6a6d25b59a269e523d2d4d0e47912c992e4373499e89a0bae42d9ce8a7be28ab

Analysis

max time kernel
156s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2023, 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

854ab0eaafd74df028d3865369114e70_JC.exe
Size

4.1MB
MD5

854ab0eaafd74df028d3865369114e70
SHA1

44a3877986b72a4afc75a29cfb73b36267789b32
SHA256

6a6d25b59a269e523d2d4d0e47912c992e4373499e89a0bae42d9ce8a7be28ab
SHA512

93a5afbdaa7427eb56c41038bab72d99f08f34cf460e27274965491422116019d2642466e839c81781bb1979b8289eeddf145d13cff5ba855e840dff96012fd7
SSDEEP

98304:+R0pI/IQlUoMPdmpSpD4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmk5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4464	devoptiec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotX2\\devoptiec.exe"	854ab0eaafd74df028d3865369114e70_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxSC\\optixec.exe"	854ab0eaafd74df028d3865369114e70_JC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
860	854ab0eaafd74df028d3865369114e70_JC.exe
860	854ab0eaafd74df028d3865369114e70_JC.exe
860	854ab0eaafd74df028d3865369114e70_JC.exe
860	854ab0eaafd74df028d3865369114e70_JC.exe
4464	devoptiec.exe
4464	devoptiec.exe
860	854ab0eaafd74df028d3865369114e70_JC.exe
860	854ab0eaafd74df028d3865369114e70_JC.exe
860	854ab0eaafd74df028d3865369114e70_JC.exe
860	854ab0eaafd74df028d3865369114e70_JC.exe
4464	devoptiec.exe
4464	devoptiec.exe
860	854ab0eaafd74df028d3865369114e70_JC.exe
860	854ab0eaafd74df028d3865369114e70_JC.exe
4464	devoptiec.exe
4464	devoptiec.exe
860	854ab0eaafd74df028d3865369114e70_JC.exe
860	854ab0eaafd74df028d3865369114e70_JC.exe
4464	devoptiec.exe
4464	devoptiec.exe
860	854ab0eaafd74df028d3865369114e70_JC.exe
860	854ab0eaafd74df028d3865369114e70_JC.exe
4464	devoptiec.exe
4464	devoptiec.exe
860	854ab0eaafd74df028d3865369114e70_JC.exe
860	854ab0eaafd74df028d3865369114e70_JC.exe
4464	devoptiec.exe
4464	devoptiec.exe
860	854ab0eaafd74df028d3865369114e70_JC.exe
860	854ab0eaafd74df028d3865369114e70_JC.exe
4464	devoptiec.exe
4464	devoptiec.exe
860	854ab0eaafd74df028d3865369114e70_JC.exe
860	854ab0eaafd74df028d3865369114e70_JC.exe
4464	devoptiec.exe
4464	devoptiec.exe
860	854ab0eaafd74df028d3865369114e70_JC.exe
860	854ab0eaafd74df028d3865369114e70_JC.exe
4464	devoptiec.exe
4464	devoptiec.exe
860	854ab0eaafd74df028d3865369114e70_JC.exe
860	854ab0eaafd74df028d3865369114e70_JC.exe
4464	devoptiec.exe
4464	devoptiec.exe
860	854ab0eaafd74df028d3865369114e70_JC.exe
860	854ab0eaafd74df028d3865369114e70_JC.exe
4464	devoptiec.exe
4464	devoptiec.exe
860	854ab0eaafd74df028d3865369114e70_JC.exe
860	854ab0eaafd74df028d3865369114e70_JC.exe
4464	devoptiec.exe
4464	devoptiec.exe
860	854ab0eaafd74df028d3865369114e70_JC.exe
860	854ab0eaafd74df028d3865369114e70_JC.exe
4464	devoptiec.exe
4464	devoptiec.exe
860	854ab0eaafd74df028d3865369114e70_JC.exe
860	854ab0eaafd74df028d3865369114e70_JC.exe
4464	devoptiec.exe
4464	devoptiec.exe
860	854ab0eaafd74df028d3865369114e70_JC.exe
860	854ab0eaafd74df028d3865369114e70_JC.exe
4464	devoptiec.exe
4464	devoptiec.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 4464	860	854ab0eaafd74df028d3865369114e70_JC.exe	89
PID 860 wrote to memory of 4464	860	854ab0eaafd74df028d3865369114e70_JC.exe	89
PID 860 wrote to memory of 4464	860	854ab0eaafd74df028d3865369114e70_JC.exe	89

C:\Users\Admin\AppData\Local\Temp\854ab0eaafd74df028d3865369114e70_JC.exe
"C:\Users\Admin\AppData\Local\Temp\854ab0eaafd74df028d3865369114e70_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:860
- C:\UserDotX2\devoptiec.exe
  C:\UserDotX2\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxSC\optixec.exe

Filesize
4.1MB

MD5
6222f8dfae2705bf6a540b6bc261401c

SHA1
fe1e1002822304319313e2a2ff288990ea3da7fa

SHA256
23e15ed63686b32ed562c02da40ceb246989ddfa5b50bb8fe3b2d2f785ce9c84

SHA512
443a0831aef8e0baed0ecb3096bb3f4c251cedd1188d878367767a5a28b2e629d602f70789f891f03549e6e2c3ff851d200ce236b4b823d99f6d30f38574651b

Download Submit
C:\GalaxSC\optixec.exe

Filesize
4.1MB

MD5
6222f8dfae2705bf6a540b6bc261401c

SHA1
fe1e1002822304319313e2a2ff288990ea3da7fa

SHA256
23e15ed63686b32ed562c02da40ceb246989ddfa5b50bb8fe3b2d2f785ce9c84

SHA512
443a0831aef8e0baed0ecb3096bb3f4c251cedd1188d878367767a5a28b2e629d602f70789f891f03549e6e2c3ff851d200ce236b4b823d99f6d30f38574651b

Download Submit
C:\UserDotX2\devoptiec.exe

Filesize
4.1MB

MD5
f50ab655037128317585a64ed9309127

SHA1
c47c71b449ac2b8312dbb6bfd19e290f40851926

SHA256
e78b83da87e500e555f955b62b16158144fd8e13197445825ce348551a2044e5

SHA512
307b4bd6b00be63fe2bd4738af3ab6ce6f7c2878e7e4918aa122949d99b70e08f203f88db2edbe4d39aca38eb9e7469308fae704cf04f4d13d1edcc657fe075c

Download Submit
C:\UserDotX2\devoptiec.exe

Filesize
4.1MB

MD5
f50ab655037128317585a64ed9309127

SHA1
c47c71b449ac2b8312dbb6bfd19e290f40851926

SHA256
e78b83da87e500e555f955b62b16158144fd8e13197445825ce348551a2044e5

SHA512
307b4bd6b00be63fe2bd4738af3ab6ce6f7c2878e7e4918aa122949d99b70e08f203f88db2edbe4d39aca38eb9e7469308fae704cf04f4d13d1edcc657fe075c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
04efa241038a46d2a0e0fa3aa3b75b56

SHA1
b3ecb8d22e0daa08694ebc0afb6dce0f14512e2c

SHA256
01add794ce091f13ee67688ef83e52d045d35707c9032b0f72f085ba9cb44e0c

SHA512
c76d47df2afb1821b65731c5c7ecc680411fe829e9b62231f487087e647aaa8c6fc8376bec42627a9afcf76b46d4ea629a709a41a50cf834992ce7af2ebee465

Download Submit