920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
23/04/2024, 00:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe
Size

2.6MB
MD5

4f7e9f2731baff041df53f0e3dcb756f
SHA1

323aa384ed4f63f7cbf326d0e89e47a3ef3e7a59
SHA256

920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab
SHA512

1a1c2fe35083cafe1c0258e0c872e06f977a86c7bcc1bef4a55bf3c4a028fbbe8770d5bdf73f4644d3037c528893e8a646a040f8dfc548662716a7342e4e8d19
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBL9w4S:+R0pI/IQlUoMPdmpSpD4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2308	devoptiloc.exe

Loads dropped DLL 1 IoCs

pid	Process
1972	920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv4F\\devoptiloc.exe"	920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidNY\\bodaloc.exe"	920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1972	920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe
1972	920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe
2308	devoptiloc.exe
1972	920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe
2308	devoptiloc.exe
1972	920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe
2308	devoptiloc.exe
1972	920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe
2308	devoptiloc.exe
1972	920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe
2308	devoptiloc.exe
1972	920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe
2308	devoptiloc.exe
1972	920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe
2308	devoptiloc.exe
1972	920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe
2308	devoptiloc.exe
1972	920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe
2308	devoptiloc.exe
1972	920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe
2308	devoptiloc.exe
1972	920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe
2308	devoptiloc.exe
1972	920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe
2308	devoptiloc.exe
1972	920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe
2308	devoptiloc.exe
1972	920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe
2308	devoptiloc.exe
1972	920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe
2308	devoptiloc.exe
1972	920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe
2308	devoptiloc.exe
1972	920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe
2308	devoptiloc.exe
1972	920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe
2308	devoptiloc.exe
1972	920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe
2308	devoptiloc.exe
1972	920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe
2308	devoptiloc.exe
1972	920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe
2308	devoptiloc.exe
1972	920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe
2308	devoptiloc.exe
1972	920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe
2308	devoptiloc.exe
1972	920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe
2308	devoptiloc.exe
1972	920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe
2308	devoptiloc.exe
1972	920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe
2308	devoptiloc.exe
1972	920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe
2308	devoptiloc.exe
1972	920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe
2308	devoptiloc.exe
1972	920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe
2308	devoptiloc.exe
1972	920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe
2308	devoptiloc.exe
1972	920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe
2308	devoptiloc.exe
1972	920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2308	1972	920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe	28
PID 1972 wrote to memory of 2308	1972	920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe	28
PID 1972 wrote to memory of 2308	1972	920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe	28
PID 1972 wrote to memory of 2308	1972	920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe	28

C:\Users\Admin\AppData\Local\Temp\920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe
"C:\Users\Admin\AppData\Local\Temp\920f60bb87e6f63a202de93f1ed5bc2eaed4b9b93719c10d41c88f9c734b4aab.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1972
- C:\SysDrv4F\devoptiloc.exe
  C:\SysDrv4F\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
a08556e5e96323c99aff0476119b9aa1

SHA1
472a5cc4db0602bfa964055ece672e6611dcd0a1

SHA256
f95ffade87feeb06f06e9ff927549aaeee5e64bd9278c83ea3f0db70cdab4fed

SHA512
9cfe7906cd4a5340772b56f8278e415f4e82c3122d9f1ac70243bddb46736d8a806699a3194388122769b8280b7c8605029771b68e5562995a8335c02475d9ba

Download Submit
C:\VidNY\bodaloc.exe

Filesize
2.6MB

MD5
10bebb5552b28d823d17308f53473a0e

SHA1
9880559ded5cbcfc958effcab67043bdf390cbcf

SHA256
0249a0066cf5aa284b88126c4a62aa99910ae1c8d001f628888bf3f24c1ff373

SHA512
7a4b06dbde2641d12f6231413d0a6de7e10cc32e017c4fedf22f9b20c2a1d086d8a188239484d33c76dbed703e6ccedb2c97f8da5cecdbf99ae930df33ad192f

Download Submit
\SysDrv4F\devoptiloc.exe

Filesize
2.6MB

MD5
665385532cbb6553ede995551c9ae610

SHA1
dd5c135b0a48657583563c8ff28de4c3285232f7

SHA256
3623662e35d1060ae88564e4a1aa8c80b91638c9b18c06999940f3e766daaea8

SHA512
a6ca699472b1dd73728947c4cc5dd01bcf603c68939820fe6ac570a0bf3f34d033df075c6295f533e892a45bab14dfe464782f3f50d1066eff5074bf45732893

Download Submit