18fab9097be31427c55fc1661ebf7635caa0e65a17965b01228b8505049a3ce7

Analysis

max time kernel
149s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45cf9b38c2abb92e59fb4a2995a91d20N.exe
Size

2.7MB
MD5

45cf9b38c2abb92e59fb4a2995a91d20
SHA1

80ded2ec4435d3a1c6554be6a22ab0b56fc14bbf
SHA256

18fab9097be31427c55fc1661ebf7635caa0e65a17965b01228b8505049a3ce7
SHA512

0a6ec45908e9a9f21fb271e47813e23cfe4f0c3a3fbef1abdc477f8691b2a4cbc7d423e958d6206584808d7c0030218cb56cbeb6e32895cc51bd006781988b0b
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBK9w4Sx:+R0pI/IQlUoMPdmpSpM4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4472	devbodec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeDO\\devbodec.exe"	45cf9b38c2abb92e59fb4a2995a91d20N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxSM\\optidevloc.exe"	45cf9b38c2abb92e59fb4a2995a91d20N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4588	45cf9b38c2abb92e59fb4a2995a91d20N.exe
4588	45cf9b38c2abb92e59fb4a2995a91d20N.exe
4588	45cf9b38c2abb92e59fb4a2995a91d20N.exe
4588	45cf9b38c2abb92e59fb4a2995a91d20N.exe
4472	devbodec.exe
4472	devbodec.exe
4588	45cf9b38c2abb92e59fb4a2995a91d20N.exe
4588	45cf9b38c2abb92e59fb4a2995a91d20N.exe
4472	devbodec.exe
4472	devbodec.exe
4588	45cf9b38c2abb92e59fb4a2995a91d20N.exe
4588	45cf9b38c2abb92e59fb4a2995a91d20N.exe
4472	devbodec.exe
4472	devbodec.exe
4588	45cf9b38c2abb92e59fb4a2995a91d20N.exe
4588	45cf9b38c2abb92e59fb4a2995a91d20N.exe
4472	devbodec.exe
4472	devbodec.exe
4588	45cf9b38c2abb92e59fb4a2995a91d20N.exe
4588	45cf9b38c2abb92e59fb4a2995a91d20N.exe
4472	devbodec.exe
4472	devbodec.exe
4588	45cf9b38c2abb92e59fb4a2995a91d20N.exe
4588	45cf9b38c2abb92e59fb4a2995a91d20N.exe
4472	devbodec.exe
4472	devbodec.exe
4588	45cf9b38c2abb92e59fb4a2995a91d20N.exe
4588	45cf9b38c2abb92e59fb4a2995a91d20N.exe
4472	devbodec.exe
4472	devbodec.exe
4588	45cf9b38c2abb92e59fb4a2995a91d20N.exe
4588	45cf9b38c2abb92e59fb4a2995a91d20N.exe
4472	devbodec.exe
4472	devbodec.exe
4588	45cf9b38c2abb92e59fb4a2995a91d20N.exe
4588	45cf9b38c2abb92e59fb4a2995a91d20N.exe
4472	devbodec.exe
4472	devbodec.exe
4588	45cf9b38c2abb92e59fb4a2995a91d20N.exe
4588	45cf9b38c2abb92e59fb4a2995a91d20N.exe
4472	devbodec.exe
4472	devbodec.exe
4588	45cf9b38c2abb92e59fb4a2995a91d20N.exe
4588	45cf9b38c2abb92e59fb4a2995a91d20N.exe
4472	devbodec.exe
4472	devbodec.exe
4588	45cf9b38c2abb92e59fb4a2995a91d20N.exe
4588	45cf9b38c2abb92e59fb4a2995a91d20N.exe
4472	devbodec.exe
4472	devbodec.exe
4588	45cf9b38c2abb92e59fb4a2995a91d20N.exe
4588	45cf9b38c2abb92e59fb4a2995a91d20N.exe
4472	devbodec.exe
4472	devbodec.exe
4588	45cf9b38c2abb92e59fb4a2995a91d20N.exe
4588	45cf9b38c2abb92e59fb4a2995a91d20N.exe
4472	devbodec.exe
4472	devbodec.exe
4588	45cf9b38c2abb92e59fb4a2995a91d20N.exe
4588	45cf9b38c2abb92e59fb4a2995a91d20N.exe
4472	devbodec.exe
4472	devbodec.exe
4588	45cf9b38c2abb92e59fb4a2995a91d20N.exe
4588	45cf9b38c2abb92e59fb4a2995a91d20N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 4472	4588	45cf9b38c2abb92e59fb4a2995a91d20N.exe	86
PID 4588 wrote to memory of 4472	4588	45cf9b38c2abb92e59fb4a2995a91d20N.exe	86
PID 4588 wrote to memory of 4472	4588	45cf9b38c2abb92e59fb4a2995a91d20N.exe	86

C:\Users\Admin\AppData\Local\Temp\45cf9b38c2abb92e59fb4a2995a91d20N.exe
"C:\Users\Admin\AppData\Local\Temp\45cf9b38c2abb92e59fb4a2995a91d20N.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4588
- C:\AdobeDO\devbodec.exe
  C:\AdobeDO\devbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeDO\devbodec.exe

Filesize
2.7MB

MD5
16a65215de109e0469d6d19514c88ded

SHA1
0af3ca1c99ac6b09b2361c2a6f59a94d9b7cd3fd

SHA256
e36c9102103c951103158b9ac193879d2bcdbb26f8130b73e208abbdbfd6d5a4

SHA512
0878752791504195bb228e9ef8d73dddecb0c2886b9d72cc5a3ebeb5728a1c4a04210e75401b369496f25d58351a9fef02457991bec06bc21e2d93bd916847a0

Download Submit
C:\GalaxSM\optidevloc.exe

Filesize
2.7MB

MD5
004f564fac92620863e5db8be9e507ac

SHA1
3c966b57bbc8be4bec2dbbd0e7dfbb3aa6b9fbfe

SHA256
aca865315cba2619a63478824cfe80010632ef396ed01f0b11fe9ba697e5d129

SHA512
88672d0960bff291d2b34efa3d44237aa29b99b7ff4e7a8807d7df7903d04400f14e4b7f3978b0f017c3295a2508055c8b732b3ff3ee785972c410d97d4015cb

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
1e560e3bdc6ca2c92bd9b44092f898fb

SHA1
85d879a80ce30f2bc946cf55e0b6d01676fa3c1d

SHA256
4e5a9d1b80e96c61e3d72f7ec59bbd560696cda8f8efa7ce9e18d15fcf081df5

SHA512
d0b28225bf5ca58d72f0c57a73a5e78fdfc397e54af0dca9df7d0c49eacb0cc1473b6d867074cd85255f36215b25a7baafdf8bb0db253aa3dc124bf80c6c7b12

Download Submit