f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
27/03/2024, 02:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
Size

2.7MB
MD5

59826a6b23948cd546c6974fbb87815c
SHA1

1f480d1c270d94a5b55bf0cc1bb6d4b5f83e6aab
SHA256

f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8
SHA512

33e129ff60abc7d941f142b63e52453328918d7a5a9e92ec5fda35ca173b82b48c7cfeb2be07a9f068f9a8b77038bfd738c3bdcfa980897633a85d8914138afa
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBh9w4Sx:+R0pI/IQlUoMPdmpSpd4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1632	devoptiec.exe

Loads dropped DLL 1 IoCs

pid	Process
1956	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBUT\\boddevloc.exe"	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotZ2\\devoptiec.exe"	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1956	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1956	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1632	devoptiec.exe
1956	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1632	devoptiec.exe
1956	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1632	devoptiec.exe
1956	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1632	devoptiec.exe
1956	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1632	devoptiec.exe
1956	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1632	devoptiec.exe
1956	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1632	devoptiec.exe
1956	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1632	devoptiec.exe
1956	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1632	devoptiec.exe
1956	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1632	devoptiec.exe
1956	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1632	devoptiec.exe
1956	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1632	devoptiec.exe
1956	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1632	devoptiec.exe
1956	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1632	devoptiec.exe
1956	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1632	devoptiec.exe
1956	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1632	devoptiec.exe
1956	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1632	devoptiec.exe
1956	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1632	devoptiec.exe
1956	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1632	devoptiec.exe
1956	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1632	devoptiec.exe
1956	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1632	devoptiec.exe
1956	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1632	devoptiec.exe
1956	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1632	devoptiec.exe
1956	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1632	devoptiec.exe
1956	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1632	devoptiec.exe
1956	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1632	devoptiec.exe
1956	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1632	devoptiec.exe
1956	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1632	devoptiec.exe
1956	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1632	devoptiec.exe
1956	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1632	devoptiec.exe
1956	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
1632	devoptiec.exe
1956	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 1632	1956	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe	28
PID 1956 wrote to memory of 1632	1956	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe	28
PID 1956 wrote to memory of 1632	1956	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe	28
PID 1956 wrote to memory of 1632	1956	f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe	28

C:\Users\Admin\AppData\Local\Temp\f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe
"C:\Users\Admin\AppData\Local\Temp\f67cf3057afe2e6cff7324a9756143815543030d24d64c459bc4f58918096fa8.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1956
- C:\UserDotZ2\devoptiec.exe
  C:\UserDotZ2\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBUT\boddevloc.exe

Filesize
2.7MB

MD5
36737a71e1456ae84165200f9df43c56

SHA1
6a57d72103d3fce6a68069b65f44054d10fa645b

SHA256
e8cba9eebe3c80ef3c97244fc0770c723496c501df7197143c8d6ebef9ad46de

SHA512
1d435fa530825de86b7660563930fba6225fc752708e30f56c385c1cd11237d5931cbccd619e1af979a2db8535d5f756de87573fd2df9bf6eb60eb9679f258cf

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
209B

MD5
c48b1ad32097fbaf75fe937d1bc3bd35

SHA1
f23d4a2cdde936b471d43324532325eeae57d329

SHA256
de29de39b2f735d6b8a7dc44ded49dfed5027e399fd70452497810230bdb10c2

SHA512
6ab709be6d2ed802dcfde00bd6c65c538e9b8967a09412bf6b5ffe9cd504fbfce701b835d3e1c96cdcbc6d13c1ad9bdb806f2e34aaf223889f35123a9ce05607

Download Submit
\UserDotZ2\devoptiec.exe

Filesize
2.7MB

MD5
1b7ca6512a91fa897549b9ad6e134132

SHA1
f2fd5d392a329018c4222148d84d408baba03b54

SHA256
ba760198c40397c4045220b032f861abbb7e5c28b973e2e5e8e79ac2f0caa807

SHA512
accd68e5db9d82d83e00d5287692b8a3d4b691f5920cb15c60a79820f26c3e665ceaa70ba0e01e11025ad52678e9241d834930beaab6d98878c222bf98a4514c

Download Submit