e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af

Analysis

max time kernel
149s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 05:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af.exe
Size

2.7MB
MD5

9e5da2de72a46d7b3a3b52c87f9e2f58
SHA1

a6d0baaaeb79c59354e3b4f86a8fd8c0e02c5b99
SHA256

e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af
SHA512

b6c21a3c01753103d8d3eba3336c3fe56dc4289b8d6e7ac993ae8de024323b9163690bf1a78a6d7878b5a4a061fbc15e6ef1b5fd5ce5134d288f2035c2134048
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBO9w4Sx:+R0pI/IQlUoMPdmpSpc4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3128	devoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvJU\\devoptisys.exe"	e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintMB\\dobdevloc.exe"	e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1400	e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af.exe
1400	e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af.exe
1400	e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af.exe
1400	e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af.exe
3128	devoptisys.exe
3128	devoptisys.exe
1400	e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af.exe
1400	e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af.exe
3128	devoptisys.exe
3128	devoptisys.exe
1400	e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af.exe
1400	e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af.exe
3128	devoptisys.exe
3128	devoptisys.exe
1400	e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af.exe
1400	e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af.exe
3128	devoptisys.exe
3128	devoptisys.exe
1400	e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af.exe
1400	e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af.exe
3128	devoptisys.exe
3128	devoptisys.exe
1400	e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af.exe
1400	e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af.exe
3128	devoptisys.exe
3128	devoptisys.exe
1400	e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af.exe
1400	e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af.exe
3128	devoptisys.exe
3128	devoptisys.exe
1400	e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af.exe
1400	e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af.exe
3128	devoptisys.exe
3128	devoptisys.exe
1400	e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af.exe
1400	e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af.exe
3128	devoptisys.exe
3128	devoptisys.exe
1400	e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af.exe
1400	e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af.exe
3128	devoptisys.exe
3128	devoptisys.exe
1400	e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af.exe
1400	e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af.exe
3128	devoptisys.exe
3128	devoptisys.exe
1400	e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af.exe
1400	e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af.exe
3128	devoptisys.exe
3128	devoptisys.exe
1400	e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af.exe
1400	e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af.exe
3128	devoptisys.exe
3128	devoptisys.exe
1400	e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af.exe
1400	e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af.exe
3128	devoptisys.exe
3128	devoptisys.exe
1400	e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af.exe
1400	e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af.exe
3128	devoptisys.exe
3128	devoptisys.exe
1400	e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af.exe
1400	e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 3128	1400	e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af.exe	87
PID 1400 wrote to memory of 3128	1400	e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af.exe	87
PID 1400 wrote to memory of 3128	1400	e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af.exe	87

C:\Users\Admin\AppData\Local\Temp\e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af.exe
"C:\Users\Admin\AppData\Local\Temp\e434ab8f221e27b2a9d8b900111a28211e59b4cd375b65337ec611f5143900af.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1400
- C:\SysDrvJU\devoptisys.exe
  C:\SysDrvJU\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintMB\dobdevloc.exe

Filesize
1.3MB

MD5
e46e541bb915fbe3b5ec566185b9bc4e

SHA1
e2e040b0a9d36c774a2ec1b5a344b11578fe92fa

SHA256
ec0622819f2f6e0d8e974f8117182df2924009751d7fbc095e92286aa88a0580

SHA512
077e8e564ca2f2ea1042d01f946f561096c2ac53097903942e1aa1890bca3e76bc37c0f14d12d710eebe40e4a1aeab0542ab924c698aa8c68672c2521ad5e310

Download Submit
C:\MintMB\dobdevloc.exe

Filesize
2.7MB

MD5
8bf1e11db01c8c3a18ba80f511d4d768

SHA1
f091908c2625d6f93e1ae2ba7c5f1b4d3ff7c09b

SHA256
e49629fea00ba713c5b373988304e0087b16fafd7c770e83b07159694884b6d1

SHA512
a56f4c10309547176c737b8086dc82cf8ccffabcd9e4f3e7e93840cf6d7b7d864bd1c26dcd49141e15d9d604ee24bb253dcb5dea76ffdaae25f8cdb8b47b771a

Download Submit
C:\SysDrvJU\devoptisys.exe

Filesize
2.7MB

MD5
0e3bb48cbf8ca8b79b99a5bd90fd648f

SHA1
01b0fad14348a12d652d189f687e07d245871763

SHA256
98a5352d4251be016d6d15612fb0554604cd81a0862508529fc0cf0af646444d

SHA512
6241ecb1cd47f341a980dbd3defe628955e6d761a077403b2a2444d2a06b34d1aef6c69a714423a7db46bc91f60cfaaa0c28cd42908683cad702a30068d7c206

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
207B

MD5
fa7e5e14ad9d4fb535111ff613d43002

SHA1
0768a02f050d4606ac1718ec6206072d9f10c7c5

SHA256
f4f3a17e3e7a6c2e432ba0843fd866c6178bf4f5af62ff7cabbdc9f68b5df806

SHA512
467ba9138ff7e50d0a96e0457e231850fb0cd92a8224d3efc8b5367260a94eadce1b5fcdb0fecd187c51f8350ba969cba3f91a1ed2b46233258248d473855445

Download Submit