08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5

Analysis

max time kernel
150s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 18:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
Size

4.1MB
MD5

8fc89c8d6143995c2ecd615dd02657c6
SHA1

487419c5f643624b0fe03f060ffd382a69bb49e3
SHA256

08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5
SHA512

9cda4bc1b9eed5d54b3c8d173f07473afe9a637c43264896eb3081f044330d6db6cf5320640d668407f3496b5c48cfd39f3bf8fc4a8f9f69eab0b5b7e62f2c7f
SSDEEP

98304:+R0pI/IQlUoMPdmpSpZ4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmG5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5044	devoptiec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeB1\\devoptiec.exe"	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB8Z\\bodxec.exe"	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4784	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
4784	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
4784	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
4784	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
5044	devoptiec.exe
5044	devoptiec.exe
4784	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
4784	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
5044	devoptiec.exe
5044	devoptiec.exe
4784	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
4784	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
5044	devoptiec.exe
5044	devoptiec.exe
4784	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
4784	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
5044	devoptiec.exe
5044	devoptiec.exe
4784	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
4784	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
5044	devoptiec.exe
5044	devoptiec.exe
4784	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
4784	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
5044	devoptiec.exe
5044	devoptiec.exe
4784	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
4784	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
5044	devoptiec.exe
5044	devoptiec.exe
4784	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
4784	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
5044	devoptiec.exe
5044	devoptiec.exe
4784	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
4784	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
5044	devoptiec.exe
5044	devoptiec.exe
4784	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
4784	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
5044	devoptiec.exe
5044	devoptiec.exe
4784	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
4784	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
5044	devoptiec.exe
5044	devoptiec.exe
4784	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
4784	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
5044	devoptiec.exe
5044	devoptiec.exe
4784	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
4784	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
5044	devoptiec.exe
5044	devoptiec.exe
4784	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
4784	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
5044	devoptiec.exe
5044	devoptiec.exe
4784	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
4784	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
5044	devoptiec.exe
5044	devoptiec.exe
4784	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
4784	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4784 wrote to memory of 5044	4784	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe	85
PID 4784 wrote to memory of 5044	4784	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe	85
PID 4784 wrote to memory of 5044	4784	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe	85

C:\Users\Admin\AppData\Local\Temp\08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
"C:\Users\Admin\AppData\Local\Temp\08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4784
- C:\AdobeB1\devoptiec.exe
  C:\AdobeB1\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeB1\devoptiec.exe

Filesize
4.1MB

MD5
c93537e30e97c1fea92823d40c6aa41c

SHA1
68608aecf9848c85d6b2cc681cc3ba5176539c73

SHA256
d768536118b9392284d8fef11d23fff6923c0f0ed461869312ef7f8a52dd9926

SHA512
0e24f7d2a8714c6ee9aa16ab019bd922580bd1464f2fb4d506a26c269203cdd7d2af803f74c1019996facb1a8efdcba5dfa7ddb23f79868431e6ff8ec2885870

Download Submit
C:\KaVB8Z\bodxec.exe

Filesize
4KB

MD5
8eb2b86d56c013adbcd0b59d7e011880

SHA1
9b7f8fbb657667bab646452f48a1348653e81d45

SHA256
51d699bdd3b8d14f372ba605ae8f322f9959039c6c6b29c39093d7fc670bb4cf

SHA512
3a426dc07f6f46f499b36769e2137da9d589f16bd4cdfbbe6b28b02e5e4adb04cdfb8a021f5e2591100e81c24f3e87ef8f767c5736721391fb8906ce287ae05d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
cc2e1e57d739ebb0b5ecfc307106235e

SHA1
9e8d58d21e195832ad4e3fe47efb6943f90ab82a

SHA256
41fd5edff84062598d53ef6847cbc1138dbd46592a017c4b9c36e78868e9ea9c

SHA512
0cc53b8bdef7b43c590dfffbd1c9bd67c928484d817a2801722e5a0777431dbd8f626be11764434347030836a4438dbee656f62207ead7f11f171ff96e278fbe

Download Submit