d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
Size

2.7MB
MD5

71699b8a4d6581b361f4f739be428259
SHA1

a99801a2db6c921471d030730acf8b482b4583b8
SHA256

d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511
SHA512

1c39b537900f2c9cb29952152dff0e3ea92d8993d742d7c93a101d0a4547ea8799477d6dac5f403cd03a073bc7d226589dac14fd3021bb3b56e269f5a75ecd01
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB89w4Sx:+R0pI/IQlUoMPdmpSp+4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3872	devoptiloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeN3\\devoptiloc.exe"	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxYH\\optidevec.exe"	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5088	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
5088	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
5088	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
5088	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
3872	devoptiloc.exe
3872	devoptiloc.exe
5088	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
5088	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
3872	devoptiloc.exe
3872	devoptiloc.exe
5088	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
5088	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
3872	devoptiloc.exe
3872	devoptiloc.exe
5088	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
5088	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
3872	devoptiloc.exe
3872	devoptiloc.exe
5088	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
5088	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
3872	devoptiloc.exe
3872	devoptiloc.exe
5088	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
5088	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
3872	devoptiloc.exe
3872	devoptiloc.exe
5088	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
5088	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
3872	devoptiloc.exe
3872	devoptiloc.exe
5088	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
5088	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
3872	devoptiloc.exe
3872	devoptiloc.exe
5088	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
5088	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
3872	devoptiloc.exe
3872	devoptiloc.exe
5088	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
5088	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
3872	devoptiloc.exe
3872	devoptiloc.exe
5088	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
5088	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
3872	devoptiloc.exe
3872	devoptiloc.exe
5088	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
5088	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
3872	devoptiloc.exe
3872	devoptiloc.exe
5088	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
5088	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
3872	devoptiloc.exe
3872	devoptiloc.exe
5088	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
5088	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
3872	devoptiloc.exe
3872	devoptiloc.exe
5088	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
5088	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
3872	devoptiloc.exe
3872	devoptiloc.exe
5088	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
5088	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 3872	5088	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe	81
PID 5088 wrote to memory of 3872	5088	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe	81
PID 5088 wrote to memory of 3872	5088	d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe	81

C:\Users\Admin\AppData\Local\Temp\d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe
"C:\Users\Admin\AppData\Local\Temp\d1d35fdb9289e32a2a80b47a25a5b9afd8cffa42b3db14e920de09734ab96511.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5088
- C:\AdobeN3\devoptiloc.exe
  C:\AdobeN3\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeN3\devoptiloc.exe

Filesize
2.7MB

MD5
fe3fb780b1a3448612d74335337cca77

SHA1
c5582261818ef32360fca905d4b66d94a911b80d

SHA256
8aada33c86a7cb09a0a4811390f9ffac7c023be158f0e05a4e5dda8e2376ff9a

SHA512
3d1639aad35fd6af040745098aee360a22dc8689c3e34b440580bd50fb9857c8751eba91b9b112135935dacec5ada02e451aab4b8d428849995a94d7d3daf928

Download Submit
C:\GalaxYH\optidevec.exe

Filesize
2KB

MD5
7716dac85663bf0b072d4598eaf2c693

SHA1
908dc808004756550c268a1a538e7c8f766985a4

SHA256
d1fc8369581393c58434375e1753b1fb525ac09bf460a4c48ccd3060f0034d7c

SHA512
e956d956df58264a3bd9a1c99b35d9c2a9323d98c94e97e0eb3962888fb137d30f4648f2791ee22d2d231076bb58717997f5757d86bbdde79ee0dffb9b0688ab

Download Submit
C:\GalaxYH\optidevec.exe

Filesize
2.7MB

MD5
a3dc58c0c4dad867f4ae8ad9787f74bb

SHA1
d7ff592e05920781edbedcd5f0651dec3bfe14c3

SHA256
b84bedfb9c713d8948894183f32ba5ecd159ceeb97df4b152761ff01324ae84a

SHA512
2244f47c01a874acc8f08152267b981571d63ea821c54980ae8ed048e5e6e3855f4f4e5ed16e9bb9c0b1f769b28de0d58aa119e5e991ff03146852f9bf021f6f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
207B

MD5
2f3521bb7bba81dbbcdbde046ea8cc8a

SHA1
e93ca4a1da3f51ef5c0f4ca198ec36b1b5feab0b

SHA256
bd1fc18c607be75f99beec7739f43328bfd0d528bbd69558aee246415d0e964d

SHA512
1474d3ef0fbf374c2718f4ed5b504652a4e8c2bd5718218ce903ab098a5893389ca55cae39367e417e24be9974b8dc7e7ec0d57dfc178d2966af78a240473fb0

Download Submit