Analysis
- max time kernel: 149s
- max time network: 127s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-05-2024 02:36
Static task: static1
Behavioral task: behavioral1
- Sample: bd9857191bf5d5e8fb91bdf7acafab28a6e06b2388df952b2c800c4b1797a6fa.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: bd9857191bf5d5e8fb91bdf7acafab28a6e06b2388df952b2c800c4b1797a6fa.exe
- Resource: win10v2004-20240508-en
General
- Target: bd9857191bf5d5e8fb91bdf7acafab28a6e06b2388df952b2c800c4b1797a6fa.exe
- Size: 2.7MB
- MD5: 878a5af8462d695bbed227da3cc0cf1d
- SHA1: 0279449e074e65c6ce0e364e4358ef3f9f4c8bb1
- SHA256: bd9857191bf5d5e8fb91bdf7acafab28a6e06b2388df952b2c800c4b1797a6fa
- SHA512: f529bf632f4f747a83fca8a937a9e7280ad444b8282dcbe7fb36cc76aaf4ea285f6b90bb84a399659f09b70f0b583eb95a427ab4f7fbdab01c23bb968f57af38
- SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBo9w4Sx:+R0pI/IQlUoMPdmpSpe4
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
Processes:
- PID 1244: devbodloc.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- bd9857191bf5d5e8fb91bdf7acafab28a6e06b2388df952b2c800c4b1797a6fa.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesWN\\devbodloc.exe"
- bd9857191bf5d5e8fb91bdf7acafab28a6e06b2388df952b2c800c4b1797a6fa.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint9X\\optialoc.exe"
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (64 repeated entries, all from these two processes):
- PID 1768: bd9857191bf5d5e8fb91bdf7acafab28a6e06b2388df952b2c800c4b1797a6fa.exe
- PID 1244: devbodloc.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
- PID 1768 (bd9857191bf5d5e8fb91bdf7acafab28a6e06b2388df952b2c800c4b1797a6fa.exe) wrote to memory of PID 1244 (devbodloc.exe), recorded 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\bd9857191bf5d5e8fb91bdf7acafab28a6e06b2388df952b2c800c4b1797a6fa.exe (PID 1768)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bd9857191bf5d5e8fb91bdf7acafab28a6e06b2388df952b2c800c4b1797a6fa.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Child: C:\FilesWN\devbodloc.exe (PID 1244)
    Command line: C:\FilesWN\devbodloc.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 836)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4612,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4432 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\FilesWN\devbodloc.exe
  - Filesize: 2.7MB
  - MD5: 0b06d53d4f574f860bc202c6d8302019
  - SHA1: c7781fd30d3e1c1721aad061caf603a76ce7f27b
  - SHA256: 088c83a0e5b3459e132626e9055b40a77a79595eacdfd6b84b238d07aee61430
  - SHA512: 82ae953e927428f0ea04d53a915c3f3aefd6c4df637a2bfa30f19fd914c14ed8e76bbde5ee1938374fc4bc2c1d37ef1bd805bb268fb0e6803080ee21a266e0cb
- C:\Mint9X\optialoc.exe
  - Filesize: 7KB
  - MD5: 2a66be02c3c27b489db2b8f5953bfa44
  - SHA1: 242635a3ee1d142a92bde39c7a1cc5f12f53958b
  - SHA256: 03c57c4403a457ba972b4a8fdf0a50876ef50b8a586b9366482ff3c6b84629f8
  - SHA512: 8aaf81d458a35a958dddb5bc34416bc1e466d0c165d37c2b731745a84fe3083d42dafb1a1f3ef64045127ac64eba2d82205268cb3b08604e71997aec0d2ce625
- C:\Users\Admin\253086396416_10.0_Admin.ini
  - Filesize: 204B
  - MD5: 7492d50b0a9fb2fc684aad209753e2dc
  - SHA1: 1e80dd0c6a353f0108488376b0911ced2dc503c3
  - SHA256: 603969a893741b459a86247a4aa14d5670cfbd4db078cb898dfff0c6dc237a49
  - SHA512: dcb1554411537048f6ee44634cf0c86b4caefbb504f43d701935286d693262d88e1b3435ad657b6430281170225ec1381416bc77f15d669c749979c96c4c4ecb