230b1fa7c214d70dddbbe05435aadd039f1787c29319c03806cd4fd3f3c554f5a94
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB/9w4Sx:+R0pI/IQlUoMPdmpSpT4

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2728	devdobsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxRC\\dobxec.exe"	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvB2\\devdobsys.exe"	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devdobsys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1048	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
1048	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
1048	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
1048	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2728	devdobsys.exe
2728	devdobsys.exe
1048	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
1048	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2728	devdobsys.exe
2728	devdobsys.exe
1048	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
1048	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2728	devdobsys.exe
2728	devdobsys.exe
1048	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
1048	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2728	devdobsys.exe
2728	devdobsys.exe
1048	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
1048	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2728	devdobsys.exe
2728	devdobsys.exe
1048	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
1048	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2728	devdobsys.exe
2728	devdobsys.exe
1048	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
1048	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2728	devdobsys.exe
2728	devdobsys.exe
1048	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
1048	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2728	devdobsys.exe
2728	devdobsys.exe
1048	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
1048	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2728	devdobsys.exe
2728	devdobsys.exe
1048	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
1048	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2728	devdobsys.exe
2728	devdobsys.exe
1048	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
1048	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2728	devdobsys.exe
2728	devdobsys.exe
1048	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
1048	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2728	devdobsys.exe
2728	devdobsys.exe
1048	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
1048	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2728	devdobsys.exe
2728	devdobsys.exe
1048	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
1048	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2728	devdobsys.exe
2728	devdobsys.exe
1048	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
1048	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2728	devdobsys.exe
2728	devdobsys.exe
1048	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
1048	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 2728	1048	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe	94
PID 1048 wrote to memory of 2728	1048	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe	94
PID 1048 wrote to memory of 2728	1048	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe	94

C:\Users\Admin\AppData\Local\Temp\fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
"C:\Users\Admin\AppData\Local\Temp\fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1048
- C:\SysDrvB2\devdobsys.exe
  C:\SysDrvB2\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3924,i,3861745594156495651,17595114179815238301,262144 --variations-seed-version --mojo-platform-channel-handle=1016 /prefetch:8
1⤵
PID:3452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxRC\dobxec.exe

Filesize
18KB

MD5
87bbb0cdc6362517a23aab8ecfc36f09

SHA1
7c2ecad318e5f51a68f4513009f4a2b6d4f059b3

SHA256
c1d0482df7413b554511bf9bfec3d01587a849c643df2a1c9852fc5a7fb7e29f

SHA512
1e4285ea6019f221c26a3d69e48cc54a80bbb7b41917604123ec2b1bf93c7830c76b25aacc5844af672e5f744e5342fb032931e56a7807f0ba33d553fc7a2781

Download Submit
C:\GalaxRC\dobxec.exe

Filesize
2.7MB

MD5
95c7c19893f72f769be5e15c4d0a43bc

SHA1
c888a20a855328b59b22d3aeeb6f4129b61824d1

SHA256
c7c8f8c14584f36b913fd3663fe12e5309f9980afee4795199580f2f053cddee

SHA512
5e4fef495bc704ed81049b77e7bade30a290f1c85b6450765c158cc51252193ad590d358080495c44da2337580cadd51cbcca96522f53fb696e66cda59327dcb

Download Submit
C:\SysDrvB2\devdobsys.exe

Filesize
2.7MB

MD5
ee520cbe2d66d16edfa2c42b02da699a

SHA1
7c9f5fcc18ef8a5cd272de5d7602c0a5df29c212

SHA256
4e4e00e3cdaff4ce6170f0911b257e1efd7aab0efcefe03bfb95d440182131c5

SHA512
0899bfaab143ac2322864af8db502965ca0f30ec4ffa2d727d014f29b39a09cdac43e798783fecaceec94e7c626ba735a0e2e6bcffc66fc56f9db9f2dae7a2ef

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
52e29dd53dc6e14821b146d83ae05dc7

SHA1
e93abd3e64e137066cd8f3299b8980f069c3b9cd

SHA256
bd0554ccac0e56d9d72fc7a7d3fe713907673f83668798da2d43da5f3866d95e

SHA512
fe89f0476e346a89fdc9e9202143db601e9ad17aeb9f4b9b48a907b0f13d6ad052f661460884dedc0fa8537421b7ec05d956240f809a268890607e4e20d5a6ed

Download Submit