7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 23:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844.exe
Size

4.1MB
MD5

36c171d9ae5d9b000a3d497909da29af
SHA1

fffa6328091ad90a8a8c9c1cca50129f08678e7b
SHA256

7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844
SHA512

4454aabee276691b4c1bb28483dd44f4ee5c0f24a8e9c2d77e0eff2cf6c43375a86879a8a69394d2eee869cf58992fc3702598d37c21263cc73e1ecbeea5696d
SSDEEP

98304:+R0pI/IQlUoMPdmpSpL4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmE5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2812	devbodec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeSU\\devbodec.exe"	7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBCU\\optixloc.exe"	7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1396	7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844.exe
1396	7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844.exe
1396	7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844.exe
1396	7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844.exe
2812	devbodec.exe
2812	devbodec.exe
1396	7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844.exe
1396	7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844.exe
2812	devbodec.exe
2812	devbodec.exe
1396	7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844.exe
1396	7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844.exe
2812	devbodec.exe
2812	devbodec.exe
1396	7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844.exe
1396	7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844.exe
2812	devbodec.exe
2812	devbodec.exe
1396	7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844.exe
1396	7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844.exe
2812	devbodec.exe
2812	devbodec.exe
1396	7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844.exe
1396	7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844.exe
2812	devbodec.exe
2812	devbodec.exe
1396	7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844.exe
1396	7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844.exe
2812	devbodec.exe
2812	devbodec.exe
1396	7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844.exe
1396	7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844.exe
2812	devbodec.exe
2812	devbodec.exe
1396	7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844.exe
1396	7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844.exe
2812	devbodec.exe
2812	devbodec.exe
1396	7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844.exe
1396	7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844.exe
2812	devbodec.exe
2812	devbodec.exe
1396	7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844.exe
1396	7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844.exe
2812	devbodec.exe
2812	devbodec.exe
1396	7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844.exe
1396	7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844.exe
2812	devbodec.exe
2812	devbodec.exe
1396	7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844.exe
1396	7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844.exe
2812	devbodec.exe
2812	devbodec.exe
1396	7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844.exe
1396	7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844.exe
2812	devbodec.exe
2812	devbodec.exe
1396	7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844.exe
1396	7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844.exe
2812	devbodec.exe
2812	devbodec.exe
1396	7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844.exe
1396	7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 2812	1396	7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844.exe	83
PID 1396 wrote to memory of 2812	1396	7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844.exe	83
PID 1396 wrote to memory of 2812	1396	7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844.exe	83

C:\Users\Admin\AppData\Local\Temp\7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844.exe
"C:\Users\Admin\AppData\Local\Temp\7d8ebba80b4868131f6ab203869a49082081258f604a18bf49e2453a98be2844.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1396
- C:\AdobeSU\devbodec.exe
  C:\AdobeSU\devbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeSU\devbodec.exe

Filesize
4.1MB

MD5
017bae3a69c3e02f4e683b987153918f

SHA1
ffcf9d7a937cfc0d87218d4f0735340b6f1e01be

SHA256
403e9dec122cc805ed009455a9fcf97dde4e438f3dcfc272ec6f6623cae8c4f5

SHA512
1e0e7e400750559fff1ee5c9922b587a830a2fc480dd0f59a23df7c8bbb2d105c92c12bf375f36335e5537d30a45564b5ab5c9409b8ee9be9905956c852eb7b7

Download Submit
C:\KaVBCU\optixloc.exe

Filesize
483KB

MD5
43b685cd11006bffa32e3411826d2374

SHA1
ba6d5431525fe2909e8e3020eef6d20b42c62391

SHA256
1028eadfaaeb2b8868c350f9444da7ef6895503f0dda07effc94aab5bf7bc6a3

SHA512
d7c06b45422657f6d9160155890e4e4dbd300ffde6be97ea6465c71e01123cd488bca6916b9c8b32dc75767756513a8865b3721addcb5394901b51b61366e3d8

Download Submit
C:\KaVBCU\optixloc.exe

Filesize
4.1MB

MD5
87f5439684084f81ec47d212e01df73a

SHA1
3b0ad602ea8abc803bf91e14ce9aeb98cc977616

SHA256
6c4cda37f4f5e128d7d618aa50e068ce6a5a7d4822ab2e930ca6b8241c524fee

SHA512
c26ca6c047ae49ff9ab6695a79818b470f69b94f0fa00f275fc6ff79606a74b0fb1024dc6d6af4cd4abf8355179a26c627f3d8b5f68103f9c991f580b092befe

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
7682ff9668a35b2d109c39799fae9433

SHA1
c6300683aaaab38f9b2eb83c52765e1242a70261

SHA256
951a08e24edfd4905984e830bbd48fdf17a85e68846d3d6685e82658aec3b4ab

SHA512
74852c538c4bded598bdd0daca16354a9886287ec038174cdb3196d0d020b71bf5365ceab43b270d21fef076b425a9385e6352ef0056c5b6c4eeb5ecff481744

Download Submit