99774812c22b29d9a95988f407427a1a779b08ee059430af51e2117d499001b9

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
17/09/2023, 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0203f0510610150823630fa28980356_JC.exe
Size

4.1MB
MD5

e0203f0510610150823630fa28980356
SHA1

d6a72542b10f9bccb975281dcf2e93a1f7518897
SHA256

99774812c22b29d9a95988f407427a1a779b08ee059430af51e2117d499001b9
SHA512

654c392d72e6b04b7880c1f7fb9a76ea7065674fcb038c44fd02b6381762fc61789c17b55972fb58723963bbd487fe63bc9763bdfcb25892fdde054180bde9d4
SSDEEP

98304:+R0pI/IQlUoMPdmpSpP4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmg5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2512	devdobsys.exe

Loads dropped DLL 1 IoCs

pid	Process
2800	e0203f0510610150823630fa28980356_JC.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeEX\\devdobsys.exe"	e0203f0510610150823630fa28980356_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidQO\\optiasys.exe"	e0203f0510610150823630fa28980356_JC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2800	e0203f0510610150823630fa28980356_JC.exe
2800	e0203f0510610150823630fa28980356_JC.exe
2512	devdobsys.exe
2800	e0203f0510610150823630fa28980356_JC.exe
2512	devdobsys.exe
2800	e0203f0510610150823630fa28980356_JC.exe
2512	devdobsys.exe
2800	e0203f0510610150823630fa28980356_JC.exe
2512	devdobsys.exe
2800	e0203f0510610150823630fa28980356_JC.exe
2512	devdobsys.exe
2800	e0203f0510610150823630fa28980356_JC.exe
2512	devdobsys.exe
2800	e0203f0510610150823630fa28980356_JC.exe
2512	devdobsys.exe
2800	e0203f0510610150823630fa28980356_JC.exe
2512	devdobsys.exe
2800	e0203f0510610150823630fa28980356_JC.exe
2512	devdobsys.exe
2800	e0203f0510610150823630fa28980356_JC.exe
2512	devdobsys.exe
2800	e0203f0510610150823630fa28980356_JC.exe
2512	devdobsys.exe
2800	e0203f0510610150823630fa28980356_JC.exe
2512	devdobsys.exe
2800	e0203f0510610150823630fa28980356_JC.exe
2512	devdobsys.exe
2800	e0203f0510610150823630fa28980356_JC.exe
2512	devdobsys.exe
2800	e0203f0510610150823630fa28980356_JC.exe
2512	devdobsys.exe
2800	e0203f0510610150823630fa28980356_JC.exe
2512	devdobsys.exe
2800	e0203f0510610150823630fa28980356_JC.exe
2512	devdobsys.exe
2800	e0203f0510610150823630fa28980356_JC.exe
2512	devdobsys.exe
2800	e0203f0510610150823630fa28980356_JC.exe
2512	devdobsys.exe
2800	e0203f0510610150823630fa28980356_JC.exe
2512	devdobsys.exe
2800	e0203f0510610150823630fa28980356_JC.exe
2512	devdobsys.exe
2800	e0203f0510610150823630fa28980356_JC.exe
2512	devdobsys.exe
2800	e0203f0510610150823630fa28980356_JC.exe
2512	devdobsys.exe
2800	e0203f0510610150823630fa28980356_JC.exe
2512	devdobsys.exe
2800	e0203f0510610150823630fa28980356_JC.exe
2512	devdobsys.exe
2800	e0203f0510610150823630fa28980356_JC.exe
2512	devdobsys.exe
2800	e0203f0510610150823630fa28980356_JC.exe
2512	devdobsys.exe
2800	e0203f0510610150823630fa28980356_JC.exe
2512	devdobsys.exe
2800	e0203f0510610150823630fa28980356_JC.exe
2512	devdobsys.exe
2800	e0203f0510610150823630fa28980356_JC.exe
2512	devdobsys.exe
2800	e0203f0510610150823630fa28980356_JC.exe
2512	devdobsys.exe
2800	e0203f0510610150823630fa28980356_JC.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 2512	2800	e0203f0510610150823630fa28980356_JC.exe	28
PID 2800 wrote to memory of 2512	2800	e0203f0510610150823630fa28980356_JC.exe	28
PID 2800 wrote to memory of 2512	2800	e0203f0510610150823630fa28980356_JC.exe	28
PID 2800 wrote to memory of 2512	2800	e0203f0510610150823630fa28980356_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\e0203f0510610150823630fa28980356_JC.exe
"C:\Users\Admin\AppData\Local\Temp\e0203f0510610150823630fa28980356_JC.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2800
- C:\AdobeEX\devdobsys.exe
  C:\AdobeEX\devdobsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeEX\devdobsys.exe

