b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103.exe
Size

2.7MB
MD5

caa6927e48f23b19da29925bfd0af3f5
SHA1

d4a4cec3c207b0629a3c11824f30a660d920fa93
SHA256

b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103
SHA512

be1ff43dad4545edbc554c5561b52946023733ed6bb5521ab1cdc3b69155ba1d9d6ed2490b1b6f77a105cc7ff1dca0368131c1e1ca74e1b5ba6e6218bee8c377
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBx9w4Sx:+R0pI/IQlUoMPdmpSp14

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2984	devbodsys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe18\\devbodsys.exe"	b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ8U\\optidevsys.exe"	b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2552	b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103.exe
2552	b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103.exe
2552	b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103.exe
2552	b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103.exe
2984	devbodsys.exe
2984	devbodsys.exe
2552	b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103.exe
2552	b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103.exe
2984	devbodsys.exe
2984	devbodsys.exe
2552	b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103.exe
2552	b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103.exe
2984	devbodsys.exe
2984	devbodsys.exe
2552	b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103.exe
2552	b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103.exe
2984	devbodsys.exe
2984	devbodsys.exe
2552	b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103.exe
2552	b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103.exe
2984	devbodsys.exe
2984	devbodsys.exe
2552	b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103.exe
2552	b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103.exe
2984	devbodsys.exe
2984	devbodsys.exe
2552	b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103.exe
2552	b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103.exe
2984	devbodsys.exe
2984	devbodsys.exe
2552	b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103.exe
2552	b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103.exe
2984	devbodsys.exe
2984	devbodsys.exe
2552	b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103.exe
2552	b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103.exe
2984	devbodsys.exe
2984	devbodsys.exe
2552	b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103.exe
2552	b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103.exe
2984	devbodsys.exe
2984	devbodsys.exe
2552	b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103.exe
2552	b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103.exe
2984	devbodsys.exe
2984	devbodsys.exe
2552	b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103.exe
2552	b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103.exe
2984	devbodsys.exe
2984	devbodsys.exe
2552	b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103.exe
2552	b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103.exe
2984	devbodsys.exe
2984	devbodsys.exe
2552	b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103.exe
2552	b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103.exe
2984	devbodsys.exe
2984	devbodsys.exe
2552	b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103.exe
2552	b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103.exe
2984	devbodsys.exe
2984	devbodsys.exe
2552	b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103.exe
2552	b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2984	2552	b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103.exe	84
PID 2552 wrote to memory of 2984	2552	b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103.exe	84
PID 2552 wrote to memory of 2984	2552	b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103.exe	84

C:\Users\Admin\AppData\Local\Temp\b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103.exe
"C:\Users\Admin\AppData\Local\Temp\b5d30225793682d1211fd96e27b0394ebff59e7aa48f45d1d9df07d99e237103.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Adobe18\devbodsys.exe
  C:\Adobe18\devbodsys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe18\devbodsys.exe

Filesize
2.7MB

MD5
fa2863636f5a4085176976256375b475

SHA1
356611d94ecfa16996dd200565a79fcf40698dd4

SHA256
d1799f950b6f901dff820238cd612d7cac0ad826aaf7191796cd36ae9c25bf0c

SHA512
ce7b4ee838a1c81fd7106cc8534c55075e8dbb4a7c6ea1efa01907778db8627b12ec0b8928867107e7f913ba88d0dd893df6def41129bf363d5b6f1f41488867

Download Submit
C:\LabZ8U\optidevsys.exe

Filesize
2.7MB

MD5
71adfba0ef9220d66a94d5bce52f6833

SHA1
342bf7aae65823a8f7740f6e0ece24ae72a1f02f

SHA256
22573438608fc9a3e330ee4d09de3cc19295404b2c7a826ed729a91e51021ae3

SHA512
aa69f601ff4c2071390f0fbf99345ee17396a149f0c51ef993e7f5cc43ae4f12ca4d1055d4df7ed396aef84ec5d04ae77bcbc1ebcb45d3a11a600da5b5a050e1

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
207B

MD5
e99b405d663962d733ec6af43c390095

SHA1
d3338292c9e7eee96e69689963465827d9f0ac25

SHA256
8c534568135b3d0565d1f6aa3c32e1887da9b6da72ff3d5d22a85d132897d956

SHA512
dbf12997b8eb4d135b432bc2234a89075b21a0882034cca71e4aea4728dc16a85b98386f33a1c44a3f38d26e55eff0201c42dfc1298c53f18c65f0375aa78ddb

Download Submit