54ace1c95f75914d0c5a8edf4e653b972b27554a150968d8ebd976422ccc1ebc

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 22:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fbe87883fe52a2df62e136fdb4f78b0N.exe
Size

2.7MB
MD5

1fbe87883fe52a2df62e136fdb4f78b0
SHA1

80e7adc046d8f589ca697d1b5a068cb87a6b7321
SHA256

54ace1c95f75914d0c5a8edf4e653b972b27554a150968d8ebd976422ccc1ebc
SHA512

d129bea16cfaddc7992cdfa8cce04ef5e539c26778fee904d844cca34c0c334f2508aeb3a10d6b9bce23f16c65d80e70c04793c43ef3b0b2ac5f925755811207
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBS9w4Sx:+R0pI/IQlUoMPdmpSpE4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2728	devbodec.exe

Loads dropped DLL 1 IoCs

pid	Process
2708	1fbe87883fe52a2df62e136fdb4f78b0N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc36\\devbodec.exe"	1fbe87883fe52a2df62e136fdb4f78b0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint1S\\optixloc.exe"	1fbe87883fe52a2df62e136fdb4f78b0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2708	1fbe87883fe52a2df62e136fdb4f78b0N.exe
2708	1fbe87883fe52a2df62e136fdb4f78b0N.exe
2728	devbodec.exe
2708	1fbe87883fe52a2df62e136fdb4f78b0N.exe
2728	devbodec.exe
2708	1fbe87883fe52a2df62e136fdb4f78b0N.exe
2728	devbodec.exe
2708	1fbe87883fe52a2df62e136fdb4f78b0N.exe
2728	devbodec.exe
2708	1fbe87883fe52a2df62e136fdb4f78b0N.exe
2728	devbodec.exe
2708	1fbe87883fe52a2df62e136fdb4f78b0N.exe
2728	devbodec.exe
2708	1fbe87883fe52a2df62e136fdb4f78b0N.exe
2728	devbodec.exe
2708	1fbe87883fe52a2df62e136fdb4f78b0N.exe
2728	devbodec.exe
2708	1fbe87883fe52a2df62e136fdb4f78b0N.exe
2728	devbodec.exe
2708	1fbe87883fe52a2df62e136fdb4f78b0N.exe
2728	devbodec.exe
2708	1fbe87883fe52a2df62e136fdb4f78b0N.exe
2728	devbodec.exe
2708	1fbe87883fe52a2df62e136fdb4f78b0N.exe
2728	devbodec.exe
2708	1fbe87883fe52a2df62e136fdb4f78b0N.exe
2728	devbodec.exe
2708	1fbe87883fe52a2df62e136fdb4f78b0N.exe
2728	devbodec.exe
2708	1fbe87883fe52a2df62e136fdb4f78b0N.exe
2728	devbodec.exe
2708	1fbe87883fe52a2df62e136fdb4f78b0N.exe
2728	devbodec.exe
2708	1fbe87883fe52a2df62e136fdb4f78b0N.exe
2728	devbodec.exe
2708	1fbe87883fe52a2df62e136fdb4f78b0N.exe
2728	devbodec.exe
2708	1fbe87883fe52a2df62e136fdb4f78b0N.exe
2728	devbodec.exe
2708	1fbe87883fe52a2df62e136fdb4f78b0N.exe
2728	devbodec.exe
2708	1fbe87883fe52a2df62e136fdb4f78b0N.exe
2728	devbodec.exe
2708	1fbe87883fe52a2df62e136fdb4f78b0N.exe
2728	devbodec.exe
2708	1fbe87883fe52a2df62e136fdb4f78b0N.exe
2728	devbodec.exe
2708	1fbe87883fe52a2df62e136fdb4f78b0N.exe
2728	devbodec.exe
2708	1fbe87883fe52a2df62e136fdb4f78b0N.exe
2728	devbodec.exe
2708	1fbe87883fe52a2df62e136fdb4f78b0N.exe
2728	devbodec.exe
2708	1fbe87883fe52a2df62e136fdb4f78b0N.exe
2728	devbodec.exe
2708	1fbe87883fe52a2df62e136fdb4f78b0N.exe
2728	devbodec.exe
2708	1fbe87883fe52a2df62e136fdb4f78b0N.exe
2728	devbodec.exe
2708	1fbe87883fe52a2df62e136fdb4f78b0N.exe
2728	devbodec.exe
2708	1fbe87883fe52a2df62e136fdb4f78b0N.exe
2728	devbodec.exe
2708	1fbe87883fe52a2df62e136fdb4f78b0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2728	2708	1fbe87883fe52a2df62e136fdb4f78b0N.exe	30
PID 2708 wrote to memory of 2728	2708	1fbe87883fe52a2df62e136fdb4f78b0N.exe	30
PID 2708 wrote to memory of 2728	2708	1fbe87883fe52a2df62e136fdb4f78b0N.exe	30
PID 2708 wrote to memory of 2728	2708	1fbe87883fe52a2df62e136fdb4f78b0N.exe	30

C:\Users\Admin\AppData\Local\Temp\1fbe87883fe52a2df62e136fdb4f78b0N.exe
"C:\Users\Admin\AppData\Local\Temp\1fbe87883fe52a2df62e136fdb4f78b0N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Intelproc36\devbodec.exe
  C:\Intelproc36\devbodec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Mint1S\optixloc.exe

Filesize
443KB

MD5
dc898493948995d4ed58243ef79255bd

SHA1
79cb57d9a6cb3207b58c48730c630bdfbe50802c

SHA256
4a2585693c8c332313c57496229d3fa3ae0cefa526ba7b0cb4590932d52bdf33

SHA512
cda585212771648fb2a19787f0d41df3216f097dddb70c7ae65658dece98bb6fbf759cb3e82065287a922f2fe86aa80ff661a5d7b8551d267a6573a3f27f9b83

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
712c295c4d4d5ae81f6d80404e15daf1

SHA1
f4106038f1ba2a0b77a6ab773f6a0e7fecd4e1ff

SHA256
4684ab0ddb1adc86dab0c551e5d2c90141cc9506cf37a916856683c831b72579

SHA512
d9800d01de6ead758e3d11eb4a958d3677d70904bdeafdf99bd1216930b26a5d48692496f9609ab573d49bae7b446d62ce46f9e899bd13b4f562a9be2c0e3be7

Download Submit
\Intelproc36\devbodec.exe

Filesize
2.7MB

MD5
cb6b2066ac2424bf0e90e09c5064680e

SHA1
b0c93f81d431c97bd45f8bef0c57683e046da1da

SHA256
c45f366f2ed7e6c85ab4870b6422a11de3758276032eb1fba35fd997c9380ee8

SHA512
1b80ff71975fdc3affbd252cd1ea657af42057c9b43c4c0a675a1fe11b63650546627ecab2181b378f00d382cf2b0ba8057522510a35d68a0aba30f37919e9ae

Download Submit