fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
25/05/2024, 06:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe
Size

2.7MB
MD5

791969dd549ad605d0fcccee1aa1bf48
SHA1

72a2b3c147adcdfb9b7660cc664d2ce10c8baf36
SHA256

fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2
SHA512

3ad9b84557473fddf7a291130c1d8e1ae5dfdb4bb2a7f1a82ba561a6573a7f0666dc77ea44d28798c008c822715d77579fee93a19f22b683b32c90bb043c519d
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBi9w4Sx:+R0pI/IQlUoMPdmpSp04

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2744	devbodec.exe

Loads dropped DLL 1 IoCs

pid	Process
620	fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesCM\\devbodec.exe"	fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBJX\\boddevec.exe"	fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
620	fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe
620	fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe
2744	devbodec.exe
620	fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe
2744	devbodec.exe
620	fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe
2744	devbodec.exe
620	fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe
2744	devbodec.exe
620	fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe
2744	devbodec.exe
620	fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe
2744	devbodec.exe
620	fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe
2744	devbodec.exe
620	fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe
2744	devbodec.exe
620	fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe
2744	devbodec.exe
620	fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe
2744	devbodec.exe
620	fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe
2744	devbodec.exe
620	fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe
2744	devbodec.exe
620	fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe
2744	devbodec.exe
620	fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe
2744	devbodec.exe
620	fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe
2744	devbodec.exe
620	fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe
2744	devbodec.exe
620	fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe
2744	devbodec.exe
620	fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe
2744	devbodec.exe
620	fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe
2744	devbodec.exe
620	fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe
2744	devbodec.exe
620	fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe
2744	devbodec.exe
620	fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe
2744	devbodec.exe
620	fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe
2744	devbodec.exe
620	fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe
2744	devbodec.exe
620	fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe
2744	devbodec.exe
620	fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe
2744	devbodec.exe
620	fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe
2744	devbodec.exe
620	fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe
2744	devbodec.exe
620	fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe
2744	devbodec.exe
620	fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe
2744	devbodec.exe
620	fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe
2744	devbodec.exe
620	fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 2744	620	fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe	28
PID 620 wrote to memory of 2744	620	fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe	28
PID 620 wrote to memory of 2744	620	fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe	28
PID 620 wrote to memory of 2744	620	fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe	28

C:\Users\Admin\AppData\Local\Temp\fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe
"C:\Users\Admin\AppData\Local\Temp\fd643a2cc81b63fe06c0b0da60812453142f2d3f7f9e721a7c70b974477504d2.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:620
- C:\FilesCM\devbodec.exe
  C:\FilesCM\devbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBJX\boddevec.exe

Filesize
2.7MB

MD5
a7ad3bdf27243bddd498183991117814

SHA1
576cc6100c58bb308b90ec1a12dea20e544363dd

SHA256
5dd7a202dd60cc01abde956bd93d6b9255f27a54b3f1e20e6be862eea6320ed8

SHA512
58b45d6e0498340097420e9051e6d3b9ba43d18cfdd2151624dcbd51490b0ce69241bca29c7df1d26d51a76fd09dc8fe7abea555e389086642b9d1abd6194e2d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
3481f5b8a76ab9ab9dc4c03c51f56df9

SHA1
5e5ed80789f026b503d2c065f024984c73b77340

SHA256
7e8f1fc493de263b7b7f039b03adcc38fb90512b31cf585b76baaa726ef91034

SHA512
aebe8fa7def6bcb83d48f177e82c607496d857bd4ceb540f2cfb22ded6227b1e23c017b5fbd00dd20619de83b3957e39d237fd7dc182bca30eee855d367693ac

Download Submit
\FilesCM\devbodec.exe

Filesize
2.7MB

MD5
f0db5ea88d7b861e34099a9cf2a6602b

SHA1
cd9242da4dcbdb797337d4b49d3a00793061875b

SHA256
9bdd325b158e035224b4521281646ec7d28ab61f111dff7284f23d75235b77b5

SHA512
438d9811e9e9b8e2b2ee1808d0dafef4f8a2988ccfbff7592036f76528b8f376faf2c2f06ae7ba7d7043d7c29a9b318240be7e895b326f12dff16935f9ea2f28

Download Submit