f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2024 02:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
Size

2.7MB
MD5

59826a6b23948cd546c6974fbb87815c
SHA1

1f480d1c270d94a5b55bf0cc1bb6d4b5f83e6aab
SHA256

f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8
SHA512

33e129ff60abc7d941f142b63e52453328918d7a5a9e92ec5fda35ca173b82b48c7cfeb2be07a9f068f9a8b77038bfd738c3bdcfa980897633a85d8914138afa
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBh9w4Sx:+R0pI/IQlUoMPdmpSpd4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2896	devbodec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotHU\\devbodec.exe"	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint94\\optidevsys.exe"	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1752	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1752	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1752	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1752	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
2896	devbodec.exe
2896	devbodec.exe
1752	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1752	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
2896	devbodec.exe
2896	devbodec.exe
1752	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1752	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
2896	devbodec.exe
2896	devbodec.exe
1752	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1752	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
2896	devbodec.exe
2896	devbodec.exe
1752	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1752	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
2896	devbodec.exe
2896	devbodec.exe
1752	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1752	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
2896	devbodec.exe
2896	devbodec.exe
1752	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1752	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
2896	devbodec.exe
2896	devbodec.exe
1752	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1752	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
2896	devbodec.exe
2896	devbodec.exe
1752	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1752	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
2896	devbodec.exe
2896	devbodec.exe
1752	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1752	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
2896	devbodec.exe
2896	devbodec.exe
1752	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1752	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
2896	devbodec.exe
2896	devbodec.exe
1752	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1752	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
2896	devbodec.exe
2896	devbodec.exe
1752	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1752	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
2896	devbodec.exe
2896	devbodec.exe
1752	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1752	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
2896	devbodec.exe
2896	devbodec.exe
1752	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1752	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
2896	devbodec.exe
2896	devbodec.exe
1752	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1752	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 2896	1752	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe	92
PID 1752 wrote to memory of 2896	1752	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe	92
PID 1752 wrote to memory of 2896	1752	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe	92

C:\Users\Admin\AppData\Local\Temp\f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
"C:\Users\Admin\AppData\Local\Temp\f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1752
- C:\UserDotHU\devbodec.exe
  C:\UserDotHU\devbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Mint94\optidevsys.exe

Filesize
21KB

MD5
85ac8e8d98995fc09cc8e14b9d872d90

SHA1
adaa24efc93ffdc30c0f3eddaed74ed35e28744b

SHA256
4147383c7efa7821c6cfc8b7a765239587b96326516b35b8a29b5759d56b432d

SHA512
71b1aead94e4cf1bea92e76c1e652cc34c48ae4aa8a1a8f508276c2025ed5821c7ac8d66d8f165cd451ed36fcf9d03a044f936e5ad0acf3d006044ed8f1b1f3f

Download Submit
C:\Mint94\optidevsys.exe

Filesize
2.7MB

MD5
04b69039a7164e42681d01f1bc737b40

SHA1
18905669e3d6037ab5c93b1b260cf450f7e567ca

SHA256
32b81c01c880ad2d3383298cb179a2d35b9c52bf2c95b07b373e4f88e5a3137a

SHA512
d60aef022c9f08bad90533b35ffbc8db4db382abe06dc9e3cf0cdb8257bd115d180e4b7b0ed5d01a3a1b6e5d32032432dde1d5a364ad452d16c1d1e953d1c766

Download Submit
C:\UserDotHU\devbodec.exe

Filesize
2.7MB

MD5
3ebe31e721db58b8ec5357e12548557c

SHA1
cad6533db5776d513cf4f694d0b5ddb0fb9c3997

SHA256
d605699072be817e9a28097d9a1e8dc992a478c58360b5a548f59d6d8e10bd05

SHA512
d32e59c1de09dd743cbdfdd06009ffa2baa41c96a6bf9b8855da7d7a47b66eb0eb8fefac9fc81944737dac38247e2429378d7105a11814e1958fd2452f0e1930

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
209B

MD5
a9beecb4433840661d456b9917180f1a

SHA1
7495af5879687b617d8724ec5ce9b2f91c1c155a

SHA256
65ecef134a801eaa6c153089a999e7f6b08fb72bbd49c852d5cb4df9b0f4d7cd

SHA512
229b08a11605538fe29a80020d87fd7092c72715f1fb52178a5677450661857b9132f636febf1df654a833aa5c88f80e78cb8273e3700d034a7bdb64a5b77dcb

Download Submit