0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
23/05/2024, 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe
Size

2.7MB
MD5

b98091c8e54390d3e68b7c40f0e4d5ac
SHA1

9258b69395f8135c932a720e8882ae8166e390be
SHA256

0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156
SHA512

f1640f38ed316c30ea5096e01460dc51a8fc3cd8f09470772fc0b6b808b0b999174a730dc5885e17b599e856f754ee988efb12aa0148de62d3c3c2c2520c9620
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBj9w4Sx:+R0pI/IQlUoMPdmpSpf4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1936	devoptiec.exe

Loads dropped DLL 1 IoCs

pid	Process
2264	0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesSX\\devoptiec.exe"	0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid13\\bodasys.exe"	0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2264	0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe
2264	0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe
1936	devoptiec.exe
2264	0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe
1936	devoptiec.exe
2264	0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe
1936	devoptiec.exe
2264	0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe
1936	devoptiec.exe
2264	0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe
1936	devoptiec.exe
2264	0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe
1936	devoptiec.exe
2264	0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe
1936	devoptiec.exe
2264	0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe
1936	devoptiec.exe
2264	0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe
1936	devoptiec.exe
2264	0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe
1936	devoptiec.exe
2264	0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe
1936	devoptiec.exe
2264	0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe
1936	devoptiec.exe
2264	0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe
1936	devoptiec.exe
2264	0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe
1936	devoptiec.exe
2264	0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe
1936	devoptiec.exe
2264	0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe
1936	devoptiec.exe
2264	0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe
1936	devoptiec.exe
2264	0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe
1936	devoptiec.exe
2264	0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe
1936	devoptiec.exe
2264	0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe
1936	devoptiec.exe
2264	0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe
1936	devoptiec.exe
2264	0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe
1936	devoptiec.exe
2264	0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe
1936	devoptiec.exe
2264	0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe
1936	devoptiec.exe
2264	0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe
1936	devoptiec.exe
2264	0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe
1936	devoptiec.exe
2264	0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe
1936	devoptiec.exe
2264	0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe
1936	devoptiec.exe
2264	0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe
1936	devoptiec.exe
2264	0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe
1936	devoptiec.exe
2264	0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe
1936	devoptiec.exe
2264	0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 1936	2264	0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe	28
PID 2264 wrote to memory of 1936	2264	0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe	28
PID 2264 wrote to memory of 1936	2264	0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe	28
PID 2264 wrote to memory of 1936	2264	0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe	28

C:\Users\Admin\AppData\Local\Temp\0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe
"C:\Users\Admin\AppData\Local\Temp\0a0acad85ec0ca7f6f6cb01c6665a4cfa3455563fdd2f811a9b64156020cf156.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2264
- C:\FilesSX\devoptiec.exe
  C:\FilesSX\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
3da264316048f68212f455f847f34eca

SHA1
19cd6b63baf1bf300ee6521a8b5269971589ddb1

SHA256
6257b0f9c31730ff75cb2c9856ac2981a1554dbae3c7789a5cea8cc165611599

SHA512
8d2f6ea60f414d9e34d314b0ec0cfb9560d541fdca8005c98eeebf2493ef3f69c613cfd1880707f582c60ee9be01566fdaf615ef8628de4ebc910568f0a7322f

Download Submit
C:\Vid13\bodasys.exe

Filesize
2.7MB

MD5
8fc14011aac5be90b125fdfb8ea29131

SHA1
3fd4691c54e8ac76357aa349cfdc7d8fc02b8175

SHA256
063c1dec8ff8236ca8f8806b21e69a50369f9639e49d6e4ef79ff596fda9aa25

SHA512
d60bb36cf8a26a073c95b612c118034e5c763f4b0be79de12c6c66d80d5ee6394499dc510b47d653c3a08ecaae73c4a49f49200b8817c32c43edf6cbf09505e2

Download Submit
\FilesSX\devoptiec.exe

Filesize
2.7MB

MD5
1004cdb61f8bade80f874d878564fc0f

SHA1
a581ccfc495679c548a8f6ac3420ca118844f458

SHA256
8488c7c018207be4da5311d263d8a7f912dd299b8ee828a8120f5590879c2c2f

SHA512
b86ec5f5cdd8371bc21d9a2b487d9b6abaf52aad3361947173cb7f7b980477b1db8c3d400d5c3626e8b80985f4c86eb8829060805cc03a07451ad3c6d8087e0d

Download Submit