2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
Size

2.7MB
MD5

a0455ba4c5e664963c46bba0bf2bbc75
SHA1

f105fc4f11e0cdd72bae81e0cdde61cda5ea3f3e
SHA256

2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d
SHA512

987900b2dff2961390af651a2cb75a742c74282e47d82386177d78e95be406e7d64c53c4a7f0c26aa7310e9d352c78abe6dad2c424a3d6dc1d6b790f0d967238
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBJ9w4Sx:+R0pI/IQlUoMPdmpSpR4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2204	devbodec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotN4\\devbodec.exe"	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidMC\\boddevsys.exe"	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2256	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2256	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2256	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2256	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2204	devbodec.exe
2204	devbodec.exe
2256	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2256	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2204	devbodec.exe
2204	devbodec.exe
2256	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2256	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2204	devbodec.exe
2204	devbodec.exe
2256	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2256	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2204	devbodec.exe
2204	devbodec.exe
2256	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2256	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2204	devbodec.exe
2204	devbodec.exe
2256	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2256	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2204	devbodec.exe
2204	devbodec.exe
2256	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2256	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2204	devbodec.exe
2204	devbodec.exe
2256	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2256	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2204	devbodec.exe
2204	devbodec.exe
2256	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2256	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2204	devbodec.exe
2204	devbodec.exe
2256	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2256	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2204	devbodec.exe
2204	devbodec.exe
2256	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2256	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2204	devbodec.exe
2204	devbodec.exe
2256	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2256	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2204	devbodec.exe
2204	devbodec.exe
2256	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2256	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2204	devbodec.exe
2204	devbodec.exe
2256	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2256	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2204	devbodec.exe
2204	devbodec.exe
2256	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2256	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2204	devbodec.exe
2204	devbodec.exe
2256	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
2256	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2204	2256	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe	88
PID 2256 wrote to memory of 2204	2256	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe	88
PID 2256 wrote to memory of 2204	2256	2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe	88

C:\Users\Admin\AppData\Local\Temp\2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe
"C:\Users\Admin\AppData\Local\Temp\2e1c09075245108820b8e8892c9c178e8a4663a1a0f20963b5cc789e6b100f2d.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2256
- C:\UserDotN4\devbodec.exe
  C:\UserDotN4\devbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotN4\devbodec.exe

Filesize
2.7MB

MD5
6425fafd43aab35b7ac02c1c1038e81a

SHA1
0808b915cb92428532308aa471f1efb0152fcc80

SHA256
1c7166e323ea20cc0842d2c44221f7b47df24489c8ca432ea6289b72930a932e

SHA512
9c410a25dd46ec80bc111ca266aecca9812fd85d94fff286cbdf0c15d687b6410179b11637e57a270dbccb2ecbf2c5059808a76f78c490c39ccb86118a51c523

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
207B

MD5
a5cb0ce9f0a59d65fa8896b958d9360d

SHA1
b6e440f615e82e880ec3854bbca414c36f972cae

SHA256
c3df7f428b4e025fc3382ebccf3d3c366e342ac317be8c6709ab4bd4e00df861

SHA512
84c2c0b7d04854da2874e46e2a14a8ae8d0b2893633898ac89d907436ee5163c3fcfd350db597d92123567fbdec58061a7b55167fd01d2e62b35c7e390d017ad

Download Submit
C:\VidMC\boddevsys.exe

Filesize
15KB

MD5
bbb72a49d33348f4b9d48c9ff6d0eaff

SHA1
525fb036947110ed4db3b869e50d575a11cfe6de

SHA256
2f142f254f096d13600df226aea208944d068e4f5d3911bbff669bc1ca9552a8

SHA512
ed4dad637f791395d85b207c0132b93916e3c69d08e1abfb6dab67939a18ccc223e20e583f06425d8128b7a08092a316dc29211f3c9639212c56208ebebef3b8

Download Submit