4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 21:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
Size

2.7MB
MD5

9caacf70daeb6ebdbc1c53eb96762b34
SHA1

a7b1c8c6ea61548e5cc288b237355b3f65bda0fd
SHA256

4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f
SHA512

839824f790444bc63f2e927b90bb692874d1a6852666d6113d0a6d4311780d66fe32788f9602d54cd2ed3a2b50577e19c5cb6ef66bb53c53d3d0d8244758ab12
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBp9w4Sx:+R0pI/IQlUoMPdmpSpV4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4092	devoptiloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeI0\\devoptiloc.exe"	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZDB\\bodaec.exe"	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2492	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2492	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2492	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2492	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
4092	devoptiloc.exe
4092	devoptiloc.exe
2492	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2492	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
4092	devoptiloc.exe
4092	devoptiloc.exe
2492	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2492	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
4092	devoptiloc.exe
4092	devoptiloc.exe
2492	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2492	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
4092	devoptiloc.exe
4092	devoptiloc.exe
2492	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2492	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
4092	devoptiloc.exe
4092	devoptiloc.exe
2492	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2492	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
4092	devoptiloc.exe
4092	devoptiloc.exe
2492	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2492	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
4092	devoptiloc.exe
4092	devoptiloc.exe
2492	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2492	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
4092	devoptiloc.exe
4092	devoptiloc.exe
2492	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2492	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
4092	devoptiloc.exe
4092	devoptiloc.exe
2492	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2492	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
4092	devoptiloc.exe
4092	devoptiloc.exe
2492	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2492	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
4092	devoptiloc.exe
4092	devoptiloc.exe
2492	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2492	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
4092	devoptiloc.exe
4092	devoptiloc.exe
2492	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2492	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
4092	devoptiloc.exe
4092	devoptiloc.exe
2492	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2492	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
4092	devoptiloc.exe
4092	devoptiloc.exe
2492	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2492	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
4092	devoptiloc.exe
4092	devoptiloc.exe
2492	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
2492	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 4092	2492	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe	88
PID 2492 wrote to memory of 4092	2492	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe	88
PID 2492 wrote to memory of 4092	2492	4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe	88

C:\Users\Admin\AppData\Local\Temp\4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe
"C:\Users\Admin\AppData\Local\Temp\4aafb7df84df8d1773b79ffefaee2ebf0f0b404800c2ad6be487a793b8aeb97f.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2492
- C:\AdobeI0\devoptiloc.exe
  C:\AdobeI0\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeI0\devoptiloc.exe

Filesize
2.7MB

MD5
40f8f4b1d4c0f4c6a8de4420328613b0

SHA1
2ea10bec2068253dca011bedee0fc4788c424b40

SHA256
c219446abe23022630ea647072160171c5e728799fc84724215ef038c1d9163c

SHA512
228f688ff2d23177822384882e3900ebe7f2e93036c2ea30e46b685bc4783a2518c16e2ef0624a3436b5617984897ca3c1188bde3b261f5d4f4d82dad87fe449

Download Submit
C:\LabZDB\bodaec.exe

Filesize
2.7MB

MD5
b70a18c80cf6a782c80be21d77b62f65

SHA1
bf1974d81867fcfdbec99ecd5fe110c8989ce3c3

SHA256
c100a5d8909c321b08d47717f2bbc1f988834cec1183708522949c3eb8bbf2f0

SHA512
ca0fbd2b0e928f4816074ed49d0fe23c354646926f1bf61bdfb0eb75099450a6b600400fc126a876070a83fbaafe7e6406bd3f101a32e513b0ee6bbb17550cba

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
780ffe5d3ae37ad7fdfdb1739084eb66

SHA1
68551f844b9900d660e570ad50a1300de8561295

SHA256
c5bb12abfe98cba4f839a61c5eb419ed149beba497921c414a66d55fe562d0bb

SHA512
525c827801ea2e652ae257178962baebbeffc5ec3c309cf4eadbac7b8b46622e1331a143fb34a6d4d4a7c296bd2a74cdcd65b58c93a32c256a9f3083d772ab84

Download Submit