687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/06/2024, 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe
Size

2.7MB
MD5

4af6dc1279c58b32cf3e36e510ca110a
SHA1

4d14a20e6082743cfbb2cd4751ef8cda3b14c0b9
SHA256

687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc
SHA512

07b4b93d46f24d6441cf2ee4d2fae0e8e59e9bc5d99875d797dcce885b39e988fba5a38c211bab7865b2869a59f3c13c39c63f5439bb0f027bddd2d3c7036308
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBh9w4Sx:+R0pI/IQlUoMPdmpSpx4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2696	devbodec.exe

Loads dropped DLL 1 IoCs

pid	Process
1924	687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeOI\\devbodec.exe"	687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax4X\\dobdevsys.exe"	687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1924	687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe
1924	687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe
2696	devbodec.exe
1924	687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe
2696	devbodec.exe
1924	687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe
2696	devbodec.exe
1924	687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe
2696	devbodec.exe
1924	687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe
2696	devbodec.exe
1924	687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe
2696	devbodec.exe
1924	687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe
2696	devbodec.exe
1924	687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe
2696	devbodec.exe
1924	687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe
2696	devbodec.exe
1924	687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe
2696	devbodec.exe
1924	687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe
2696	devbodec.exe
1924	687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe
2696	devbodec.exe
1924	687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe
2696	devbodec.exe
1924	687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe
2696	devbodec.exe
1924	687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe
2696	devbodec.exe
1924	687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe
2696	devbodec.exe
1924	687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe
2696	devbodec.exe
1924	687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe
2696	devbodec.exe
1924	687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe
2696	devbodec.exe
1924	687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe
2696	devbodec.exe
1924	687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe
2696	devbodec.exe
1924	687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe
2696	devbodec.exe
1924	687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe
2696	devbodec.exe
1924	687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe
2696	devbodec.exe
1924	687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe
2696	devbodec.exe
1924	687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe
2696	devbodec.exe
1924	687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe
2696	devbodec.exe
1924	687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe
2696	devbodec.exe
1924	687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe
2696	devbodec.exe
1924	687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe
2696	devbodec.exe
1924	687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe
2696	devbodec.exe
1924	687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2696	1924	687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe	28
PID 1924 wrote to memory of 2696	1924	687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe	28
PID 1924 wrote to memory of 2696	1924	687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe	28
PID 1924 wrote to memory of 2696	1924	687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe	28

C:\Users\Admin\AppData\Local\Temp\687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe
"C:\Users\Admin\AppData\Local\Temp\687a7bc9b689953a687b23e8b4da5b006c5fb88b9008b7cd00c2a0db3c0170cc.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1924
- C:\AdobeOI\devbodec.exe
  C:\AdobeOI\devbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax4X\dobdevsys.exe

Filesize
2.7MB

MD5
8d312b7ec21a3deece4840165d8252a3

SHA1
419b41186fa28143af0743b72462c6bf1ab0a9b7

SHA256
a0451e2d8083c11223e0a83491bb8858530b46b89174dfae5f0e0c6a668bd2b4

SHA512
e9919b384676cc2770fe6982821794d3a6ee9389f22ff802ccc55c953c82c99a10e0af3ffa44de03314671109ba98055e5fad67b816b65f4e972af4b80d1c117

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
964fd90a6b72d32c1af9acfa556f8d29

SHA1
14c8b22ab0e2cce6424ff7e92a80e1ea467cb30b

SHA256
e0e6455dc9711303222bef56eb99e12e20eb6e901dc96846e8e01cbadd0a9a4f

SHA512
3bb3746e5b7fd780f6fcdc7c577751abe45e83e8c32fd10689290edd3490187bf703ab63a71e5f2c623268b0fb9e30f0c8b0e77b827c53f62c8d2eec233e24e0

Download Submit
\AdobeOI\devbodec.exe

Filesize
2.7MB

MD5
8acde74c1224a919001315180da16e47

SHA1
90d9dd294350e13478b2a1b91215bdd7b88bca3e

SHA256
9be3e76ecc4232e6e4fe0bc2c75cb4bc98c7d58e11da76e86a271c5e22b7f669

SHA512
5e2e24c987b84237897a0580b8dea57afef16d54e9a483131298e699dd7e100cf1d8418d2666d40093223fd63012b8e7869b1ff692776b8b86286257d1024e1b

Download Submit