44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9

Analysis

max time kernel
149s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
Size

4.1MB
MD5

093801dc2cdc097ea4478090e197fcc0
SHA1

db3a1283e1f7b0f8e7c748bd035cf5f81be459ad
SHA256

44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9
SHA512

686afe64da35c1415dc4ce5586da726aeaeee6cf31c46d6a3160a11e67d63b959fb626d8d3de77f2f5efb4044a6bab132c7d86c239900866100b109badbdc10e
SSDEEP

98304:+R0pI/IQlUoMPdmpSp84ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdm75n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1548	devdobloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeAT\\devdobloc.exe"	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidKE\\optidevsys.exe"	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2552	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2552	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2552	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2552	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
1548	devdobloc.exe
1548	devdobloc.exe
2552	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2552	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
1548	devdobloc.exe
1548	devdobloc.exe
2552	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2552	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
1548	devdobloc.exe
1548	devdobloc.exe
2552	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2552	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
1548	devdobloc.exe
1548	devdobloc.exe
2552	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2552	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
1548	devdobloc.exe
1548	devdobloc.exe
2552	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2552	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
1548	devdobloc.exe
1548	devdobloc.exe
2552	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2552	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
1548	devdobloc.exe
1548	devdobloc.exe
2552	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2552	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
1548	devdobloc.exe
1548	devdobloc.exe
2552	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2552	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
1548	devdobloc.exe
1548	devdobloc.exe
2552	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2552	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
1548	devdobloc.exe
1548	devdobloc.exe
2552	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2552	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
1548	devdobloc.exe
1548	devdobloc.exe
2552	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2552	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
1548	devdobloc.exe
1548	devdobloc.exe
2552	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2552	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
1548	devdobloc.exe
1548	devdobloc.exe
2552	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2552	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
1548	devdobloc.exe
1548	devdobloc.exe
2552	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2552	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
1548	devdobloc.exe
1548	devdobloc.exe
2552	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
2552	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 1548	2552	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe	81
PID 2552 wrote to memory of 1548	2552	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe	81
PID 2552 wrote to memory of 1548	2552	44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe	81

C:\Users\Admin\AppData\Local\Temp\44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe
"C:\Users\Admin\AppData\Local\Temp\44e3419466cd67d0c32e70f795bb6bd10a98e41ce843313014d9d5168b8cfad9.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2552
- C:\AdobeAT\devdobloc.exe
  C:\AdobeAT\devdobloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeAT\devdobloc.exe

Filesize
4.1MB

MD5
63a9f4571840432aa02f3d83fbe3aa96

SHA1
54b84f44d0597ae18d8a0ab59dddc923d6f1bea1

SHA256
f8c55cbf4878365f4b63239aa1b4e5cdabdab31b7c7884a358f5e9a4a1ce52ae

SHA512
6a1102752bf149f9b9adc4c12503ea2ecd452ce30229293543192fb0d8d7c3be5a7abdeeb47c633c8e94495ee93bf1d851bfd6237debfaa4ee6a4788c16b0e15

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
207B

MD5
105a486180d4822f2e0967be5265f432

SHA1
be5d7070421a811178b78fed9fe89dba7b698e79

SHA256
94f8bd43296c8c13d6425441f2bce2e9d3a7c590285b9c21e46ffa879d92a82e

SHA512
a046dfb2081dca6f9108dbc8052bb35cbfaaed40e98b798b7cf776359439a600d04c3362587fe1ed8acb2bfe3047e436bceb53af009eab5a0e284ad67b5a2cad

Download Submit
C:\VidKE\optidevsys.exe

Filesize
4.1MB

MD5
3facf8d40603647809379e0ad6120e35

SHA1
9b4d9fc7dff55f5175b69685efd14c5c13de400f

SHA256
19b61e2abf81b804a7e3370a8ea71590ec602e50fb59e4a868981f3a9b9c61d1

SHA512
d38129ca0b38178541a1463edbcd6b78ebd74f43af73b5007f58ec5d28315034f9b0afa79249d756c18cf84a4718f83823b6b557877d5b9d0704d56726c7f692

Download Submit