347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375

Analysis

max time kernel
156s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2024, 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
Size

4.1MB
MD5

b8ed1b3a2bc6791d401ea206e54e3bb5
SHA1

658b531b12b91b5d4f3b07a6126096022f9fb7fe
SHA256

347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375
SHA512

2c2562132467365898623cee0b5e9d625d0354717e9ae6aed438396b576efa1ac39ae07f3716b0a6b65cf23377631d11bd72ea18ad0d6a574ca3574e53638683
SSDEEP

98304:+R0pI/IQlUoMPdmpSpV4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmi5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1280	devoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesMI\\devoptisys.exe"	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax44\\boddevloc.exe"	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1588	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
1588	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
1588	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
1588	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
1280	devoptisys.exe
1280	devoptisys.exe
1588	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
1588	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
1588	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
1588	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
1280	devoptisys.exe
1280	devoptisys.exe
1588	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
1588	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
1280	devoptisys.exe
1280	devoptisys.exe
1588	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
1588	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
1280	devoptisys.exe
1280	devoptisys.exe
1588	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
1588	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
1280	devoptisys.exe
1280	devoptisys.exe
1588	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
1588	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
1280	devoptisys.exe
1280	devoptisys.exe
1588	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
1588	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
1280	devoptisys.exe
1280	devoptisys.exe
1588	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
1588	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
1280	devoptisys.exe
1280	devoptisys.exe
1588	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
1588	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
1280	devoptisys.exe
1280	devoptisys.exe
1588	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
1588	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
1280	devoptisys.exe
1280	devoptisys.exe
1588	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
1588	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
1280	devoptisys.exe
1280	devoptisys.exe
1588	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
1588	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
1280	devoptisys.exe
1280	devoptisys.exe
1588	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
1588	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
1280	devoptisys.exe
1280	devoptisys.exe
1588	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
1588	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
1280	devoptisys.exe
1280	devoptisys.exe
1588	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
1588	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
1280	devoptisys.exe
1280	devoptisys.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 1280	1588	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe	94
PID 1588 wrote to memory of 1280	1588	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe	94
PID 1588 wrote to memory of 1280	1588	347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe	94

C:\Users\Admin\AppData\Local\Temp\347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe
"C:\Users\Admin\AppData\Local\Temp\347646b171fd21e266eb3f9dd5f9bcfa911b3f96b32ce65c9ee8b93f7685d375.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1588
- C:\FilesMI\devoptisys.exe
  C:\FilesMI\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2824 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesMI\devoptisys.exe

Filesize
4.1MB

MD5
e9c035dfba57183ed7b1c52081757efd

SHA1
4a4cd279e6d61bf9699c9b6fb7eb8c5e75e6223e

SHA256
cafecc488172806d830f6725589372235c33b8257b4c18b137814946c24581e7

SHA512
800b640455bf6aeba4e5553ca2a8e9455d835877c92f1541066a793ad8fa2f0979d366001c7ec58e74bd536f3937ab5c493946fd6066f3a615f557444d6cef7d

Download Submit
C:\Galax44\boddevloc.exe

Filesize
620KB

MD5
772f30c9c97bbba078efbe77109e28ad

SHA1
584d635fae21df0954a335e0b48d49ee6f20e327

SHA256
b8e213b0db4f7c8fee2cb37a22757ec52d39e4ad34af10d1cc9c31a495a90820

SHA512
2dd89f5819b7156c1b12f83342ec0a0ac1362f8b00e27eedd611f11368f820a3d5c758f8b77afa085b7d06d7661523855c0d0fe5b28296d2606f7d6cf05a5db2

Download Submit
C:\Galax44\boddevloc.exe

Filesize
4.1MB

MD5
f1ec0b6c3a0367c19b26b548b3ff297a

SHA1
468a8d4059c43d88776d2da7e5257089023f4795

SHA256
2dd246bbe01fc8d23dd3d02fd423f4fc5a6203843cb2a6c5d2838c41068b9f04

SHA512
613b181b9a185368bf418d1c7c497fc8c3c750d7006b3b954d1ded438ddeec825de82fa19602893843436a55acc54a67ae74059dafd09d611dba3efaf788e7da

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
dda4115e16f7911789b2fd3e8a32c464

SHA1
44176d9605b2cfe48b515e9c6da39013b1c57c26

SHA256
b31e6cda25815e4cc166fc775af858f4106ad504dc3e5ef51acbf394fd636026

SHA512
7d2fb207baa34cc2505b645bbce34e0e46d04f298c1fc3d83a25f48c1206137593ea97e5555fa2aa4cc8d78a88f0d3cb0dbbbe9a6d7b23786ecda263ee463ac7

Download Submit