f54e312123bddb6f9e8315110d39f82548810b9f6a8d201a5e78fe845b2a7929

Analysis

max time kernel
120s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f17bd7b2520c597a322478e44bb55b0N.exe
Size

2.7MB
MD5

8f17bd7b2520c597a322478e44bb55b0
SHA1

7ed056d5b0e40284a303363080ab2d6a4265205f
SHA256

f54e312123bddb6f9e8315110d39f82548810b9f6a8d201a5e78fe845b2a7929
SHA512

1dc5e22bea5de35ac936fe5c9566500af9def6399faced2d7517b997bbbaa81f6baf31d3455d7bea28f1815498eae05608702bb0b53b28214cc5e33705a6243a
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBz9w4Sx:+R0pI/IQlUoMPdmpSpT4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2728	devbodloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2388	8f17bd7b2520c597a322478e44bb55b0N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe75\\devbodloc.exe"	8f17bd7b2520c597a322478e44bb55b0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBHT\\optixloc.exe"	8f17bd7b2520c597a322478e44bb55b0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2388	8f17bd7b2520c597a322478e44bb55b0N.exe
2388	8f17bd7b2520c597a322478e44bb55b0N.exe
2728	devbodloc.exe
2388	8f17bd7b2520c597a322478e44bb55b0N.exe
2728	devbodloc.exe
2388	8f17bd7b2520c597a322478e44bb55b0N.exe
2728	devbodloc.exe
2388	8f17bd7b2520c597a322478e44bb55b0N.exe
2728	devbodloc.exe
2388	8f17bd7b2520c597a322478e44bb55b0N.exe
2728	devbodloc.exe
2388	8f17bd7b2520c597a322478e44bb55b0N.exe
2728	devbodloc.exe
2388	8f17bd7b2520c597a322478e44bb55b0N.exe
2728	devbodloc.exe
2388	8f17bd7b2520c597a322478e44bb55b0N.exe
2728	devbodloc.exe
2388	8f17bd7b2520c597a322478e44bb55b0N.exe
2728	devbodloc.exe
2388	8f17bd7b2520c597a322478e44bb55b0N.exe
2728	devbodloc.exe
2388	8f17bd7b2520c597a322478e44bb55b0N.exe
2728	devbodloc.exe
2388	8f17bd7b2520c597a322478e44bb55b0N.exe
2728	devbodloc.exe
2388	8f17bd7b2520c597a322478e44bb55b0N.exe
2728	devbodloc.exe
2388	8f17bd7b2520c597a322478e44bb55b0N.exe
2728	devbodloc.exe
2388	8f17bd7b2520c597a322478e44bb55b0N.exe
2728	devbodloc.exe
2388	8f17bd7b2520c597a322478e44bb55b0N.exe
2728	devbodloc.exe
2388	8f17bd7b2520c597a322478e44bb55b0N.exe
2728	devbodloc.exe
2388	8f17bd7b2520c597a322478e44bb55b0N.exe
2728	devbodloc.exe
2388	8f17bd7b2520c597a322478e44bb55b0N.exe
2728	devbodloc.exe
2388	8f17bd7b2520c597a322478e44bb55b0N.exe
2728	devbodloc.exe
2388	8f17bd7b2520c597a322478e44bb55b0N.exe
2728	devbodloc.exe
2388	8f17bd7b2520c597a322478e44bb55b0N.exe
2728	devbodloc.exe
2388	8f17bd7b2520c597a322478e44bb55b0N.exe
2728	devbodloc.exe
2388	8f17bd7b2520c597a322478e44bb55b0N.exe
2728	devbodloc.exe
2388	8f17bd7b2520c597a322478e44bb55b0N.exe
2728	devbodloc.exe
2388	8f17bd7b2520c597a322478e44bb55b0N.exe
2728	devbodloc.exe
2388	8f17bd7b2520c597a322478e44bb55b0N.exe
2728	devbodloc.exe
2388	8f17bd7b2520c597a322478e44bb55b0N.exe
2728	devbodloc.exe
2388	8f17bd7b2520c597a322478e44bb55b0N.exe
2728	devbodloc.exe
2388	8f17bd7b2520c597a322478e44bb55b0N.exe
2728	devbodloc.exe
2388	8f17bd7b2520c597a322478e44bb55b0N.exe
2728	devbodloc.exe
2388	8f17bd7b2520c597a322478e44bb55b0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2728	2388	8f17bd7b2520c597a322478e44bb55b0N.exe	29
PID 2388 wrote to memory of 2728	2388	8f17bd7b2520c597a322478e44bb55b0N.exe	29
PID 2388 wrote to memory of 2728	2388	8f17bd7b2520c597a322478e44bb55b0N.exe	29
PID 2388 wrote to memory of 2728	2388	8f17bd7b2520c597a322478e44bb55b0N.exe	29

C:\Users\Admin\AppData\Local\Temp\8f17bd7b2520c597a322478e44bb55b0N.exe
"C:\Users\Admin\AppData\Local\Temp\8f17bd7b2520c597a322478e44bb55b0N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Adobe75\devbodloc.exe
  C:\Adobe75\devbodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBHT\optixloc.exe

Filesize
2.7MB

MD5
5ea6d399f401cf5d127598096a964837

SHA1
619502a22c41f8d4e6e58449f9e5296b81fdcf40

SHA256
e9240167b85489f88e0286938b3cfacb3a7fd97a3bce63987c732ad7735fbbf8

SHA512
5508824a80b9726e214d2bd66a6f7048ac4fb8c08680c4b6f598b87e28ee2902b695fd1a525eb59e4e00c7ad7c6977b7d60165ae667980fed5ef1c5f90627d64

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
b38ae8111a3e33d75f518bc366e90213

SHA1
285deadb8ff09a9180857fbc83a8af6609524508

SHA256
543b4d1861e35a48292ea30487c0f5aed7d84ff7a315f0efb032936015c7f2e0

SHA512
ebba2df53c9c6bc9562ec3a6b92252ed57b3c0ca4c59e98ee5d65bb64ca26e91ba877c1c3b69f0d2e2daf629461f4a1c7c3c3923abefc26de7b1e8082c5faee1

Download Submit
\Adobe75\devbodloc.exe

Filesize
2.7MB

MD5
fcd8ffeac170b3c2e4bac4d81c39afa5

SHA1
2ae1e5671d04f87e333dd071216682b8e536a8cc

SHA256
dddad6bcb12a19f23a2dc2d5c03a2bbba5f8e56521d35ea32245a682e853c3b4

SHA512
7a2e7fe343064b4b2b2c25ea3a209e347653865c90d5d58f56f0fc3c6e416992ad428a42982e6102a3310f0f3c715cc484807d2c0993bc55e160ff24c3bf436f

Download Submit