ab4a72a17f51c517a72586cb5b6b42f4ccc520228992e292c3acc13374f6b004

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
29/04/2024, 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19214e8008da660d4ea2906e0a543985.exe
Size

4.1MB
MD5

19214e8008da660d4ea2906e0a543985
SHA1

bc358b8a093c67cd4d5b11bf27bdc61213bcf293
SHA256

ab4a72a17f51c517a72586cb5b6b42f4ccc520228992e292c3acc13374f6b004
SHA512

10ca5d1b8440e80c7ad1e1d39699dd39d08b1a7a5eeb2717e401e87bfed8660b874d6d1e38eeb3ec2a8bf5da0c1efad577395947a933b02ecc485b4b56861980
SSDEEP

98304:+R0pI/IQlUoMPdmpSpN4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmK5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2412	devoptiloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2944	19214e8008da660d4ea2906e0a543985.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvVP\\devoptiloc.exe"	19214e8008da660d4ea2906e0a543985.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintKX\\dobdevsys.exe"	19214e8008da660d4ea2906e0a543985.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2944	19214e8008da660d4ea2906e0a543985.exe
2944	19214e8008da660d4ea2906e0a543985.exe
2412	devoptiloc.exe
2944	19214e8008da660d4ea2906e0a543985.exe
2412	devoptiloc.exe
2944	19214e8008da660d4ea2906e0a543985.exe
2412	devoptiloc.exe
2944	19214e8008da660d4ea2906e0a543985.exe
2412	devoptiloc.exe
2944	19214e8008da660d4ea2906e0a543985.exe
2412	devoptiloc.exe
2944	19214e8008da660d4ea2906e0a543985.exe
2412	devoptiloc.exe
2944	19214e8008da660d4ea2906e0a543985.exe
2412	devoptiloc.exe
2944	19214e8008da660d4ea2906e0a543985.exe
2412	devoptiloc.exe
2944	19214e8008da660d4ea2906e0a543985.exe
2412	devoptiloc.exe
2944	19214e8008da660d4ea2906e0a543985.exe
2412	devoptiloc.exe
2944	19214e8008da660d4ea2906e0a543985.exe
2412	devoptiloc.exe
2944	19214e8008da660d4ea2906e0a543985.exe
2412	devoptiloc.exe
2944	19214e8008da660d4ea2906e0a543985.exe
2412	devoptiloc.exe
2944	19214e8008da660d4ea2906e0a543985.exe
2412	devoptiloc.exe
2944	19214e8008da660d4ea2906e0a543985.exe
2412	devoptiloc.exe
2944	19214e8008da660d4ea2906e0a543985.exe
2412	devoptiloc.exe
2944	19214e8008da660d4ea2906e0a543985.exe
2412	devoptiloc.exe
2944	19214e8008da660d4ea2906e0a543985.exe
2412	devoptiloc.exe
2944	19214e8008da660d4ea2906e0a543985.exe
2412	devoptiloc.exe
2944	19214e8008da660d4ea2906e0a543985.exe
2412	devoptiloc.exe
2944	19214e8008da660d4ea2906e0a543985.exe
2412	devoptiloc.exe
2944	19214e8008da660d4ea2906e0a543985.exe
2412	devoptiloc.exe
2944	19214e8008da660d4ea2906e0a543985.exe
2412	devoptiloc.exe
2944	19214e8008da660d4ea2906e0a543985.exe
2412	devoptiloc.exe
2944	19214e8008da660d4ea2906e0a543985.exe
2412	devoptiloc.exe
2944	19214e8008da660d4ea2906e0a543985.exe
2412	devoptiloc.exe
2944	19214e8008da660d4ea2906e0a543985.exe
2412	devoptiloc.exe
2944	19214e8008da660d4ea2906e0a543985.exe
2412	devoptiloc.exe
2944	19214e8008da660d4ea2906e0a543985.exe
2412	devoptiloc.exe
2944	19214e8008da660d4ea2906e0a543985.exe
2412	devoptiloc.exe
2944	19214e8008da660d4ea2906e0a543985.exe
2412	devoptiloc.exe
2944	19214e8008da660d4ea2906e0a543985.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 2412	2944	19214e8008da660d4ea2906e0a543985.exe	28
PID 2944 wrote to memory of 2412	2944	19214e8008da660d4ea2906e0a543985.exe	28
PID 2944 wrote to memory of 2412	2944	19214e8008da660d4ea2906e0a543985.exe	28
PID 2944 wrote to memory of 2412	2944	19214e8008da660d4ea2906e0a543985.exe	28

C:\Users\Admin\AppData\Local\Temp\19214e8008da660d4ea2906e0a543985.exe
"C:\Users\Admin\AppData\Local\Temp\19214e8008da660d4ea2906e0a543985.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2944
- C:\SysDrvVP\devoptiloc.exe
  C:\SysDrvVP\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintKX\dobdevsys.exe

Filesize
4.1MB

MD5
24a0cce16d6e9cdd62c60c93c4812e98

SHA1
baecc186ea95d410c17bc8f2bae5116de44defe0

SHA256
ccea081b162d47261a468973b54d1fbc86f520e8a7b6a99141490e43c4ee2b39

SHA512
ac433d4865b3301c57475c89427e6bb03621e74d652554e0bab78bb4e0987c01640fcb3ebb723198602c787b49507165a8c8859784a68292136f177e1b127a9b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
5f7aedc7aa03e79a922f7becc924f3ca

SHA1
9800407b64fb8540e92c48a65c8a5b1391295794

SHA256
ddcb6418b3cc1c2c6178c2e6f4e1adc38a7a925407cd9ed51b09ccec2b98daac

SHA512
e94fa3e4f38cc86d5b3c5585f6afce1936a85de5dcc051f1b509b0ecf2c32f145f1383063d99d3f56dad04ea5aaa9de1c10715f85c694ff82842c7cdc10ff8a3

Download Submit
\SysDrvVP\devoptiloc.exe

Filesize
4.1MB

MD5
421f357024e37c057a3db16504a0c3cf

SHA1
796b0657d0dcb0ed8d8cf12144b7ef5cdb3e98d7

SHA256
09de32cb5db213429c16cfa7566bddcc20b133b2c1be9382c5e1a119d8c146cc

SHA512
4cc0121df81de386171fe8937c6a89c794079232cfacff3641ff80fe973200465654ba43b36f395b7011708eb368b83ee94101b36676f7a8e7d01f124d8fbb2e

Download Submit