Analysis
max time kernel: 149s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-05-2024 02:19
Static task: static1
Behavioral task: behavioral1
  Sample: 08c03a107e01abe2e51a294473af5a9dc6a92badb0c28f224ded0b47076269ee.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 08c03a107e01abe2e51a294473af5a9dc6a92badb0c28f224ded0b47076269ee.exe
  Resource: win10v2004-20240426-en
General
Target: 08c03a107e01abe2e51a294473af5a9dc6a92badb0c28f224ded0b47076269ee.exe
Size: 2.7MB
MD5: 0e7bce639bd393d4a617ecc9aca895eb
SHA1: 4982239b2e18dd4587905436cd0e14770ca2c0c7
SHA256: 08c03a107e01abe2e51a294473af5a9dc6a92badb0c28f224ded0b47076269ee
SHA512: 10eeda7c7a19ad7c5a6150d02c7d2c520b820fa0e4aeccaaaf8394e9ad1d7fab54b5c8c5422672d3c760fba9b1beca8b40185b5b932730cf33dee072a12826d3
SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBb9w4Sx:+R0pI/IQlUoMPdmpSpP4
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Processes: devoptiloc.exe
  pid   process
  4628  devoptiloc.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 08c03a107e01abe2e51a294473af5a9dc6a92badb0c28f224ded0b47076269ee.exe
  description      ioc                                                                                                                        process
  Set value (str)  \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesML\\devoptiloc.exe"        08c03a107e01abe2e51a294473af5a9dc6a92badb0c28f224ded0b47076269ee.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxRF\\boddevec.exe"     08c03a107e01abe2e51a294473af5a9dc6a92badb0c28f224ded0b47076269ee.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 08c03a107e01abe2e51a294473af5a9dc6a92badb0c28f224ded0b47076269ee.exe, devoptiloc.exe
  pid   process                                                                   entries
  3604  08c03a107e01abe2e51a294473af5a9dc6a92badb0c28f224ded0b47076269ee.exe     34
  4628  devoptiloc.exe                                                            30
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: 08c03a107e01abe2e51a294473af5a9dc6a92badb0c28f224ded0b47076269ee.exe
  description                        pid   process                                                                   target process
  PID 3604 wrote to memory of 4628   3604  08c03a107e01abe2e51a294473af5a9dc6a92badb0c28f224ded0b47076269ee.exe     devoptiloc.exe
  PID 3604 wrote to memory of 4628   3604  08c03a107e01abe2e51a294473af5a9dc6a92badb0c28f224ded0b47076269ee.exe     devoptiloc.exe
  PID 3604 wrote to memory of 4628   3604  08c03a107e01abe2e51a294473af5a9dc6a92badb0c28f224ded0b47076269ee.exe     devoptiloc.exe
Processes

C:\Users\Admin\AppData\Local\Temp\08c03a107e01abe2e51a294473af5a9dc6a92badb0c28f224ded0b47076269ee.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\08c03a107e01abe2e51a294473af5a9dc6a92badb0c28f224ded0b47076269ee.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 3604

  C:\FilesML\devoptiloc.exe
    Command line: C:\FilesML\devoptiloc.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 4628
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\FilesML\devoptiloc.exe
  Filesize: 2.7MB
  MD5: 2d7f0e48ffcfcc167e025bee6ba0c8f0
  SHA1: ba017de7da439349e3dac73035728ff18975c0ef
  SHA256: 7863681df16f6165344b4572272eed4b88f7cfe4bbd45f9d45ad1779fe7b37be
  SHA512: 59b481566d7032b17776d8951dfbf9f8733c092005277b0731b7b8fc631b19f059e885d1852f3ae318e022133468fb20b4bf06a23be2788beb6223aedf4c5915

C:\GalaxRF\boddevec.exe
  Filesize: 2.7MB
  MD5: 1566af83306befc481fb42e51ab33702
  SHA1: 32503550543b9b3d22b53581c852bb12f019a3d3
  SHA256: 8fad91f6d98b0cb79bb84289126edd3216c01202b0d31395c1bdafee6175f657
  SHA512: f572baefc4b5bd08ef492c4f19e8eb03337a8f438f906363571636ac1ad8df4bcbf5676d551ec179c0e49bc5ee2c40f8691c52389657d745075539746b4d3226

C:\Users\Admin\253086396416_10.0_Admin.ini
  Filesize: 208B
  MD5: 2f187e0abe8e0d53941d474fee563271
  SHA1: d673ba66e95736d03c2f76d2726311489502c925
  SHA256: 4823d8620954156c6d8b2ac507f2b8e9ac5ff7efa40405f9877b17cc9e6b7dd7
  SHA512: 072c5f9a46b33467c3e6339f5356cd4170ca92e5b8b8c17472b4bf1e6a17518bc31f1ddb85c88c335527526c61b76e19ab7e2ff3e1027792c6345a2d1854e0da