f76e4d8f343a9af5e001cd4a5e53b9fed3927aa78835a5475bcd5589945fccfd

Analysis

max time kernel
119s
max time network
20s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2020ab78454a57d508b645482ee6a130N.exe
Size

2.7MB
MD5

2020ab78454a57d508b645482ee6a130
SHA1

893ae98eb1944a7de5569199796254123b717541
SHA256

f76e4d8f343a9af5e001cd4a5e53b9fed3927aa78835a5475bcd5589945fccfd
SHA512

1270ce5a2205373c3092ee5e82fc2623807db42d9627848ecb2f4593bbd25d668e37be56e8fc1f80ac454789dd443af531a19b1e29c7d2b2fd9594021dd75a64
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBp9w4Sx:+R0pI/IQlUoMPdmpSpN4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2736	devbodec.exe

Loads dropped DLL 1 IoCs

pid	Process
2612	2020ab78454a57d508b645482ee6a130N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB6E\\optidevsys.exe"	2020ab78454a57d508b645482ee6a130N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesL8\\devbodec.exe"	2020ab78454a57d508b645482ee6a130N.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin$ 88)<)$7)516\$1+:7;7.<$16,7?;$<):<�-6=$:7\:)5;$<):<=8$sysdevdob.exe	2020ab78454a57d508b645482ee6a130N.exe
File created	C:\Users\Admin$ 88)<)$7)516\$1+:7;7.<$16,7?;$<):<�-6=$:7\:)5;$<):<=8$sysdevdob.exe	devbodec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2612	2020ab78454a57d508b645482ee6a130N.exe
2612	2020ab78454a57d508b645482ee6a130N.exe
2736	devbodec.exe
2612	2020ab78454a57d508b645482ee6a130N.exe
2736	devbodec.exe
2612	2020ab78454a57d508b645482ee6a130N.exe
2736	devbodec.exe
2612	2020ab78454a57d508b645482ee6a130N.exe
2736	devbodec.exe
2612	2020ab78454a57d508b645482ee6a130N.exe
2736	devbodec.exe
2612	2020ab78454a57d508b645482ee6a130N.exe
2736	devbodec.exe
2612	2020ab78454a57d508b645482ee6a130N.exe
2736	devbodec.exe
2612	2020ab78454a57d508b645482ee6a130N.exe
2736	devbodec.exe
2612	2020ab78454a57d508b645482ee6a130N.exe
2736	devbodec.exe
2612	2020ab78454a57d508b645482ee6a130N.exe
2736	devbodec.exe
2612	2020ab78454a57d508b645482ee6a130N.exe
2736	devbodec.exe
2612	2020ab78454a57d508b645482ee6a130N.exe
2736	devbodec.exe
2612	2020ab78454a57d508b645482ee6a130N.exe
2736	devbodec.exe
2612	2020ab78454a57d508b645482ee6a130N.exe
2736	devbodec.exe
2612	2020ab78454a57d508b645482ee6a130N.exe
2736	devbodec.exe
2612	2020ab78454a57d508b645482ee6a130N.exe
2736	devbodec.exe
2612	2020ab78454a57d508b645482ee6a130N.exe
2736	devbodec.exe
2612	2020ab78454a57d508b645482ee6a130N.exe
2736	devbodec.exe
2612	2020ab78454a57d508b645482ee6a130N.exe
2736	devbodec.exe
2612	2020ab78454a57d508b645482ee6a130N.exe
2736	devbodec.exe
2612	2020ab78454a57d508b645482ee6a130N.exe
2736	devbodec.exe
2612	2020ab78454a57d508b645482ee6a130N.exe
2736	devbodec.exe
2612	2020ab78454a57d508b645482ee6a130N.exe
2736	devbodec.exe
2612	2020ab78454a57d508b645482ee6a130N.exe
2736	devbodec.exe
2612	2020ab78454a57d508b645482ee6a130N.exe
2736	devbodec.exe
2612	2020ab78454a57d508b645482ee6a130N.exe
2736	devbodec.exe
2612	2020ab78454a57d508b645482ee6a130N.exe
2736	devbodec.exe
2612	2020ab78454a57d508b645482ee6a130N.exe
2736	devbodec.exe
2612	2020ab78454a57d508b645482ee6a130N.exe
2736	devbodec.exe
2612	2020ab78454a57d508b645482ee6a130N.exe
2736	devbodec.exe
2612	2020ab78454a57d508b645482ee6a130N.exe
2736	devbodec.exe
2612	2020ab78454a57d508b645482ee6a130N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 2736	2612	2020ab78454a57d508b645482ee6a130N.exe	30
PID 2612 wrote to memory of 2736	2612	2020ab78454a57d508b645482ee6a130N.exe	30
PID 2612 wrote to memory of 2736	2612	2020ab78454a57d508b645482ee6a130N.exe	30
PID 2612 wrote to memory of 2736	2612	2020ab78454a57d508b645482ee6a130N.exe	30

C:\Users\Admin\AppData\Local\Temp\2020ab78454a57d508b645482ee6a130N.exe
"C:\Users\Admin\AppData\Local\Temp\2020ab78454a57d508b645482ee6a130N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2612
- C:\FilesL8\devbodec.exe
  C:\FilesL8\devbodec.exe
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVB6E\optidevsys.exe

Filesize
2.7MB

MD5
f10930d3cabb1d65457e5e8b9a798029

SHA1
95f4afe2b0dd422971623436f801a21abc886f3f

SHA256
1bd0d58ae8eb867e806b6b06d6726cadc5ff23b99a4d29425bda5abbd7daa305

SHA512
ce7261df6dfbd25d467c278e2511d3d6a55a659606010e8ab3c72b1eb6c6dea45cee158850bce1b134c12f60ab75a15c0f2659d738514ca50eac99931439932d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
550294db391ee5d339228960974388f7

SHA1
b5f5e327c20c8783d4b2f92dfde3d00fd6cfdc96

SHA256
a93f0256b36096edb1cf71bdf8ef86549ece80526acf8c0fdb36e71c5451a10f

SHA512
bf094328fa3d3e1681d21b90f2c5f2f89f0d11c0220bd6a9bf9dbaed4d7994b93c582556f0de2c16b846d00e62e1aaddf039e431e0527435cef9ab21b2c0cbde

Download Submit
\FilesL8\devbodec.exe

Filesize
2.7MB

MD5
7b5be06f9a23a07facb6c14b7b672bcd

SHA1
c3fcaae2dbd26f8392df786c4f0b39e2220d95a1

SHA256
b570f8c156a2cffe1556fe08cb8eec8a4f708f2d652c86cc08f4e866b0caf82b

SHA512
9f00b4ef19ad3bb2a7ac09af6779ffc917d52c204a3a21217302b10ee948f223186edb220c4c09740b18e1486d483186a2bc09d5aefa9301ce1a819612aced99

Download Submit