862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
23-06-2024 23:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae.exe
Size

3.1MB
MD5

425db1edb91bf0d643214c8d7266ee65
SHA1

a751ef0778d8691e9183afa3713956ab5c15bc5b
SHA256

862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae
SHA512

310b86a6356896a4b815c414349f22122123f44e665438e61d1da36a3264f5b35490d281f3310d59b2a96afcd979fc2a6cf9be9b9175a930bb747d42f6d4914b
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBY9w4Su+LNfej:+R0pI/IQlUoMPdmpSp+4JkNfej

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2268	devbodec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv0A\\devbodec.exe"	862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ1H\\bodxec.exe"	862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4928	862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae.exe
4928	862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae.exe
4928	862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae.exe
4928	862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae.exe
2268	devbodec.exe
2268	devbodec.exe
4928	862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae.exe
4928	862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae.exe
2268	devbodec.exe
2268	devbodec.exe
4928	862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae.exe
4928	862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae.exe
2268	devbodec.exe
2268	devbodec.exe
4928	862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae.exe
4928	862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae.exe
2268	devbodec.exe
2268	devbodec.exe
4928	862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae.exe
4928	862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae.exe
2268	devbodec.exe
2268	devbodec.exe
4928	862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae.exe
4928	862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae.exe
2268	devbodec.exe
2268	devbodec.exe
4928	862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae.exe
4928	862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae.exe
2268	devbodec.exe
2268	devbodec.exe
4928	862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae.exe
4928	862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae.exe
2268	devbodec.exe
2268	devbodec.exe
4928	862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae.exe
4928	862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae.exe
2268	devbodec.exe
2268	devbodec.exe
4928	862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae.exe
4928	862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae.exe
2268	devbodec.exe
2268	devbodec.exe
4928	862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae.exe
4928	862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae.exe
2268	devbodec.exe
2268	devbodec.exe
4928	862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae.exe
4928	862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae.exe
2268	devbodec.exe
2268	devbodec.exe
4928	862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae.exe
4928	862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae.exe
2268	devbodec.exe
2268	devbodec.exe
4928	862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae.exe
4928	862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae.exe
2268	devbodec.exe
2268	devbodec.exe
4928	862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae.exe
4928	862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae.exe
2268	devbodec.exe
2268	devbodec.exe
4928	862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae.exe
4928	862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 2268	4928	862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae.exe	86
PID 4928 wrote to memory of 2268	4928	862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae.exe	86
PID 4928 wrote to memory of 2268	4928	862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae.exe	86

C:\Users\Admin\AppData\Local\Temp\862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae.exe
"C:\Users\Admin\AppData\Local\Temp\862e2fa21107d295702c1488196e45bd51516b8ab850d8be8b5221e1f3d6d4ae.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4928
- C:\SysDrv0A\devbodec.exe
  C:\SysDrv0A\devbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZ1H\bodxec.exe

Filesize
25KB

MD5
a4ffa3f6514967c0a003ff7c14b2f9b7

SHA1
7c838d5e248d0f1b2c4b63e9b8bf7895f9944e8d

SHA256
312867a13d78cf177646dd16617ea389f196941947443d0aa3db5af82df1839e

SHA512
a14e62941a20b35e0225bc6dcf7751240b936274d4a15df5518cb68002e7bcc205d35c2dd8bdab5e23bda17247fc1c5bff8388579b4af8f4084452f56cae8e6c

Download Submit
C:\SysDrv0A\devbodec.exe

Filesize
3.1MB

MD5
29ce3746f48c69d9351ce444fcedb582

SHA1
a84c50ca68f5ed8cb7bae4831299ea8993609674

SHA256
290f95ea1e7206b2e27b98bcb830a94ca3655ca6f2ec9900aa08ca1ba3e27ae7

SHA512
af0b2aabe7c2631e0cce06c2f07f4444bfac24e0f1c6f940b24eac5012a9f220e9973dda31d48af4ec715fdca51cf8a38d9e27b9f2ace59afac42e6f215c00de

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
39e93e5690a995fd77fc8bfc7ecdc43f

SHA1
12a67e34b040c1ced900c6a34909bf99de5ed12c

SHA256
e8fdc8cbd3ea679cfcdae698bf6559e987dfac0084b71c51324403ed7221bdd9

SHA512
9e50c313e818805eab6051ff8b21dad9e291043e93750fc96259e346b404a64c375f62c273fb4d4751818c4d5dea84b6e16c812a75d3c75502a14f0b37d49de2

Download Submit