Filesize
4.1MB

MD5
0c75377a944f533ea6a9d45bb3aef55c

SHA1
f6c0fdf39a62ba2d300a90705f7ff1c1524e06e4

SHA256
5effb5c59aa4c845918bbac94380b7493384fe9c30296b04a17c17d2ecd56cf8

SHA512
3d0ed3da6507cd0ac4c04ac54d82ca62d04a528c1af9db2b60efd031b99741a8b4eb97bc645c36035032b7cd5e3cdcdbaeb7c75b44307a6e10f62d60c9173c40

Download Submit
C:\AdobeEX\devdobsys.exe

Filesize
4.1MB

MD5
0c75377a944f533ea6a9d45bb3aef55c

SHA1
f6c0fdf39a62ba2d300a90705f7ff1c1524e06e4

SHA256
5effb5c59aa4c845918bbac94380b7493384fe9c30296b04a17c17d2ecd56cf8

SHA512
3d0ed3da6507cd0ac4c04ac54d82ca62d04a528c1af9db2b60efd031b99741a8b4eb97bc645c36035032b7cd5e3cdcdbaeb7c75b44307a6e10f62d60c9173c40

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
0ba7275296eb5484d09d1611bace402d

SHA1
c4d65f3160a7bb8c0b2af2a5daa3ea22366c2de7

SHA256
56bd0293100faf72aba0ddadfb51e49d11c95ddb833116ee7f6fb03b45e65238

SHA512
bf9729b830c23293823686e07197d100529fafe16e2e150558ebe53e24928a30f667e341d96c69b583cb5b70599435560105a2c0327f0a81acbd6f31259fc778

Download Submit
C:\VidQO\optiasys.exe

Filesize
193KB

MD5
7ea935551c4c4d952f1c5c0068d69b48

SHA1
acdee02060581c47c76c3a86be337d07ee934300

SHA256
d297cdd199eb4c287081b40f6b2797f95dc6895e1ebc0c13225c197aeb6bc291

SHA512
d84f1fd72e9ef1b49a4041029a7b3e318ecb956ac0f2ab70ed73f8bb955068e6a269fb61faf0ccb67951806a5b039846282d811a00dcfe51bf839ae1dfa4d635

Download Submit
C:\VidQO\optiasys.exe

Filesize
4.1MB

MD5
e6b08b9d4245baddcfd041a3d5e7b5d0

SHA1
9434aec0283360a4a9e813c3437759d1360330a4

SHA256
b82b5257d608b25bfddb6e066da47c2d66f41784bc92dc7f64b7044cd6eb8b26

SHA512
7d6105ebbd6058ecb373c5bd5a034f31c3c760423df96957c18f4ebec309ebfc4244abe36c8347c9ab03ec4ca61dfcb6fb56c6f2dad8052bf465db563d5c92bf

Download Submit
\AdobeEX\devdobsys.exe

Filesize
4.1MB

MD5
0c75377a944f533ea6a9d45bb3aef55c

SHA1
f6c0fdf39a62ba2d300a90705f7ff1c1524e06e4

SHA256
5effb5c59aa4c845918bbac94380b7493384fe9c30296b04a17c17d2ecd56cf8

SHA512
3d0ed3da6507cd0ac4c04ac54d82ca62d04a528c1af9db2b60efd031b99741a8b4eb97bc645c36035032b7cd5e3cdcdbaeb7c75b44307a6e10f62d60c9173c40

Download Submit