70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 23:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe
Size

2.7MB
MD5

de0f36c729fea128763a77d293d90545
SHA1

361579b76cdbd3325b4d3aa6920236ace5962968
SHA256

70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8
SHA512

e7b564e5f4898e531ef9b879104d21a0f92e0856cea5a89d7f06579ca49b3a5491407df2a0891f246a17c528ea5a68b72fb3cf5a3a3adc66e438b8448c25af8a
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBo9w4Sx:+R0pI/IQlUoMPdmpSpe4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1896	devbodec.exe

Loads dropped DLL 1 IoCs

pid	Process
2832	70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotAB\\devbodec.exe"	70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintUE\\optiaec.exe"	70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2832	70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe
2832	70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe
1896	devbodec.exe
2832	70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe
1896	devbodec.exe
2832	70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe
1896	devbodec.exe
2832	70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe
1896	devbodec.exe
2832	70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe
1896	devbodec.exe
2832	70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe
1896	devbodec.exe
2832	70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe
1896	devbodec.exe
2832	70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe
1896	devbodec.exe
2832	70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe
1896	devbodec.exe
2832	70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe
1896	devbodec.exe
2832	70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe
1896	devbodec.exe
2832	70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe
1896	devbodec.exe
2832	70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe
1896	devbodec.exe
2832	70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe
1896	devbodec.exe
2832	70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe
1896	devbodec.exe
2832	70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe
1896	devbodec.exe
2832	70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe
1896	devbodec.exe
2832	70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe
1896	devbodec.exe
2832	70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe
1896	devbodec.exe
2832	70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe
1896	devbodec.exe
2832	70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe
1896	devbodec.exe
2832	70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe
1896	devbodec.exe
2832	70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe
1896	devbodec.exe
2832	70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe
1896	devbodec.exe
2832	70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe
1896	devbodec.exe
2832	70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe
1896	devbodec.exe
2832	70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe
1896	devbodec.exe
2832	70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe
1896	devbodec.exe
2832	70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe
1896	devbodec.exe
2832	70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe
1896	devbodec.exe
2832	70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe
1896	devbodec.exe
2832	70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 1896	2832	70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe	28
PID 2832 wrote to memory of 1896	2832	70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe	28
PID 2832 wrote to memory of 1896	2832	70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe	28
PID 2832 wrote to memory of 1896	2832	70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe	28

C:\Users\Admin\AppData\Local\Temp\70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe
"C:\Users\Admin\AppData\Local\Temp\70fd17a983ed828ffbbf70795c7a0601c97cf28a461705d385cfd46649587ec8.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2832
- C:\UserDotAB\devbodec.exe
  C:\UserDotAB\devbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintUE\optiaec.exe

Filesize
2.7MB

MD5
adaee1c87c60db84e878d2cc245db804

SHA1
d27eae3a78ac0ec0a73decd79346f590a4f18646

SHA256
f629f534afa2a37af2e9fe59fa9175d5ee1e6cacb327e7d222655747a34c8a24

SHA512
dcf5062d07b25e36831131c6545f699f842eda3ebce421de0f698040001542c9821c1e40a2e3fb6e384e367c5da5ebdccc7fcccbef9ca02f7a47be526c6e78d7

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
2634e3ab0076d2a64d693f8702abd06d

SHA1
54c958cf87f286d637335944891f1320e32f135a

SHA256
b72dd8215824ea01811fec95fe0a728a2f348831aba38bc5fd79f7b565d8c670

SHA512
7bcc78c03fd7a77527598d62549d0df0975b64055eff80d314826348b873b861615be8dc89551734853581e58e9877fb960c05222e94c050ee00f65a8ba6e93b

Download Submit
\UserDotAB\devbodec.exe

Filesize
2.7MB

MD5
babcebab4d8348aafdb31aec8fa69e0c

SHA1
3d874cfe2f946ada39f2172d66b0fb0244317efc

SHA256
c4681c4b621e9b521da169bad45739518fd478e69a6993c9ffd3d85534da82f2

SHA512
5d45b825348c5ea84728558a091902753151ebb8e695a65a8957e245d9fad3c125d6725ab35980b606e0a113a07b62131fb224e670bc911f4a8b9cfa88b75fbb

Download Submit