90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 09:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225.exe
Size

2.6MB
MD5

89a005f926d5bc0d8740a04dbb09c0c7
SHA1

30532cad3f617476b2e41a22d76f56b29e7dcea7
SHA256

90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225
SHA512

7fd270a1c6dc8eee612d3312c883f80b5653bf4c1a99be91e4d954c01b22e658a747b97fb16452f4d31889daf3592d9fd5cdf5c9ea3eed964cf721ff8cfbfe00
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBK9w4SW:+R0pI/IQlUoMPdmpSpM4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2108	devoptiec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocL9\\devoptiec.exe"	90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBE4\\optialoc.exe"	90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4748	90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225.exe
4748	90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225.exe
4748	90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225.exe
4748	90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225.exe
2108	devoptiec.exe
2108	devoptiec.exe
4748	90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225.exe
4748	90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225.exe
4748	90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225.exe
4748	90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225.exe
2108	devoptiec.exe
2108	devoptiec.exe
4748	90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225.exe
4748	90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225.exe
2108	devoptiec.exe
2108	devoptiec.exe
4748	90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225.exe
4748	90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225.exe
2108	devoptiec.exe
2108	devoptiec.exe
4748	90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225.exe
4748	90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225.exe
2108	devoptiec.exe
2108	devoptiec.exe
4748	90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225.exe
4748	90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225.exe
2108	devoptiec.exe
2108	devoptiec.exe
4748	90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225.exe
4748	90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225.exe
2108	devoptiec.exe
2108	devoptiec.exe
4748	90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225.exe
4748	90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225.exe
2108	devoptiec.exe
2108	devoptiec.exe
4748	90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225.exe
4748	90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225.exe
2108	devoptiec.exe
2108	devoptiec.exe
4748	90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225.exe
4748	90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225.exe
2108	devoptiec.exe
2108	devoptiec.exe
4748	90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225.exe
4748	90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225.exe
2108	devoptiec.exe
2108	devoptiec.exe
4748	90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225.exe
4748	90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225.exe
2108	devoptiec.exe
2108	devoptiec.exe
4748	90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225.exe
4748	90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225.exe
2108	devoptiec.exe
2108	devoptiec.exe
4748	90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225.exe
4748	90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225.exe
2108	devoptiec.exe
2108	devoptiec.exe
4748	90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225.exe
4748	90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225.exe
2108	devoptiec.exe
2108	devoptiec.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 2108	4748	90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225.exe	87
PID 4748 wrote to memory of 2108	4748	90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225.exe	87
PID 4748 wrote to memory of 2108	4748	90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225.exe	87

C:\Users\Admin\AppData\Local\Temp\90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225.exe
"C:\Users\Admin\AppData\Local\Temp\90ea9bfd9b5867411fc95f060e99f88749c45325a4e9379d15ec37b021fe4225.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4748
- C:\IntelprocL9\devoptiec.exe
  C:\IntelprocL9\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocL9\devoptiec.exe

Filesize
2.6MB

MD5
bd43b58e65b4c7973989c049a3f099d3

SHA1
90c2fcd2726a64ba21467825a182a042fcab6f97

SHA256
064a4965452400cfd5d6fa3bf2408247382a789ea6989473d382fe345344ef98

SHA512
35f8ca6c8bd062ecc58737a2c7b58a94b75f83033587dba90a9b30d270c5dedbae097f8edf47e33aedf73451f8430ed981450124d17b437914c1d71df7754bbc

Download Submit
C:\IntelprocL9\devoptiec.exe

Filesize
2.6MB

MD5
bd43b58e65b4c7973989c049a3f099d3

SHA1
90c2fcd2726a64ba21467825a182a042fcab6f97

SHA256
064a4965452400cfd5d6fa3bf2408247382a789ea6989473d382fe345344ef98

SHA512
35f8ca6c8bd062ecc58737a2c7b58a94b75f83033587dba90a9b30d270c5dedbae097f8edf47e33aedf73451f8430ed981450124d17b437914c1d71df7754bbc

Download Submit
C:\KaVBE4\optialoc.exe

Filesize
477KB

MD5
fb7cb7c47330bc43154fab4cde0c7ccd

SHA1
19ed5a0d2d89bed66885efd5f0638260dc1ba5ca

SHA256
38abd4f009f3d74c89d33fb9ab6022fe449975c207af6d6e18b27fb504b5966c

SHA512
dd24d6ead07c8006fc647a14e67bf86f66831b5cf54d55ce7a3ff1a8b45153d5c1d4ca984af106bb88325e809c71cfe3137ae1d69068f874a6ed2549162fb432

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
194B

MD5
c5a674e452d8ec01de4908262812b903

SHA1
cc1186822c08fdf07d80cbc3c2835cdb628cdb8f

SHA256
44fb71a9082fda5b748dc5707b73e00be4da23288f6802dfcb6b456f58787647

SHA512
819d7aadc25d35f4f20de8fa51cec8f69243d71f1dbeeb2b9bbf9c5950f2f189997689c3313e56b672ee4ab5ad43fb8483f0f95177d7f9f992df7066d8303cce

Download Submit