Analysis
-
max time kernel
149s
-
max time network
98s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240508-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted
24-05-2024 02:29
Static task
static1
Behavioral task
behavioral1
Sample
bacdfc23cd441e75db7bcf8c60a311dede024ff9e081914ae29c9d8cd3ecb497.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
bacdfc23cd441e75db7bcf8c60a311dede024ff9e081914ae29c9d8cd3ecb497.exe
Resource
win10v2004-20240508-en
General
-
Target
bacdfc23cd441e75db7bcf8c60a311dede024ff9e081914ae29c9d8cd3ecb497.exe
-
Size
2.7MB
-
MD5
1e82ef583d875429e3022dc9e16fbfef
-
SHA1
d7e31fe9dd2806796078355e88c19b759e4b288c
-
SHA256
bacdfc23cd441e75db7bcf8c60a311dede024ff9e081914ae29c9d8cd3ecb497
-
SHA512
6f2dca48899851efce3d79bbd5d522eeb08a1218c5c9f6eeb72118dbda5dbd17860d8519e5eed7b64911badafd6d6dd6f41c1b199eefb352cdcbfc4b7c3af3f8
-
SSDEEP
49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBM9w4Sx:+R0pI/IQlUoMPdmpSpi4
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
5212 | devdobsys.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe7A\\devdobsys.exe" | bacdfc23cd441e75db7bcf8c60a311dede024ff9e081914ae29c9d8cd3ecb497.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid62\\boddevsys.exe" | bacdfc23cd441e75db7bcf8c60a311dede024ff9e081914ae29c9d8cd3ecb497.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
5796 | bacdfc23cd441e75db7bcf8c60a311dede024ff9e081914ae29c9d8cd3ecb497.exe
5212 | devdobsys.exe
(64 entries in total, all attributed to these two processes; the sandbox lists them alternately for PID 5796 and PID 5212)
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description | pid | process | target process
PID 5796 wrote to memory of 5212 | 5796 | bacdfc23cd441e75db7bcf8c60a311dede024ff9e081914ae29c9d8cd3ecb497.exe | devdobsys.exe
PID 5796 wrote to memory of 5212 | 5796 | bacdfc23cd441e75db7bcf8c60a311dede024ff9e081914ae29c9d8cd3ecb497.exe | devdobsys.exe
PID 5796 wrote to memory of 5212 | 5796 | bacdfc23cd441e75db7bcf8c60a311dede024ff9e081914ae29c9d8cd3ecb497.exe | devdobsys.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\bacdfc23cd441e75db7bcf8c60a311dede024ff9e081914ae29c9d8cd3ecb497.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\bacdfc23cd441e75db7bcf8c60a311dede024ff9e081914ae29c9d8cd3ecb497.exe"
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5796
-
  C:\Adobe7A\devdobsys.exe (depth 2, child of PID 5796)
  Command line: C:\Adobe7A\devdobsys.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5212
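The chain the signatures above describe (drop an EXE into a new top-level directory, point a Run/RunOnce value at it, launch it) is straightforward to correlate from host telemetry. The following is an added example, not part of the sandbox report or of the sample: it takes Sysmon-style events (Event ID 1 ProcessCreate, 11 FileCreate, 13 RegistryEvent SetValue, using Sysmon's field names) and emits one finding per process that completed the chain. The events in SAMPLE_EVENTS are constructed from the paths, PIDs and registry values in this report plus one benign installer event; the directory allow-list in EXPECTED_ROOTS is an assumption to tune per estate.

```python
"""Correlate the dropped-EXE persistence chain from Sysmon-style events.

Added example, not part of the sandbox report. Event dictionaries use the
field names Sysmon emits for Event ID 1 (ProcessCreate), 11 (FileCreate) and
13 (RegistryEvent SetValue). SAMPLE_EVENTS is constructed from the report's
paths, PIDs and registry values; it is not captured telemetry.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\bacdfc23cd441e75db7bcf8c60a311dede024ff9e081914ae29c9d8cd3ecb497.exe"
RUN_KEY = r"HKU\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion"

SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessId": 5796, "Image": SAMPLE,
     "TargetFilename": r"C:\Adobe7A\devdobsys.exe"},
    {"EventID": 11, "ProcessId": 5796, "Image": SAMPLE,
     "TargetFilename": r"C:\Vid62\boddevsys.exe"},
    {"EventID": 13, "ProcessId": 5796, "Image": SAMPLE, "EventType": "SetValue",
     "TargetObject": RUN_KEY + r"\Run\Parametr", "Details": r"C:\Adobe7A\devdobsys.exe"},
    {"EventID": 13, "ProcessId": 5796, "Image": SAMPLE, "EventType": "SetValue",
     "TargetObject": RUN_KEY + r"\RunOnce\Parametr", "Details": r"C:\Vid62\boddevsys.exe"},
    {"EventID": 1, "ProcessId": 5212, "Image": r"C:\Adobe7A\devdobsys.exe",
     "ParentProcessId": 5796, "ParentImage": SAMPLE},
    # Benign noise (constructed): an installer under Program Files registering its updater.
    {"EventID": 13, "ProcessId": 4242, "Image": r"C:\Program Files\Vendor\setup.exe",
     "EventType": "SetValue", "TargetObject": RUN_KEY + r"\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
]

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# Assumed allow-list: directories where a freshly written EXE is unremarkable.
EXPECTED_ROOTS = (r"c:\program files", r"c:\windows", r"c:\users", r"c:\programdata")


def norm(path):
    """Lower-case and strip surrounding quotes so registry data and file paths compare equal."""
    return path.strip('"').lower()


def is_unusual_root(path):
    """True for an absolute path under a directory outside EXPECTED_ROOTS (e.g. C:\Adobe7A)."""
    p = norm(path)
    return len(p) > 3 and p[1:3] == ":\\" and not p.startswith(EXPECTED_ROOTS)


def find_persistence_chains(events):
    """One finding per process that wrote an EXE into an unusual directory and then
    pointed a Run/RunOnce value at it, launched it, or both."""
    dropped = defaultdict(set)      # writer pid -> dropped exe paths
    run_values = defaultdict(dict)  # writer pid -> {registry value: target path}
    children = defaultdict(set)     # parent pid -> child images
    image_of = {}
    for ev in events:
        pid = ev["ProcessId"]
        image_of[pid] = ev["Image"]
        if ev["EventID"] == 11:
            target = norm(ev["TargetFilename"])
            if target.endswith(".exe") and is_unusual_root(target):
                dropped[pid].add(target)
        elif ev["EventID"] == 13 and ev.get("EventType") == "SetValue":
            if RUN_KEY_RE.search(ev["TargetObject"]):
                run_values[pid][ev["TargetObject"]] = norm(ev["Details"])
        elif ev["EventID"] == 1:
            children[ev["ParentProcessId"]].add(norm(ev["Image"]))

    findings = []
    for pid, files in dropped.items():
        persisted = {k: v for k, v in run_values.get(pid, {}).items() if v in files}
        executed = sorted(children.get(pid, set()) & files)
        if persisted or executed:
            findings.append({"actor_pid": pid, "actor_image": image_of[pid],
                             "dropped": sorted(files), "run_values": persisted,
                             "executed": executed})
    return findings


if __name__ == "__main__":
    for f in find_persistence_chains(SAMPLE_EVENTS):
        print(f"PID {f['actor_pid']} ({f['actor_image']})")
        for value, target in f["run_values"].items():
            print(f"  persisted  {value} -> {target}")
        for exe in f["executed"]:
            print(f"  executed   {exe}")
```

Run against the constructed events it reports only PID 5796: both dropped files, the Run and RunOnce values that point at them, and the launch of devdobsys.exe; the installer event under Program Files does not fire because the EXE it registers was never written to an unusual root. On a live host without Sysmon, the equivalent check is reading HKU\<SID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and RunOnce and flagging values whose target lies outside the expected roots. Note that the report's three WriteProcessMemory hits are the parent writing into the child it has just created, which is also what an ordinary CreateProcess looks like under this hook, so that signature alone does not establish injection.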
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Adobe7A\devdobsys.exe
Filesize
2.7MB
MD5
08754fad707366173a3f08bff381f361
SHA1
28337187f1d58709cd1edcfcb8aa4fafd82c6392
SHA256
a669d0d717f19e34ef21a1b707dfe05b2d581cab5b97f1e9fb82bf0303bae709
SHA512
4cd80ac2bf58e284872436349a128447ecf6285af7a75fa5e771f88a117b5fe976b69d6d52387e8044f7b5bac635d94851bbef6d515281aaa0744567f82a8e5f
-
C:\Users\Admin\253086396416_10.0_Admin.ini
Filesize
204B
MD5
2ed8d260793c5dc48ed1c881ef45fd15
SHA1
852137d9a345a61c979c694a4d69b93be9aff6a5
SHA256
7099d288198a6964564cadf91380b6729c33b8449daea3b26454517e6813d224
SHA512
97560b069939a07d51476277585468d48beaca9fe52530056bed88ae6f64704bab8ad65f2b4204af69d9a10c758cf40a84a06e83160bd49c47d023d5236aaf19
-
C:\Vid62\boddevsys.exe
Filesize
2.7MB
MD5
36f2385ac14136d9d2795ac6cfd97e1a
SHA1
9f4b719a50f899f813316e560915ff15f109189e
SHA256
9d110f2d6e2f4e996f8e9b911ea72ee6f06e595ce8258a85cc0c093012ed03bb
SHA512
0f82210bc6beae1fa0630bd294ddb7384238d821111bb0de5f8749b046cb1f7030445e05e2ad6f623ff821e02a04e7ab43d28e5b5894b371aa25014feff4079f
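To check a suspect host against the dropped files listed above, the following added example (not part of the report, not the sample's code) walks the drop directories, computes all four digests in one read of each file, and matches against the hashes copied from this report's General and Downloads sections. SHA-256 matches are treated as authoritative; an MD5-only match is reported as weak because MD5 collisions are practical. The default roots and the strong/weak policy are the example's own choices.

```python
"""Hash-based sweep for the files this report says the sample drops.

Added example, not part of the sandbox report. The digests are copied from
the report's General and Downloads sections; the directory walk, single-pass
multi-hash and match policy are the example's own.
"""
import hashlib
import os

ALGOS = ("md5", "sha1", "sha256", "sha512")

# SHA-256 -> label, copied from the report.
REPORT_SHA256 = {
    "bacdfc23cd441e75db7bcf8c60a311dede024ff9e081914ae29c9d8cd3ecb497": "original sample",
    "a669d0d717f19e34ef21a1b707dfe05b2d581cab5b97f1e9fb82bf0303bae709": r"C:\Adobe7A\devdobsys.exe",
    "9d110f2d6e2f4e996f8e9b911ea72ee6f06e595ce8258a85cc0c093012ed03bb": r"C:\Vid62\boddevsys.exe",
    "7099d288198a6964564cadf91380b6729c33b8449daea3b26454517e6813d224": r"C:\Users\Admin\253086396416_10.0_Admin.ini",
}
# MD5 -> label, for feeds or telemetry that only record MD5.
REPORT_MD5 = {
    "1e82ef583d875429e3022dc9e16fbfef": "original sample",
    "08754fad707366173a3f08bff381f361": r"C:\Adobe7A\devdobsys.exe",
    "36f2385ac14136d9d2795ac6cfd97e1a": r"C:\Vid62\boddevsys.exe",
    "2ed8d260793c5dc48ed1c881ef45fd15": r"C:\Users\Admin\253086396416_10.0_Admin.ini",
}


def _digest_chunks(chunks):
    """Feed every chunk to all hashers so a file is read from disk only once."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def hash_bytes(data):
    return _digest_chunks([data])


def hash_file(path, block_size=1 << 20):
    with open(path, "rb") as fh:
        return _digest_chunks(iter(lambda: fh.read(block_size), b""))


def match_iocs(digests, sha256_iocs=REPORT_SHA256, md5_iocs=REPORT_MD5):
    """Return (label, strength) or None. SHA-256 is authoritative; an MD5-only hit
    is 'weak' because MD5 collisions are practical."""
    label = sha256_iocs.get(digests["sha256"])
    if label is not None:
        return label, "strong"
    label = md5_iocs.get(digests["md5"])
    if label is not None:
        return label, "weak"
    return None


def sweep(roots):
    """Hash every regular file under the given roots; return (path, label, strength, sha256) hits."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    digests = hash_file(path)
                except OSError:
                    continue  # locked, unreadable, or removed between walk and open
                hit = match_iocs(digests)
                if hit:
                    hits.append((path, hit[0], hit[1], digests["sha256"]))
    return hits


if __name__ == "__main__":
    import sys
    # Default roots are the drop locations the report shows; pass others as arguments.
    roots = sys.argv[1:] or [r"C:\Adobe7A", r"C:\Vid62", r"C:\Users"]
    for path, label, strength, sha256 in sweep(roots):
        print(f"{strength:6} {sha256}  {path}  (report: {label})")
```

A renamed or relocated copy still matches because the match is on content, not on path; a recompiled or padded build will not, which is where the report's SSDEEP value would help (a third-party library such as ssdeep is needed for that, since hashlib has no fuzzy hashing). Sweeping C:\Users also covers the per-user .ini file the report lists.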