bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
Size

2.7MB
MD5

ba8da79ff4c0f57018fd29846eed383a
SHA1

be836b2d51d2e96aea4635bca73c3afa297d4def
SHA256

bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5
SHA512

6c8c75e214b9bac0292481e53d3b401599ea9187cf2baa58b0f27ebaa76d12249892473d4e6afefb494314deba824db8917844deacd7a6d40d09ca32081df239
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBa9w4Sx:+R0pI/IQlUoMPdmpSpM4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4680	devdobec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeLN\\devdobec.exe"	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintCX\\optidevloc.exe"	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1260	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
1260	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
1260	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
1260	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
4680	devdobec.exe
4680	devdobec.exe
1260	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
1260	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
4680	devdobec.exe
4680	devdobec.exe
1260	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
1260	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
4680	devdobec.exe
4680	devdobec.exe
1260	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
1260	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
4680	devdobec.exe
4680	devdobec.exe
1260	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
1260	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
4680	devdobec.exe
4680	devdobec.exe
1260	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
1260	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
4680	devdobec.exe
4680	devdobec.exe
1260	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
1260	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
4680	devdobec.exe
4680	devdobec.exe
1260	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
1260	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
4680	devdobec.exe
4680	devdobec.exe
1260	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
1260	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
4680	devdobec.exe
4680	devdobec.exe
1260	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
1260	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
4680	devdobec.exe
4680	devdobec.exe
1260	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
1260	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
4680	devdobec.exe
4680	devdobec.exe
1260	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
1260	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
4680	devdobec.exe
4680	devdobec.exe
1260	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
1260	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
4680	devdobec.exe
4680	devdobec.exe
1260	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
1260	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
4680	devdobec.exe
4680	devdobec.exe
1260	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
1260	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
4680	devdobec.exe
4680	devdobec.exe
1260	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
1260	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 4680	1260	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe	88
PID 1260 wrote to memory of 4680	1260	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe	88
PID 1260 wrote to memory of 4680	1260	bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe	88

C:\Users\Admin\AppData\Local\Temp\bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe
"C:\Users\Admin\AppData\Local\Temp\bd560551f6ee7ad48ad2c0f3200be31e817530249c58ef546b9e7ad1a217eed5.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1260
- C:\AdobeLN\devdobec.exe
  C:\AdobeLN\devdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeLN\devdobec.exe

Filesize
2.7MB

MD5
32f2802ab83b047a73dd380de039f51f

SHA1
c333604a0ed91cf13a41bd622005c9557e4b0774

SHA256
fb8d951f138f6a0e864d44244fd8f6165765e8e69b50ede5de64bd4fb16c85ed

SHA512
e149d51e0cdcc5a57eaba0d1fe5ac1743a3c53a5d3a14ebd77b642c28d9abd65a6badb1cd9011b21ec5538d3f9a434d9cd2e4a1848c111523305c2050728e072

Download Submit
C:\MintCX\optidevloc.exe

Filesize
8KB

MD5
b12a7a76f55cb7a71f78c93f1d348bb0

SHA1
c047d6340865e6eee54449c0ab23352a7a6b8951

SHA256
2d0afc4be8be11cf8dc53be35f043330cbe65e48539c27ec895df91a31bc8288

SHA512
698d2bc59711947b99010410bc141e75352fad07e034b06a63d4a4294fde28d7b9210824d23eaaf09ab36b16777ec43af70450b97b22e6753cff86d5c1450f17

Download Submit
C:\MintCX\optidevloc.exe

Filesize
2.7MB

MD5
b6febed613f897b79284c47c858abb4f

SHA1
698863660fe421518d119795df4dd0f0b2178285

SHA256
a6a723a2c0c21e9c6f773085510f198c8a3754bdd04b4468097a5d205f720ec9

SHA512
90ac1f56b7b2075c5b8aeb6fa7b98f55f29f4eda734d43bbc8ce389a30ef6da85044e6e03f71cfa685d4b24f795ed585260629aaee473c8e7c83aaf43e4d3761

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
7334cfbba7f9b27b50982edf91355e0c

SHA1
5cc809ef9bb31866e5e9f5095168250028f42920

SHA256
81a93dc855450bad5a362a01e861f95f1a2562e55207ed4172b610d128522ae0

SHA512
6fc3b294a8dc2a7338696864adf37273c96b1926ce0572d5623b04c01a0afd8dcb5fb470198ed52611e84c548d4a365c570527b2d4139e37c12cbbdfc5d5f052

Download Submit