d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2024, 03:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260.exe
Size

4.1MB
MD5

f982bff122eceeca4158f69f95e77733
SHA1

39d69df35e8248048076dc018a6bd4d02cd20f21
SHA256

d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260
SHA512

820c75079dc81b1fa08f7f92c32cde72e7ecb9f024ac2adb7568c54acb0c84e11b827083f70cd97c77dad503af4e8a36b465862fccffdd89ce49c17868e8cee3
SSDEEP

98304:+R0pI/IQlUoMPdmpSpl4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmK5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3332	devbodsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe5L\\devbodsys.exe"	d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid9Z\\bodaec.exe"	d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4732	d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260.exe
4732	d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260.exe
4732	d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260.exe
4732	d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260.exe
3332	devbodsys.exe
3332	devbodsys.exe
4732	d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260.exe
4732	d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260.exe
3332	devbodsys.exe
3332	devbodsys.exe
4732	d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260.exe
4732	d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260.exe
3332	devbodsys.exe
3332	devbodsys.exe
4732	d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260.exe
4732	d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260.exe
3332	devbodsys.exe
3332	devbodsys.exe
4732	d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260.exe
4732	d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260.exe
3332	devbodsys.exe
3332	devbodsys.exe
4732	d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260.exe
4732	d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260.exe
3332	devbodsys.exe
3332	devbodsys.exe
4732	d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260.exe
4732	d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260.exe
3332	devbodsys.exe
3332	devbodsys.exe
4732	d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260.exe
4732	d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260.exe
3332	devbodsys.exe
3332	devbodsys.exe
4732	d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260.exe
4732	d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260.exe
3332	devbodsys.exe
3332	devbodsys.exe
4732	d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260.exe
4732	d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260.exe
3332	devbodsys.exe
3332	devbodsys.exe
4732	d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260.exe
4732	d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260.exe
3332	devbodsys.exe
3332	devbodsys.exe
4732	d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260.exe
4732	d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260.exe
3332	devbodsys.exe
3332	devbodsys.exe
4732	d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260.exe
4732	d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260.exe
3332	devbodsys.exe
3332	devbodsys.exe
4732	d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260.exe
4732	d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260.exe
3332	devbodsys.exe
3332	devbodsys.exe
4732	d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260.exe
4732	d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260.exe
3332	devbodsys.exe
3332	devbodsys.exe
4732	d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260.exe
4732	d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4732 wrote to memory of 3332	4732	d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260.exe	88
PID 4732 wrote to memory of 3332	4732	d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260.exe	88
PID 4732 wrote to memory of 3332	4732	d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260.exe	88

C:\Users\Admin\AppData\Local\Temp\d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260.exe
"C:\Users\Admin\AppData\Local\Temp\d1a1fa042b9dad794c1c21d43d4b4af90b4f2a6fb418ddbc6a088199df04f260.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Adobe5L\devbodsys.exe
  C:\Adobe5L\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe5L\devbodsys.exe

Filesize
4.1MB

MD5
c07fdd9bb443d2af1d60c969ca4ca543

SHA1
52dce19c33c6cf72e574e6a84b3b9dc2e9e15043

SHA256
ce191ddcded53c12a74e5e4f207f7283f8dc4c6ff41268c732b94aad33a51500

SHA512
ce6fb640a9e06c1745c2e420be1a2b7dadd39986a14b39fc2f772e1c87f6144945f357bcbd188b07f78d913941655899eca0ad4af85414310dc3df1c3da560a0

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
6b4b63bc39e3bf1a2e28e85b435f083e

SHA1
d01787f497d631233247149be77131343e2cc47c

SHA256
dfbd9085ccb293f8cb6e8bc8ea4903d3d028f6eeb0aab40565d3215c58a7b3fe

SHA512
c3cbc9a496627318c97756ee3fd438d7f3cbf6e3d9d6a0979f00feb42bcaa48d00ef4f843ba1b36ea1be2f30b8c668251797577c14a61bff095f81f2a3515dc5

Download Submit
C:\Vid9Z\bodaec.exe

Filesize
874KB

MD5
cce3e963795b66af19ab4774a59f3265

SHA1
f093be49c8b3a04cb04d21b35a69fcd79bbe2f52

SHA256
3de98a61bfd65e75e80b87f1ddeb89ff4ef127b2491089ac99015a82cc6bbd81

SHA512
99ccf8ac95d23398f656d82508dc48875ab5eafdcee50fb0286ec88567a60f7b0ff4b7a8530aa8b66b511004d38e36270c3e7e239dd880017e554e8660546cb9

Download Submit
C:\Vid9Z\bodaec.exe

Filesize
4.1MB

MD5
7d88b814e3151725a498828cf44dbae0

SHA1
286aebf043d653f2c2321b8c64707646a67c7272

SHA256
e4ca1cc724d7fda51f1bc79ead8207aef1ca92e47801c3ac79905783b11fe4ad

SHA512
c5de447f541c3186c963164a89ea8018c8a2cc3c22eea989a681495818d9e6f4596a137865bbcbd2479f951ea4aed70328b64cb5c86619529fff5772ee56b252

Download Submit