bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc

Analysis

max time kernel
154s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
Size

4.1MB
MD5

89df799cf37fce3f2bbe8951efe90d65
SHA1

d02d92698d97481df3d03f40cd6484155e5352b2
SHA256

bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc
SHA512

91464bbde5c7ac1fd6a222efde9451d1f634764b1f31f44314bb80aa7e41a78436d7f611527dd4053b76d7e17bc25402bf02c26a321cc713bf35c3769e6519fd
SSDEEP

98304:+R0pI/IQlUoMPdmpSpK4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmp5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
916	devbodec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocQD\\devbodec.exe"	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBFZ\\optiasys.exe"	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1184	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
1184	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
1184	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
1184	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
916	devbodec.exe
916	devbodec.exe
1184	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
1184	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
1184	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
1184	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
916	devbodec.exe
916	devbodec.exe
1184	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
1184	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
916	devbodec.exe
916	devbodec.exe
1184	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
1184	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
916	devbodec.exe
916	devbodec.exe
1184	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
1184	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
916	devbodec.exe
916	devbodec.exe
1184	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
1184	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
916	devbodec.exe
916	devbodec.exe
1184	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
1184	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
916	devbodec.exe
916	devbodec.exe
1184	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
1184	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
916	devbodec.exe
916	devbodec.exe
1184	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
1184	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
916	devbodec.exe
916	devbodec.exe
1184	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
1184	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
916	devbodec.exe
916	devbodec.exe
1184	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
1184	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
916	devbodec.exe
916	devbodec.exe
1184	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
1184	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
916	devbodec.exe
916	devbodec.exe
1184	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
1184	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
916	devbodec.exe
916	devbodec.exe
1184	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
1184	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
916	devbodec.exe
916	devbodec.exe
1184	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
1184	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
916	devbodec.exe
916	devbodec.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 916	1184	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe	90
PID 1184 wrote to memory of 916	1184	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe	90
PID 1184 wrote to memory of 916	1184	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe	90

C:\Users\Admin\AppData\Local\Temp\bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
"C:\Users\Admin\AppData\Local\Temp\bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1184
- C:\IntelprocQD\devbodec.exe
  C:\IntelprocQD\devbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3884 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
1⤵
PID:3972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocQD\devbodec.exe

Filesize
4.1MB

MD5
94c2057c321b5b6ddcfd142d024cf5a3

SHA1
ce120f16ceeec802301d5cdf194eb0e7545908c8

SHA256
c6e4da8dd14b6cc3a960e218d683f6723d72e705c050ed2a289563b1c270dba0

SHA512
1677c460f777040bc3658f5453ce06504d81fc1b6611b0f67c27ebf70e8ca93cbf4142765295ff05f4e4579004eaa2ee2892850d8d344beb8d31ed4cc6c2dfac

Download Submit
C:\KaVBFZ\optiasys.exe

Filesize
4.1MB

MD5
a7617f4a6f61eaff805e2e43bc936662

SHA1
195ab81562f52fad9a92b5ec2f535bb6881980da

SHA256
bb69412eb6d8439d89526450738496b61dd586a5ff364580e076a090007af316

SHA512
d071123fdb80957dcea949fc14626444b20f01664e0397fe79526517b70227b02feeae8c0409562c124c1d5af7a69d983cfeb5f21e5b05eb7f1ea22a54da62e2

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
95a910d087724b61c0187e819007bdc2

SHA1
d208556a0c77bd32164d80d4e7425c41f4e7c457

SHA256
d4987011dfd48b8c6adc73bb1ba4cd4c849ee1b754ca27ff323fcd3ec6394690

SHA512
f27ffde9df1f93555194745868cbf959b9fd177a95e10b63f998b09a845c64dea7b5b06d9ce6f53a126d3d6fd96668f1889043c3705b2a92e2bd7bc8e4b1d117

Download Submit