5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
08-07-2024 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
Size

3.1MB
MD5

925b22dc1a576ed35fc28c4eca27e4c9
SHA1

965928dfbe59b6f56dcbb337dafc624fcbacfb25
SHA256

5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a
SHA512

b70578bf8592ebc764881c10cc2fb60d3440dadc00e99d501855fa9e15f521d6d437da54891ce0a506a904d060fad87d03fcd07ce9a3f875818783eb2e637485
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB39w4Su+LNfej:+R0pI/IQlUoMPdmpSpD4JkNfej

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2112	devbodloc.exe

Loads dropped DLL 1 IoCs

pid	Process
348	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeRJ\\devbodloc.exe"	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid36\\optidevsys.exe"	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
348	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
348	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
2112	devbodloc.exe
348	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
2112	devbodloc.exe
348	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
2112	devbodloc.exe
348	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
2112	devbodloc.exe
348	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
2112	devbodloc.exe
348	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
2112	devbodloc.exe
348	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
2112	devbodloc.exe
348	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
2112	devbodloc.exe
348	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
2112	devbodloc.exe
348	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
2112	devbodloc.exe
348	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
2112	devbodloc.exe
348	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
2112	devbodloc.exe
348	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
2112	devbodloc.exe
348	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
2112	devbodloc.exe
348	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
2112	devbodloc.exe
348	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
2112	devbodloc.exe
348	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
2112	devbodloc.exe
348	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
2112	devbodloc.exe
348	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
2112	devbodloc.exe
348	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
2112	devbodloc.exe
348	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
2112	devbodloc.exe
348	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
2112	devbodloc.exe
348	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
2112	devbodloc.exe
348	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
2112	devbodloc.exe
348	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
2112	devbodloc.exe
348	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
2112	devbodloc.exe
348	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
2112	devbodloc.exe
348	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
2112	devbodloc.exe
348	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
2112	devbodloc.exe
348	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
2112	devbodloc.exe
348	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
2112	devbodloc.exe
348	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 348 wrote to memory of 2112	348	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe	30
PID 348 wrote to memory of 2112	348	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe	30
PID 348 wrote to memory of 2112	348	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe	30
PID 348 wrote to memory of 2112	348	5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe	30

C:\Users\Admin\AppData\Local\Temp\5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe
"C:\Users\Admin\AppData\Local\Temp\5f4a12aacb7660a1e91040f6d418944dfd32adf9eb5e3035aac9f970cb5ab86a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:348
- C:\AdobeRJ\devbodloc.exe
  C:\AdobeRJ\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
17d4bb30063da35b948b68149df03c40

SHA1
bef1e4611c99bc9d6d42335c5add88f18ef2a52a

SHA256
c55c3905821c1a194ca91b86d5d496e87b4555c3cf7532dec8d32f55a307a615

SHA512
6c0d6c2f224672a916fd7b4ae20ec924d9e342bc4c5f97f4688b8d17c9b8a75438aff421edcf49bf3d2e44c89467ba1f6d78c9e6c5f30ef983b039c08d11d098

Download Submit
C:\Vid36\optidevsys.exe

Filesize
3.1MB

MD5
26d245c8c6eabc2a373613177728f75f

SHA1
3f65d7b9924fb1ebc60155d384bb92bd87af6a75

SHA256
789a2f9890841cee3bbd34ab42b1688b454f76a471aebf866488f5f10db0f06e

SHA512
2ee02e6580bb5b53928d83d1469d5b8eb29077c65fe461a6c7ed6088128065729f8dd3fbdc0c01360f3b0ca98590d2a8c2fcadc63784db4f34bd30508fec3bf4

Download Submit
\AdobeRJ\devbodloc.exe

Filesize
3.1MB

MD5
ab022e9792dca4de5b20d8f955c21784

SHA1
3ee1c3a45db56436955095d00c53fb7500b04cca

SHA256
cf1d2387867fe4ef8f93d48207383c2566d37e3da9bde5a67b18d007544d28c3

SHA512
08a52ce869def451f19e2b670a3cd9d6c0a5f6117fd272cb9a613bfcdef9774dc2066dc72c8487e6ca9fe848d64f01e0f95be59370a2ae9c94382b688b5d73e8

Download Submit