4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/04/2024, 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe
Size

4.1MB
MD5

f2e730e1833d5c1f28eeb06f647e1bd4
SHA1

684449943fc82ce2debb1d58dd9e8f12257dfe57
SHA256

4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770
SHA512

b29f9048ba7a6346889ba027139a5cd60d4af5874033f1eb408cf5178fe2042b75e0e3d1a97ae574b12f34a519508ee378c797ea5ada63c0fa43b6218d1972a9
SSDEEP

98304:+R0pI/IQlUoMPdmpSpi4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdm95n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2764	devbodec.exe

Loads dropped DLL 1 IoCs

pid	Process
1660	4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvYQ\\devbodec.exe"	4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ9E\\optidevsys.exe"	4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1660	4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe
1660	4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe
2764	devbodec.exe
1660	4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe
2764	devbodec.exe
1660	4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe
2764	devbodec.exe
1660	4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe
2764	devbodec.exe
1660	4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe
2764	devbodec.exe
1660	4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe
2764	devbodec.exe
1660	4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe
2764	devbodec.exe
1660	4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe
2764	devbodec.exe
1660	4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe
2764	devbodec.exe
1660	4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe
2764	devbodec.exe
1660	4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe
2764	devbodec.exe
1660	4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe
2764	devbodec.exe
1660	4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe
2764	devbodec.exe
1660	4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe
2764	devbodec.exe
1660	4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe
2764	devbodec.exe
1660	4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe
2764	devbodec.exe
1660	4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe
2764	devbodec.exe
1660	4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe
2764	devbodec.exe
1660	4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe
2764	devbodec.exe
1660	4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe
2764	devbodec.exe
1660	4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe
2764	devbodec.exe
1660	4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe
2764	devbodec.exe
1660	4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe
2764	devbodec.exe
1660	4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe
2764	devbodec.exe
1660	4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe
2764	devbodec.exe
1660	4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe
2764	devbodec.exe
1660	4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe
2764	devbodec.exe
1660	4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe
2764	devbodec.exe
1660	4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe
2764	devbodec.exe
1660	4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe
2764	devbodec.exe
1660	4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe
2764	devbodec.exe
1660	4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 2764	1660	4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe	28
PID 1660 wrote to memory of 2764	1660	4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe	28
PID 1660 wrote to memory of 2764	1660	4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe	28
PID 1660 wrote to memory of 2764	1660	4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe	28

C:\Users\Admin\AppData\Local\Temp\4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe
"C:\Users\Admin\AppData\Local\Temp\4c3fb44d8667a193d01add2c60cc6f8b9dbaaaf673b16628b0d9ff69c7301770.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1660
- C:\SysDrvYQ\devbodec.exe
  C:\SysDrvYQ\devbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZ9E\optidevsys.exe

Filesize
4.1MB

MD5
e80139e2da4286c20459a55be22a8a45

SHA1
d0a2c5980c8f111d375d453f913fc30a9ba4377e

SHA256
5195f77f652a9ed5334501967011d20a10420c76a6f8ec82de1a0ffa147de164

SHA512
c7fa88952a7b9c3e15d79dad084c94bc4f34fcef955519d6de7fc77844226945af4f9e834d1ec1073b672aac5041254a244b6bea260b89c1901fa1e3b03400c5

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
208B

MD5
5f30248496e4d95f86a1ba31ea4cbce4

SHA1
6c0ed5b0d9c29a05dc343783e6b2476b51f09d73

SHA256
604ea0c745f356aca1652cf77fd7fc5ee0b75eb140f9595adb8fda54cb81b178

SHA512
e12f59da12d5fb1324c851fda71057635014468ad5f21c69020c6039277eba65fe9f4425e50210205e832703188da8200d88ab4d106bb52a2ef1b22a49bbead7

Download Submit
\SysDrvYQ\devbodec.exe

Filesize
4.1MB

MD5
75dfead1aeb27747e90811f53e7107d4

SHA1
ff9d36e0bd6edef6f786511fec51e465968092c0

SHA256
6e5d06276fa21e090c84192ffce7673ac986aa43328a5d692179210ae31e260e

SHA512
636492886751aa819de1a1b54caa1e72f217bbba61382be737db831cb7f2be34592793595fc5797aa2ed55a1f677e905870f5951bb487f4371978a7bb7c86b45

Download Submit