aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
02-09-2023 08:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe
Size

4.1MB
MD5

70d08acb85bbd3c770f4e010006a946a
SHA1

46c7db46d2682e8373e2e1395ab83b98c07c3a5b
SHA256

aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd
SHA512

4bd03fc49952fa88e756fb8a154434f41deabc522c6a37ca5aa6e0ce23baa2d755489268821eb35b76ab12164f15446ef73e01c789556836fb318dec6f6ef684
SSDEEP

98304:+R0pI/IQlUoMPdmpSpV4ADtnkgvNWlw6aTfN41v9:+R0pIAQhMPdm25n9klRKN41v9

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2644	devoptiloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2792	aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeXQ\\devoptiloc.exe"	aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZGS\\bodaloc.exe"	aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2792	aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe
2792	aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe
2644	devoptiloc.exe
2792	aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe
2792	aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe
2644	devoptiloc.exe
2792	aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe
2644	devoptiloc.exe
2792	aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe
2644	devoptiloc.exe
2792	aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe
2644	devoptiloc.exe
2792	aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe
2644	devoptiloc.exe
2792	aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe
2644	devoptiloc.exe
2792	aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe
2644	devoptiloc.exe
2792	aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe
2644	devoptiloc.exe
2792	aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe
2644	devoptiloc.exe
2792	aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe
2644	devoptiloc.exe
2792	aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe
2644	devoptiloc.exe
2792	aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe
2644	devoptiloc.exe
2792	aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe
2644	devoptiloc.exe
2792	aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe
2644	devoptiloc.exe
2792	aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe
2644	devoptiloc.exe
2792	aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe
2644	devoptiloc.exe
2792	aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe
2644	devoptiloc.exe
2792	aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe
2644	devoptiloc.exe
2792	aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe
2644	devoptiloc.exe
2792	aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe
2644	devoptiloc.exe
2792	aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe
2644	devoptiloc.exe
2792	aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe
2644	devoptiloc.exe
2792	aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe
2644	devoptiloc.exe
2792	aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe
2644	devoptiloc.exe
2792	aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe
2644	devoptiloc.exe
2792	aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe
2644	devoptiloc.exe
2792	aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe
2644	devoptiloc.exe
2792	aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe
2644	devoptiloc.exe
2792	aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe
2644	devoptiloc.exe
2792	aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe
2644	devoptiloc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2644	2792	aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe	28
PID 2792 wrote to memory of 2644	2792	aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe	28
PID 2792 wrote to memory of 2644	2792	aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe	28
PID 2792 wrote to memory of 2644	2792	aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe	28

C:\Users\Admin\AppData\Local\Temp\aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe
"C:\Users\Admin\AppData\Local\Temp\aa36cd866a73808525bdcde5e525e4dc1f599ef86c0974358523eb36c2d439bd.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2792
- C:\AdobeXQ\devoptiloc.exe
  C:\AdobeXQ\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeXQ\devoptiloc.exe

Filesize
4.1MB

MD5
ac3694b34fd291f345555a57ee00f69c

SHA1
b022d7415a11187a765c02a30edf59356d0e9b4c

SHA256
b5ed8b5a68caef89f43f10a549898c2d4e2aec879c6af8c6410f957c48e1906f

SHA512
f45e4b47234549b57ac900924a1feab634127c8457a0d64147ede59168d48e27045e5c05d800c35c698908a21ffde5ff4a56264f57c08b8516de5e413b9521d0

Download Submit
C:\AdobeXQ\devoptiloc.exe

Filesize
4.1MB

MD5
ac3694b34fd291f345555a57ee00f69c

SHA1
b022d7415a11187a765c02a30edf59356d0e9b4c

SHA256
b5ed8b5a68caef89f43f10a549898c2d4e2aec879c6af8c6410f957c48e1906f

SHA512
f45e4b47234549b57ac900924a1feab634127c8457a0d64147ede59168d48e27045e5c05d800c35c698908a21ffde5ff4a56264f57c08b8516de5e413b9521d0

Download Submit
C:\AdobeXQ\devoptiloc.exe

Filesize
4.1MB

MD5
ac3694b34fd291f345555a57ee00f69c

SHA1
b022d7415a11187a765c02a30edf59356d0e9b4c

SHA256
b5ed8b5a68caef89f43f10a549898c2d4e2aec879c6af8c6410f957c48e1906f

SHA512
f45e4b47234549b57ac900924a1feab634127c8457a0d64147ede59168d48e27045e5c05d800c35c698908a21ffde5ff4a56264f57c08b8516de5e413b9521d0

Download Submit
C:\LabZGS\bodaloc.exe

Filesize
4.1MB

MD5
f0c2964670287df7627c82573108ff33

SHA1
9d15d5a4542300fed30808f111c670d77b3ab348

SHA256
3944704820a73be4fa5a8a71750c629d628668d2439fac8c7def9db8fa55c5b8

SHA512
cd51351ad87a0c85ea664279e7117701c5802597120d423888a234a06d8b9506e19ba3532e46452e474342fce18bfc4224d69b9fd5b984673dcd6aa7122dd3f1

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
582ad9e887730cf10df79da7e11cfae5

SHA1
abbb7485717a991675f215e25ebc995df5abafa6

SHA256
bd2a76773673e06c43aa0a51c93d3057086a792d6769d9fb4f3d5f9c259638e2

SHA512
a879624579d7e55d5c7c3359f5e42865a95e550a09e794368a2636a2781c1ebe51b1099e3d04b14c67702f3ff081f2461f8d86efe43c707ba20676b2cad144a6

Download Submit
\AdobeXQ\devoptiloc.exe

Filesize
4.1MB

MD5
ac3694b34fd291f345555a57ee00f69c

SHA1
b022d7415a11187a765c02a30edf59356d0e9b4c

SHA256
b5ed8b5a68caef89f43f10a549898c2d4e2aec879c6af8c6410f957c48e1906f

SHA512
f45e4b47234549b57ac900924a1feab634127c8457a0d64147ede59168d48e27045e5c05d800c35c698908a21ffde5ff4a56264f57c08b8516de5e413b9521d0

Download Submit