Analysis
- max time kernel: 149s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 24-05-2024 02:36
Static task: static1
Behavioral task: behavioral1
- Sample: bd9857191bf5d5e8fb91bdf7acafab28a6e06b2388df952b2c800c4b1797a6fa.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: bd9857191bf5d5e8fb91bdf7acafab28a6e06b2388df952b2c800c4b1797a6fa.exe
- Resource: win10v2004-20240508-en
General
- Target: bd9857191bf5d5e8fb91bdf7acafab28a6e06b2388df952b2c800c4b1797a6fa.exe
- Size: 2.7MB
- MD5: 878a5af8462d695bbed227da3cc0cf1d
- SHA1: 0279449e074e65c6ce0e364e4358ef3f9f4c8bb1
- SHA256: bd9857191bf5d5e8fb91bdf7acafab28a6e06b2388df952b2c800c4b1797a6fa
- SHA512: f529bf632f4f747a83fca8a937a9e7280ad444b8282dcbe7fb36cc76aaf4ea285f6b90bb84a399659f09b70f0b583eb95a427ab4f7fbdab01c23bb968f57af38
- SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBo9w4Sx:+R0pI/IQlUoMPdmpSpe4
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 3016 devdobsys.exe
- Loads dropped DLL (1 IoC)
  Processes: PID 2060 bd9857191bf5d5e8fb91bdf7acafab28a6e06b2388df952b2c800c4b1797a6fa.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: bd9857191bf5d5e8fb91bdf7acafab28a6e06b2388df952b2c800c4b1797a6fa.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocRO\\devdobsys.exe" (by bd9857191bf5d5e8fb91bdf7acafab28a6e06b2388df952b2c800c4b1797a6fa.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB7R\\optialoc.exe" (by bd9857191bf5d5e8fb91bdf7acafab28a6e06b2388df952b2c800c4b1797a6fa.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (the 64 entries alternate between these two PIDs):
  PID 2060 bd9857191bf5d5e8fb91bdf7acafab28a6e06b2388df952b2c800c4b1797a6fa.exe
  PID 3016 devdobsys.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: bd9857191bf5d5e8fb91bdf7acafab28a6e06b2388df952b2c800c4b1797a6fa.exe
  PID 2060 wrote to memory of 3016: bd9857191bf5d5e8fb91bdf7acafab28a6e06b2388df952b2c800c4b1797a6fa.exe -> devdobsys.exe
  PID 2060 wrote to memory of 3016: bd9857191bf5d5e8fb91bdf7acafab28a6e06b2388df952b2c800c4b1797a6fa.exe -> devdobsys.exe
  PID 2060 wrote to memory of 3016: bd9857191bf5d5e8fb91bdf7acafab28a6e06b2388df952b2c800c4b1797a6fa.exe -> devdobsys.exe
  PID 2060 wrote to memory of 3016: bd9857191bf5d5e8fb91bdf7acafab28a6e06b2388df952b2c800c4b1797a6fa.exe -> devdobsys.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\bd9857191bf5d5e8fb91bdf7acafab28a6e06b2388df952b2c800c4b1797a6fa.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bd9857191bf5d5e8fb91bdf7acafab28a6e06b2388df952b2c800c4b1797a6fa.exe"
  PID: 2060
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\IntelprocRO\devdobsys.exe (child of PID 2060)
    Command line: C:\IntelprocRO\devdobsys.exe
    PID: 3016
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\KaVB7R\optialoc.exe
  Filesize: 2.7MB
  MD5: 1aa48be0533ab67d774bc7b4147a4d06
  SHA1: 49bb86279889f548dc727be7ba76a42e0d9faf4c
  SHA256: ed99495f522296f0d2d4b1b1b760f28ca9175b157e09beb68743be73c03c4262
  SHA512: e9101013695ca031af5afbf374179bd90cc910575243ea4c6e31c810c0979faae92998b45b02a9f153c4a640b26f95f41b02b648120c1a3fd40a67e6782fb601
- C:\Users\Admin\253086396416_6.1_Admin.ini
  Filesize: 207B
  MD5: 4ec5a5842ab9c21f2b5f3e7f648be9c9
  SHA1: f369a453418eb429a815e46c9d4d3a76babbc2cb
  SHA256: 651c84c7d2316050020688feecae2bb0e02487518c417cc52f7a707611b4ade8
  SHA512: ecfb88f6b08504e7aad0ccf5401ecf3793e5ea42610c3a49cafeb851173c14b7ffb07411ad26e4539c4d95f9bf73bd35732edda8b1cb42dca5c7e6f9b156dfa5
- \IntelprocRO\devdobsys.exe
  Filesize: 2.7MB
  MD5: 2ae5f5d15d6cec72670865869ce86925
  SHA1: 36f6c54bcee241b864ed45ff27cefc0588eb4233
  SHA256: 40133df78f19a69b2142ceeed4c68c7fa5e9220d4d027920f9bca57dea2a0199
  SHA512: df6964d121e2dc6e824af88534171ee78858e67a25d88d855609c737f17e2f9dcc451bfc350dec141f4eb1c088997c3d6e35af6f2c812994d353bb7f6b5bd867