520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
19-09-2023 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
Size

2.6MB
MD5

008bddb8f6aaeb1ba1a98eedc5914b46
SHA1

b54a7b522990ae874b3b7ddf2adf700857e58fac
SHA256

520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02
SHA512

a9c9998c6f390c00062e5da41272821f51e7e361b95faa0a7d39729bd2d19e312285c228ed8a15f1172805d0da7a42ff94171f6f65906a827ff659242fe6567a
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBN9w4Su:+R0pI/IQlUoMPdmpSpF4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2624	devoptiec.exe

Loads dropped DLL 1 IoCs

pid	Process
2688	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid56\\dobdevsys.exe"	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotKT\\devoptiec.exe"	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2688	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
2688	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
2624	devoptiec.exe
2688	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
2624	devoptiec.exe
2688	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
2624	devoptiec.exe
2688	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
2624	devoptiec.exe
2688	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
2624	devoptiec.exe
2688	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
2624	devoptiec.exe
2688	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
2624	devoptiec.exe
2688	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
2624	devoptiec.exe
2688	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
2624	devoptiec.exe
2688	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
2624	devoptiec.exe
2688	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
2624	devoptiec.exe
2688	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
2624	devoptiec.exe
2688	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
2624	devoptiec.exe
2688	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
2624	devoptiec.exe
2688	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
2624	devoptiec.exe
2688	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
2624	devoptiec.exe
2688	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
2624	devoptiec.exe
2688	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
2624	devoptiec.exe
2688	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
2624	devoptiec.exe
2688	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
2624	devoptiec.exe
2688	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
2624	devoptiec.exe
2688	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
2624	devoptiec.exe
2688	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
2624	devoptiec.exe
2688	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
2624	devoptiec.exe
2688	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
2624	devoptiec.exe
2688	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
2624	devoptiec.exe
2688	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
2624	devoptiec.exe
2688	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
2624	devoptiec.exe
2688	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
2624	devoptiec.exe
2688	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
2624	devoptiec.exe
2688	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
2624	devoptiec.exe
2688	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2624	2688	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe	28
PID 2688 wrote to memory of 2624	2688	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe	28
PID 2688 wrote to memory of 2624	2688	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe	28
PID 2688 wrote to memory of 2624	2688	520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe	28

C:\Users\Admin\AppData\Local\Temp\520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe
"C:\Users\Admin\AppData\Local\Temp\520a142c6e9b05ef337c72280017569d984ae9212194a4bd52225ee832856a02.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2688
- C:\UserDotKT\devoptiec.exe
  C:\UserDotKT\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotKT\devoptiec.exe

Filesize
2.6MB

MD5
44f201327bbe90108e811c57b840ffaa

SHA1
79e6bf56c4d940654482fbd0cec654290f521baa

SHA256
3ced96b8405e77e5beb4e01612b9a9a5cd89461f1a21eab84dc86c3280d7cbe0

SHA512
404ee3a37ec633f90968459c916512f83e256380a0ed3e3d689798a02f1e16c189a53dc3a81a5f0495e49a5342063ebee8cc18c6c8d2ed488b219f29c5656118

Download Submit
C:\UserDotKT\devoptiec.exe

Filesize
2.6MB

MD5
44f201327bbe90108e811c57b840ffaa

SHA1
79e6bf56c4d940654482fbd0cec654290f521baa

SHA256
3ced96b8405e77e5beb4e01612b9a9a5cd89461f1a21eab84dc86c3280d7cbe0

SHA512
404ee3a37ec633f90968459c916512f83e256380a0ed3e3d689798a02f1e16c189a53dc3a81a5f0495e49a5342063ebee8cc18c6c8d2ed488b219f29c5656118

Download Submit
C:\UserDotKT\devoptiec.exe

Filesize
2.6MB

MD5
44f201327bbe90108e811c57b840ffaa

SHA1
79e6bf56c4d940654482fbd0cec654290f521baa

SHA256
3ced96b8405e77e5beb4e01612b9a9a5cd89461f1a21eab84dc86c3280d7cbe0

SHA512
404ee3a37ec633f90968459c916512f83e256380a0ed3e3d689798a02f1e16c189a53dc3a81a5f0495e49a5342063ebee8cc18c6c8d2ed488b219f29c5656118

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
dc6a9de8dfbcc0431cc8ac051933e123

SHA1
639caaf0a7c5d3624979990c45a2a296bb21c98a

SHA256
b57d3fa28ef8aab0707de6c667cdffbc32729f7cdbb6b4f6826ee2bcbabd377b

SHA512
7d262146cef8cc885fcd15587d651939964b847e075d38fa967a945f92fb9289ee1cbb17fdc3ab872403084a4619a8980b09616f94c94280fd3a0be4de363f04

Download Submit
C:\Vid56\dobdevsys.exe

Filesize
390KB

MD5
15bfb22dcf19f2b5dadde6f2e6bcbdfb

SHA1
82ec38d0180b73d89e08fc6d6e97176caf08bda9

SHA256
d8df8be3513d16539993b78342c3ba93348b194d8698994e3de596c62edc8579

SHA512
fcbbceee18f65474865a51e3aa436e42a951d835b13e54d84b07053739b66f243c2c2283efc2dd8cae126a3b4039b3a83c1f048000153a3ce8ec71dedc112aea

Download Submit
\UserDotKT\devoptiec.exe

Filesize
2.6MB

MD5
44f201327bbe90108e811c57b840ffaa

SHA1
79e6bf56c4d940654482fbd0cec654290f521baa

SHA256
3ced96b8405e77e5beb4e01612b9a9a5cd89461f1a21eab84dc86c3280d7cbe0

SHA512
404ee3a37ec633f90968459c916512f83e256380a0ed3e3d689798a02f1e16c189a53dc3a81a5f0495e49a5342063ebee8cc18c6c8d2ed488b219f29c5656118

Download Submit