379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 04:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe.exe
Size

2.7MB
MD5

934e2e7af4dcbcc40c3dda39c5a74d70
SHA1

f481bd71fbab07d9ff223a4de7c1abc497bfad5d
SHA256

379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe
SHA512

9dc7f6f658e2dbd3bd92711dd1c4bfa5babe26adabd7c36025c27f5a158d29e76144c358b31188c580220235085a7b7f941296f09d54b85fb6c2d41fbe83a479
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBr9w4Sx:+R0pI/IQlUoMPdmpSp/4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3064	devbodloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax7G\\optialoc.exe"	379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesD3\\devbodloc.exe"	379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2388	379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe.exe
2388	379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe.exe
2388	379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe.exe
2388	379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe.exe
3064	devbodloc.exe
3064	devbodloc.exe
2388	379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe.exe
2388	379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe.exe
3064	devbodloc.exe
3064	devbodloc.exe
2388	379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe.exe
2388	379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe.exe
3064	devbodloc.exe
3064	devbodloc.exe
2388	379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe.exe
2388	379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe.exe
3064	devbodloc.exe
3064	devbodloc.exe
2388	379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe.exe
2388	379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe.exe
3064	devbodloc.exe
3064	devbodloc.exe
2388	379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe.exe
2388	379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe.exe
3064	devbodloc.exe
3064	devbodloc.exe
2388	379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe.exe
2388	379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe.exe
3064	devbodloc.exe
3064	devbodloc.exe
2388	379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe.exe
2388	379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe.exe
3064	devbodloc.exe
3064	devbodloc.exe
2388	379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe.exe
2388	379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe.exe
3064	devbodloc.exe
3064	devbodloc.exe
2388	379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe.exe
2388	379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe.exe
3064	devbodloc.exe
3064	devbodloc.exe
2388	379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe.exe
2388	379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe.exe
3064	devbodloc.exe
3064	devbodloc.exe
2388	379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe.exe
2388	379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe.exe
3064	devbodloc.exe
3064	devbodloc.exe
2388	379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe.exe
2388	379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe.exe
3064	devbodloc.exe
3064	devbodloc.exe
2388	379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe.exe
2388	379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe.exe
3064	devbodloc.exe
3064	devbodloc.exe
2388	379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe.exe
2388	379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe.exe
3064	devbodloc.exe
3064	devbodloc.exe
2388	379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe.exe
2388	379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 3064	2388	379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe.exe	83
PID 2388 wrote to memory of 3064	2388	379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe.exe	83
PID 2388 wrote to memory of 3064	2388	379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe.exe	83

C:\Users\Admin\AppData\Local\Temp\379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe.exe
"C:\Users\Admin\AppData\Local\Temp\379366a6ca793af845c08e3571f2adc77bc6751e52ac6ee5979c3b0d55ca36fe.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2388
- C:\FilesD3\devbodloc.exe
  C:\FilesD3\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesD3\devbodloc.exe

Filesize
2.7MB

MD5
e5155066a2aa837fadb349d0ecd4b144

SHA1
2e59c66bdde30846621f63b9b623cfba0058de31

SHA256
ac1e68e510c430e9f7c77c21e4ed316e327fe88dd3228a7b6dfc2919f8f9c0de

SHA512
ab3801b3a11061c62cdd39d721a7236e5b31a04f1a4732c96148f886f4406195e388ac2c56d410fba013448ef71cf8ce62c1b1c78cf5d997bdb219ac68649388

Download Submit
C:\Galax7G\optialoc.exe

Filesize
1.2MB

MD5
81eb50615fff3b4353279b3712f7778a

SHA1
712dea200e5574bba9a9ff1c32ac7671751e4d53

SHA256
38e81405576c0c9b6f798af40917e05f5c893233e813d8a7f4abdc6c0f8fc792

SHA512
9f8d23881455f39d39d7f276e6a5068c5dcfecf25c7891f1b7b51e906d4b6feaa89ed1f162d8d8d760d4e7e6f752c6b1828b40d22a22f4a027cfaddc62e58c62

Download Submit
C:\Galax7G\optialoc.exe

Filesize
2.7MB

MD5
bc50bfe7d7e782b94a81345aa7f834fb

SHA1
2897eacb21b03145989014deb71fae83f9524f35

SHA256
f812cb2daa1bf708d6f118e5b4374f6eb7d707e2489f71f4e49b46e9cd3dd0be

SHA512
08b78d5331552b621c06027088e9fdd696f84992a3c6c57eba027c91a780fba13606fe8ae063463b388314a71dd84609e8e06ae6f55fc3374876c3ea36268fcf

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
00bb6fe7964fdd4353cd9dff362db5eb

SHA1
1955084f73ed22edced240c75338883201399682

SHA256
eec08303d190b2e18e47b2411e4ebcd78af90479783966e1208c7804249d99c9

SHA512
4c2d1ea31324faefae0489d2b1166d3996f3070b18f7a2eedc24a2ccd903f08a276539236a7d799dd4afb42cecfba1e606c01eadc9a9fb523aab167fbe392afc

Download Submit