39f034d4dd9ca8d367d061d3a1270ef826791a667290fd655ff95a2796f5c02c

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52651501c0616f78ba07fb2ae0227520N.exe
Size

2.7MB
MD5

52651501c0616f78ba07fb2ae0227520
SHA1

022d99693bccacab214c286836da586412b01e7f
SHA256

39f034d4dd9ca8d367d061d3a1270ef826791a667290fd655ff95a2796f5c02c
SHA512

3733d71c205c53947e39ad6a31314709708f96e78eba43f01b1736db2844c268bc5dbf422b19ef40089266ef57834151ae598dd43294d8fd040bc6ff09bc7dca
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB79w4S+:+R0pI/IQlUoMPdmpSpP4X

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2108	devbodloc.exe

Loads dropped DLL 1 IoCs

pid	Process
1648	52651501c0616f78ba07fb2ae0227520N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocUN\\devbodloc.exe"	52651501c0616f78ba07fb2ae0227520N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB5W\\optiasys.exe"	52651501c0616f78ba07fb2ae0227520N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1648	52651501c0616f78ba07fb2ae0227520N.exe
1648	52651501c0616f78ba07fb2ae0227520N.exe
2108	devbodloc.exe
1648	52651501c0616f78ba07fb2ae0227520N.exe
2108	devbodloc.exe
1648	52651501c0616f78ba07fb2ae0227520N.exe
2108	devbodloc.exe
1648	52651501c0616f78ba07fb2ae0227520N.exe
2108	devbodloc.exe
1648	52651501c0616f78ba07fb2ae0227520N.exe
2108	devbodloc.exe
1648	52651501c0616f78ba07fb2ae0227520N.exe
2108	devbodloc.exe
1648	52651501c0616f78ba07fb2ae0227520N.exe
2108	devbodloc.exe
1648	52651501c0616f78ba07fb2ae0227520N.exe
2108	devbodloc.exe
1648	52651501c0616f78ba07fb2ae0227520N.exe
2108	devbodloc.exe
1648	52651501c0616f78ba07fb2ae0227520N.exe
2108	devbodloc.exe
1648	52651501c0616f78ba07fb2ae0227520N.exe
2108	devbodloc.exe
1648	52651501c0616f78ba07fb2ae0227520N.exe
2108	devbodloc.exe
1648	52651501c0616f78ba07fb2ae0227520N.exe
2108	devbodloc.exe
1648	52651501c0616f78ba07fb2ae0227520N.exe
2108	devbodloc.exe
1648	52651501c0616f78ba07fb2ae0227520N.exe
2108	devbodloc.exe
1648	52651501c0616f78ba07fb2ae0227520N.exe
2108	devbodloc.exe
1648	52651501c0616f78ba07fb2ae0227520N.exe
2108	devbodloc.exe
1648	52651501c0616f78ba07fb2ae0227520N.exe
2108	devbodloc.exe
1648	52651501c0616f78ba07fb2ae0227520N.exe
2108	devbodloc.exe
1648	52651501c0616f78ba07fb2ae0227520N.exe
2108	devbodloc.exe
1648	52651501c0616f78ba07fb2ae0227520N.exe
2108	devbodloc.exe
1648	52651501c0616f78ba07fb2ae0227520N.exe
2108	devbodloc.exe
1648	52651501c0616f78ba07fb2ae0227520N.exe
2108	devbodloc.exe
1648	52651501c0616f78ba07fb2ae0227520N.exe
2108	devbodloc.exe
1648	52651501c0616f78ba07fb2ae0227520N.exe
2108	devbodloc.exe
1648	52651501c0616f78ba07fb2ae0227520N.exe
2108	devbodloc.exe
1648	52651501c0616f78ba07fb2ae0227520N.exe
2108	devbodloc.exe
1648	52651501c0616f78ba07fb2ae0227520N.exe
2108	devbodloc.exe
1648	52651501c0616f78ba07fb2ae0227520N.exe
2108	devbodloc.exe
1648	52651501c0616f78ba07fb2ae0227520N.exe
2108	devbodloc.exe
1648	52651501c0616f78ba07fb2ae0227520N.exe
2108	devbodloc.exe
1648	52651501c0616f78ba07fb2ae0227520N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 2108	1648	52651501c0616f78ba07fb2ae0227520N.exe	31
PID 1648 wrote to memory of 2108	1648	52651501c0616f78ba07fb2ae0227520N.exe	31
PID 1648 wrote to memory of 2108	1648	52651501c0616f78ba07fb2ae0227520N.exe	31
PID 1648 wrote to memory of 2108	1648	52651501c0616f78ba07fb2ae0227520N.exe	31

C:\Users\Admin\AppData\Local\Temp\52651501c0616f78ba07fb2ae0227520N.exe
"C:\Users\Admin\AppData\Local\Temp\52651501c0616f78ba07fb2ae0227520N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1648
- C:\IntelprocUN\devbodloc.exe
  C:\IntelprocUN\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVB5W\optiasys.exe

Filesize
2.7MB

MD5
33d6d058d6631b3240e4e52872b84756

SHA1
3251b652a4850ef015745dbc8d9065eb03d93645

SHA256
91a21c6a19a29679c4496b62525fa9f2e57fbf2df5de7e2742dba784255a7788

SHA512
dcefd806190b03e614dee825b49d9c7c2ac06cc86e723709c5a5f9837d4c4da69a53e8063e8a142588864e76486d850b4d83b9f6400fe2337bbfcf9648d02bb6

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
209B

MD5
82a8407ce6a9d8dcae21f5747581bc85

SHA1
ce97bda0cd2eff7238064d136e3310fcb0825a1f

SHA256
3e771d974981f40b18e66611306a1b3bf246d85af5d1759f0a149768638678a2

SHA512
e35d1ec42b583b0d35197cc9563c9eaa3c0baf74fe83b9dfd4e3f7dc2f07af183cb2791ce0ed0527e79bc5d7a9bdee78bea55dcd3c63bf23a8a5038fe4db716f

Download Submit
\IntelprocUN\devbodloc.exe

Filesize
2.7MB

MD5
0bd24946759920decc8c7f04f2934aec

SHA1
9281437e6e881ebda9ebdd239ba8679df5fd404f

SHA256
8268c2a6cd012fc0f2fc511086f3b834586f67abcfe56b23bc1a1847fcea02a2

SHA512
98bb6ba2dd2e1142e1f708c2170f16e3477cf56ac646c1099238e55120b1402abfb5a799e5decf4b4d5619656424ef66ade6dc66b0c5f1a16d24f23f47a770cb

Download Submit