62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02-05-2024 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe
Size

4.1MB
MD5

9114be9096cc631feb2527aecfcbb376
SHA1

32266488facfcdba4ae925b67d280d70115e1bb1
SHA256

62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1
SHA512

fd866a63e830b89c1bcf0feb5a48586fd557d6bb0b252c80d5529acb7d587a37c24614d84f140c99f916e33ee4786a20df58d1f0cf82ae5f8a0120f39733dbad
SSDEEP

98304:+R0pI/IQlUoMPdmpSpb4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmM5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2984	devbodec.exe

Loads dropped DLL 1 IoCs

pid	Process
1712	62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvKX\\devbodec.exe"	62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintIN\\bodxloc.exe"	62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1712	62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe
1712	62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe
2984	devbodec.exe
1712	62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe
2984	devbodec.exe
1712	62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe
2984	devbodec.exe
1712	62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe
2984	devbodec.exe
1712	62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe
2984	devbodec.exe
1712	62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe
2984	devbodec.exe
1712	62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe
2984	devbodec.exe
1712	62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe
2984	devbodec.exe
1712	62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe
2984	devbodec.exe
1712	62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe
2984	devbodec.exe
1712	62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe
2984	devbodec.exe
1712	62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe
2984	devbodec.exe
1712	62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe
2984	devbodec.exe
1712	62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe
2984	devbodec.exe
1712	62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe
2984	devbodec.exe
1712	62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe
2984	devbodec.exe
1712	62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe
2984	devbodec.exe
1712	62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe
2984	devbodec.exe
1712	62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe
2984	devbodec.exe
1712	62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe
2984	devbodec.exe
1712	62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe
2984	devbodec.exe
1712	62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe
2984	devbodec.exe
1712	62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe
2984	devbodec.exe
1712	62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe
2984	devbodec.exe
1712	62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe
2984	devbodec.exe
1712	62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe
2984	devbodec.exe
1712	62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe
2984	devbodec.exe
1712	62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe
2984	devbodec.exe
1712	62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe
2984	devbodec.exe
1712	62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe
2984	devbodec.exe
1712	62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe
2984	devbodec.exe
1712	62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2984	1712	62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe	28
PID 1712 wrote to memory of 2984	1712	62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe	28
PID 1712 wrote to memory of 2984	1712	62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe	28
PID 1712 wrote to memory of 2984	1712	62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe	28

C:\Users\Admin\AppData\Local\Temp\62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe
"C:\Users\Admin\AppData\Local\Temp\62dfbc96f977d5814f479b685e9bf9e6f30534fb8d38c72c9fb013fcaca23be1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1712
- C:\SysDrvKX\devbodec.exe
  C:\SysDrvKX\devbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintIN\bodxloc.exe

Filesize
4.1MB

MD5
89b309fbc638ecebcd3f2f6231350cae

SHA1
8c55ad880ab977a13816e79bcf018cca7b2a40f7

SHA256
efc282bacc1728750202942c48c3b40842b8d2f9be75f341a1ad4c6c657b26b6

SHA512
eb2451932d0b4615ca5c8e0ee7232e3cb74958f65817334a9a0cac9573fc5e624818ee8a55b21c4552c7b05f591765db9d3f800c7123f257862b9e08fc0beebd

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
a4a43f1de8b8f78a14a5dab7df68ec32

SHA1
1cb8be60f31554c504123825be6a660ff2ec7310

SHA256
b30d1052220be6f47ea7599656f5ba6f8029cab68001d24c19bb15548d70ea10

SHA512
5dc6b15b9c054918cee0ec0c178ca745ab0a482253ad7864c96881d237b609ab35a3e4dd2c00b7d5d2b7b8e2cf5a2c319b692da81a2e294689c4eddf8121633c

Download Submit
\SysDrvKX\devbodec.exe

Filesize
4.1MB

MD5
e7c1c3aa6c4ffd3e8eaa07d311adfdc4

SHA1
41237836b42457b69b8a400d4e40e1333358f3af

SHA256
bc393e7fd2934e50b31291f76577649fe23942e3676f5cc0b312c881e54a7a41

SHA512
5158f236a5fec06d75d3b6d0725efec613dd0a809a4e41f14c12ec96312a9b503abec00c0220586ea23cd6c893ce6d27963a78a234e3dce0c0cfbf2b58f24d30

Download Submit