038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
19/06/2024, 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
Size

2.7MB
MD5

ad68e1539676f574bf98960072aa7102
SHA1

df79721d0f842a62ef8d45c57e7228edf6cead35
SHA256

038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b
SHA512

e72790069494054cdd3ab17f58d28f87d0378048f21b86aa7601c6c36d84324037ee7bd0903038ba1386496ed844c8a7c89998a38462fafccf45a6957b6223f0
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBYG9w4Sx:+R0pI/IQlUoMPdmpSpl4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2208	devdobec.exe

Loads dropped DLL 1 IoCs

pid	Process
840	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe7W\\devdobec.exe"	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintRT\\optidevsys.exe"	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
840	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
840	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2208	devdobec.exe
840	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2208	devdobec.exe
840	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2208	devdobec.exe
840	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2208	devdobec.exe
840	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2208	devdobec.exe
840	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2208	devdobec.exe
840	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2208	devdobec.exe
840	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2208	devdobec.exe
840	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2208	devdobec.exe
840	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2208	devdobec.exe
840	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2208	devdobec.exe
840	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2208	devdobec.exe
840	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2208	devdobec.exe
840	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2208	devdobec.exe
840	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2208	devdobec.exe
840	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2208	devdobec.exe
840	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2208	devdobec.exe
840	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2208	devdobec.exe
840	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2208	devdobec.exe
840	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2208	devdobec.exe
840	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2208	devdobec.exe
840	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2208	devdobec.exe
840	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2208	devdobec.exe
840	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2208	devdobec.exe
840	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2208	devdobec.exe
840	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2208	devdobec.exe
840	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2208	devdobec.exe
840	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2208	devdobec.exe
840	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2208	devdobec.exe
840	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2208	devdobec.exe
840	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
2208	devdobec.exe
840	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 2208	840	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe	28
PID 840 wrote to memory of 2208	840	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe	28
PID 840 wrote to memory of 2208	840	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe	28
PID 840 wrote to memory of 2208	840	038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe	28

C:\Users\Admin\AppData\Local\Temp\038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe
"C:\Users\Admin\AppData\Local\Temp\038d3533bcd856f060f0b13225a795d644b3b5e0b564ea3128753a700d97fd8b.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:840
- C:\Adobe7W\devdobec.exe
  C:\Adobe7W\devdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintRT\optidevsys.exe

Filesize
2.7MB

MD5
7fe46c1f1fab8910edb2a6d1d621b92f

SHA1
9bd293c2563d9d7eb48d9c60ce0b133353d434a9

SHA256
efd016a55b7bacdaa4e98ba6fc6ff8e1655619c086824cfa12332c6f15d27d96

SHA512
9b007eff18aae27c6553db40025a4dfba9e9883c6e550f77690130a223161e035250e21f0ecab66559eb5d92d61728611333f30df2559c9242f870f9efa9361e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
0b37c6951b4ef7993ffa74b5a90ededb

SHA1
bb0007eda2be561c0c1cca05bcc8e3cb858f36e8

SHA256
ba7fb9348a0733e633dfefbd0e2935264bb3767341c7e40e164c0c083e045824

SHA512
cfc92cbb129ee95d31089260c37a67d8abd8aa26b9ac67c5c7472e31d84c41b089fb75172667292a0fea1767956463b778138458fa1f4c674b01dd6cd286d59e

Download Submit
\Adobe7W\devdobec.exe

Filesize
2.7MB

MD5
b8c1b2c20774bb7548f367b16ccca5e0

SHA1
5a2d6b87168acbf5a5b6987cfbb5ff1f4c974cd8

SHA256
3decc3213e6a891ee3b509dc484d1268acb5a4d6a3d8247cb468e99970c32430

SHA512
09669d9f3cac488eaaf0c09ef9dafda569d0a621dce6e8758c994e1ba6108bd26e213038adc6096bff6bc84a9b5ade81939182d8e3acccd86ce8cf007837b0a0

Download Submit