9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 23:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809.exe
Size

4.1MB
MD5

80d5302de7ca90d618db75eb7dff959e
SHA1

8289e6bfd7fa03a411027322720e74e40a8b7fa4
SHA256

9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809
SHA512

5a3b2bc8fbadbd536f0aef33502391664851d83d08f3a9b9b5f09164c7e4e5ce949cce808888697a4cd57ba044cc928259358c3560e88c637258caf04f8aca3f
SSDEEP

98304:+R0pI/IQlUoMPdmpSpu4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmJ5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4536	devdobloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintXY\\optixec.exe"	9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe0N\\devdobloc.exe"	9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4596	9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809.exe
4596	9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809.exe
4596	9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809.exe
4596	9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809.exe
4536	devdobloc.exe
4536	devdobloc.exe
4596	9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809.exe
4596	9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809.exe
4536	devdobloc.exe
4536	devdobloc.exe
4596	9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809.exe
4596	9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809.exe
4536	devdobloc.exe
4536	devdobloc.exe
4596	9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809.exe
4596	9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809.exe
4536	devdobloc.exe
4536	devdobloc.exe
4596	9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809.exe
4596	9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809.exe
4536	devdobloc.exe
4536	devdobloc.exe
4596	9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809.exe
4596	9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809.exe
4536	devdobloc.exe
4536	devdobloc.exe
4596	9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809.exe
4596	9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809.exe
4536	devdobloc.exe
4536	devdobloc.exe
4596	9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809.exe
4596	9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809.exe
4536	devdobloc.exe
4536	devdobloc.exe
4596	9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809.exe
4596	9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809.exe
4536	devdobloc.exe
4536	devdobloc.exe
4596	9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809.exe
4596	9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809.exe
4536	devdobloc.exe
4536	devdobloc.exe
4596	9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809.exe
4596	9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809.exe
4536	devdobloc.exe
4536	devdobloc.exe
4596	9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809.exe
4596	9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809.exe
4536	devdobloc.exe
4536	devdobloc.exe
4596	9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809.exe
4596	9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809.exe
4536	devdobloc.exe
4536	devdobloc.exe
4596	9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809.exe
4596	9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809.exe
4536	devdobloc.exe
4536	devdobloc.exe
4596	9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809.exe
4596	9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809.exe
4536	devdobloc.exe
4536	devdobloc.exe
4596	9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809.exe
4596	9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 4536	4596	9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809.exe	90
PID 4596 wrote to memory of 4536	4596	9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809.exe	90
PID 4596 wrote to memory of 4536	4596	9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809.exe	90

C:\Users\Admin\AppData\Local\Temp\9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809.exe
"C:\Users\Admin\AppData\Local\Temp\9825c7cd3f7a5d87f32733158bb6af019946321a4ce9bd847c4ffd340491d809.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Adobe0N\devdobloc.exe
  C:\Adobe0N\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe0N\devdobloc.exe

Filesize
4.1MB

MD5
bda853eb33fe2cd9ab41b561d8cac9cf

SHA1
923f060ef2494fa828547eaa23b6bf8d296836e4

SHA256
7c944c1637f107d81df19fedc5d24e27440cfe1250ce420b4229e9dec17dd707

SHA512
ae182389eb16447331934af20ac6ec58b66fed62192e52968cbe1bdfa465647f72428e75496d2fdc6d47a0bdc9e243e0f9517176995e6c0800b0f9b91e3ba63d

Download Submit
C:\MintXY\optixec.exe

Filesize
4.1MB

MD5
99367eb995464d993701a4a55014cef4

SHA1
1d082a8cac186f50d3d608efe743a4f5765fde56

SHA256
8f0ad6f0f84568be67c58cd9e236708335db738488b0aba1f1707a95efbf0dea

SHA512
5320aba9360b70841efd379ee82bce630cafd8f3def0cf5a6ee8c665ec10acd4df510e3c10389be0855d57a2ee5c11203c05b7e047a5d6479c53ef2387c207c8

Download Submit
C:\MintXY\optixec.exe

Filesize
3.1MB

MD5
70916b23816967ef85aa26fba7557cfa

SHA1
cfd09591d35f2b1d2dd4f33741351443b5480938

SHA256
c142d29f39e1deca470568761e7f2efc025e4c6e10bdb0b1cc4fcbc978ec9af6

SHA512
81d2fe77ab68f6064c4bdd692355180e20021d6ae5c2345672c1cbe5d14d1e5497eb034c25e91ee5dafd4d9ebfc26812b00c03cdda74f180885e9e65726463cf

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
daf1a14e47fb76b329e3ed74312a24e1

SHA1
4c141768a493de630aca7beebf28c83058f1ef63

SHA256
1c6d8b576629f3f02f24d0358b7ed61b598ee3e4b444d5f0742dbea76af61dac

SHA512
f00e4da2091a816695bbdcf77f2308d399976359441a8e2a7f8414701cdd61cc22bfb77c78bfa0113f59d95fec9ac01b1284419c54c28ca65419ef7a12fdc4c9

Download Submit