6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
Size

4.1MB
MD5

1aa0e934fb199cd06b1578ba7a55bf3f
SHA1

752bb480a9dcbbb75e4c653765909ed1cfda2a11
SHA256

6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638
SHA512

254fa64303238f333adf03c982382e328545c0dd75ce7a2fe5ba6dac2d2081a1a5deeed3cbb31a77f60264e8cf4b5c8ec00e8161a4386f34c8ce029e7965dfa6
SSDEEP

98304:+R0pI/IQlUoMPdmpSpo4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdm75n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4996	devbodloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxQ2\\optiasys.exe"	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesPN\\devbodloc.exe"	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2668	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
2668	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
2668	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
2668	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
4996	devbodloc.exe
4996	devbodloc.exe
2668	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
2668	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
4996	devbodloc.exe
4996	devbodloc.exe
2668	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
2668	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
4996	devbodloc.exe
4996	devbodloc.exe
2668	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
2668	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
4996	devbodloc.exe
4996	devbodloc.exe
2668	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
2668	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
4996	devbodloc.exe
4996	devbodloc.exe
2668	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
2668	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
4996	devbodloc.exe
4996	devbodloc.exe
2668	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
2668	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
4996	devbodloc.exe
4996	devbodloc.exe
2668	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
2668	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
4996	devbodloc.exe
4996	devbodloc.exe
2668	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
2668	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
4996	devbodloc.exe
4996	devbodloc.exe
2668	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
2668	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
4996	devbodloc.exe
4996	devbodloc.exe
2668	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
2668	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
4996	devbodloc.exe
4996	devbodloc.exe
2668	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
2668	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
4996	devbodloc.exe
4996	devbodloc.exe
2668	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
2668	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
4996	devbodloc.exe
4996	devbodloc.exe
2668	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
2668	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
4996	devbodloc.exe
4996	devbodloc.exe
2668	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
2668	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
4996	devbodloc.exe
4996	devbodloc.exe
2668	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
2668	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 4996	2668	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe	87
PID 2668 wrote to memory of 4996	2668	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe	87
PID 2668 wrote to memory of 4996	2668	6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe	87

C:\Users\Admin\AppData\Local\Temp\6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe
"C:\Users\Admin\AppData\Local\Temp\6f1b9f68a13601d9ed02aa664565df9b84b300ded54ea4d75a5518c6bfa44638.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2668
- C:\FilesPN\devbodloc.exe
  C:\FilesPN\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesPN\devbodloc.exe

Filesize
4.1MB

MD5
a3110a2d7ec958a179f1615924ad0eab

SHA1
82f10282819573caa57081d98307a2fb08400ddd

SHA256
09af59e83524d06f0651aa96dcd3731f2ad045bd6bfcaf2a5442ba6dd11a8ab9

SHA512
59a34e4538a00b3cb33cdf9bc315a2b64c4c9af629fb1b088def0599d3fcab522dddbdb9c628d3f3da66a95d4a6ef974a93c29b7befd1e71d2f49835db6fa2bd

Download Submit
C:\GalaxQ2\optiasys.exe

Filesize
4.1MB

MD5
85a4a4e23f31b08d6953fc8bc4c321f6

SHA1
902fc6dd0061ca6597efbedb9ec36848b47de66e

SHA256
12f48701b6114f20dd23a1893c6ce9e27ed5e409acafa2360f4bddc230b41088

SHA512
cfa946fc0cb1c3c55d9f75c1960f00ed99ddf3de82feea98eeb7e73a91c96f8e8fb1cd19eadccc652253cfa59ddb2bcdbd60bbd0ca65a86c59dcbc4073713562

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
efb467604272c50bf8600619b49333a8

SHA1
d92f6cf84625120662892653c953a04fc9667d0d

SHA256
c8d9a22e8c3754d19f0912609d4525eb7f906162a1dd1147984cf04a499e8304

SHA512
4d4df069e2368a52865b2d724b7915b47a5feb505b0496166535ee0a771e198cd4e975ce2d7fd4a03e9ce5931101a50f1a40a8bdfe4fe7eb993d670ecbc12972

Download Submit