f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 05:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
Size

2.7MB
MD5

101637be78dac80a40b022e5ee2877fd
SHA1

e31cb18fbdd8d74d6eba90e93ad6c82444d1cf80
SHA256

f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322
SHA512

5e5ab7c38d3dc0855b04558fe58bce8acd90d4cdac5df0f11018ef37c2410632822cb7786ad6bdc2fff8a71b217e717ca76cc98e794b0a266fcc82102952a33e
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB79w4Sx:+R0pI/IQlUoMPdmpSpP4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2404	devbodec.exe

Loads dropped DLL 1 IoCs

pid	Process
2752	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeOI\\devbodec.exe"	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax4X\\dobdevsys.exe"	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2752	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
2752	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
2404	devbodec.exe
2752	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
2404	devbodec.exe
2752	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
2404	devbodec.exe
2752	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
2404	devbodec.exe
2752	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
2404	devbodec.exe
2752	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
2404	devbodec.exe
2752	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
2404	devbodec.exe
2752	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
2404	devbodec.exe
2752	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
2404	devbodec.exe
2752	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
2404	devbodec.exe
2752	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
2404	devbodec.exe
2752	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
2404	devbodec.exe
2752	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
2404	devbodec.exe
2752	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
2404	devbodec.exe
2752	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
2404	devbodec.exe
2752	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
2404	devbodec.exe
2752	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
2404	devbodec.exe
2752	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
2404	devbodec.exe
2752	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
2404	devbodec.exe
2752	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
2404	devbodec.exe
2752	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
2404	devbodec.exe
2752	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
2404	devbodec.exe
2752	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
2404	devbodec.exe
2752	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
2404	devbodec.exe
2752	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
2404	devbodec.exe
2752	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
2404	devbodec.exe
2752	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
2404	devbodec.exe
2752	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
2404	devbodec.exe
2752	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
2404	devbodec.exe
2752	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
2404	devbodec.exe
2752	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
2404	devbodec.exe
2752	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 2404	2752	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe	28
PID 2752 wrote to memory of 2404	2752	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe	28
PID 2752 wrote to memory of 2404	2752	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe	28
PID 2752 wrote to memory of 2404	2752	f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe	28

C:\Users\Admin\AppData\Local\Temp\f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe
"C:\Users\Admin\AppData\Local\Temp\f759478397b622d5f89c7624bba227f930973aee84f2b25ada05cb91f34f8322.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2752
- C:\AdobeOI\devbodec.exe
  C:\AdobeOI\devbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax4X\dobdevsys.exe

Filesize
27KB

MD5
fa4154d2ae054a07831af152d619e1c7

SHA1
d0f03cd2385840407a1cb3f3caf803312eb43555

SHA256
f171a86a1c3dde8cb40109ff6885e71e41d04b909f93f1ce13fdc81942bd9b79

SHA512
60f1997584cfea7539d47845c173f15faad4eaeddb5fd5938b88d59d36fe29e6a6d25eb6520a604030b47f89c3a51015c3c71c3c992e804ba4ea59c3e860175f

Download Submit
C:\Galax4X\dobdevsys.exe

Filesize
2.7MB

MD5
fe14c5fd5c5d64eaa1e38392a681fc4a

SHA1
b7604cc432921e68380f2a2dddef9ea2f83b1364

SHA256
1557ecab10a6f7067e197eed53421962fe84f9435018a6640fce7f2dc4fa253e

SHA512
638560c1a6896c80a263eeddc26f86ebda3e1997402c868f16a9b699168dc1bc20e258fdbe92d1e24ef7877256b3452cfe7b439a889f4d37ce5fc94b913ccd97

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
350db414f6c820e8741983b9a43efe7f

SHA1
3a6f0cc33ec15debbac3b9af59ce6553cbce39be

SHA256
99898c233bedbb36c30691ebceca5f2bc64937f8aaa3691b773b6f40a57dab84

SHA512
e7191c1380ba014c5d2eca6531bda73868d28908fdceb3217e6b21a0a24a62db411a6699d2dbe5093146b50d2b7616b4d8a09a59b46909d3f2790c0a2ab3954a

Download Submit
\AdobeOI\devbodec.exe

Filesize
2.7MB

MD5
58a6842ebff32922c0a809c2a82093ff

SHA1
7d67b74ecbe98f0c5771f89622d69a35ef8d4fb8

SHA256
dfd025837e2cbd94fc4508de5b0f3b75e764e8b81cef409ecffba916079d8735

SHA512
e8cb3d6bc41d13f111e0269ddefcdcf8b57c6f7fa080ce36266cde531faaac81706dff618e2878efc6a14373909949783e1334cdc4cf26180e69fc13d25e7b27

Download Submit