Analysis

max time kernel: 149s
max time network: 99s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 02:35
Static task: static1

Behavioral task: behavioral1
  Sample: bd4e3b5bab2e6418e701ab52535bd2e87614bdef9fd56035bfbb6c1b84caaa58.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: bd4e3b5bab2e6418e701ab52535bd2e87614bdef9fd56035bfbb6c1b84caaa58.exe
  Resource: win10v2004-20240426-en
General

Target: bd4e3b5bab2e6418e701ab52535bd2e87614bdef9fd56035bfbb6c1b84caaa58.exe
Size: 2.7MB
MD5: 5d89ae3cd6222d228c977547475f9c89
SHA1: f583bd60397bc5d6f24f011cf2937e2289fb7f6a
SHA256: bd4e3b5bab2e6418e701ab52535bd2e87614bdef9fd56035bfbb6c1b84caaa58
SHA512: 4844606c204e258d68e83192e35e5abc147bbd31f4e2d027377d3b909891404936e025f0ba1cce02a0664d2ca5368bd4378b04c5b4428486a4b44386661ca240
SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB29w4Sx:+R0pI/IQlUoMPdmpSpI4
Signatures

Executes dropped EXE (1 IoC)
  Process: PID 1780  devoptiloc.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Registry writes performed by bd4e3b5bab2e6418e701ab52535bd2e87614bdef9fd56035bfbb6c1b84caaa58.exe (PID 1464):
  Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeWD\\devoptiloc.exe"
  Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidO0\\optixec.exe"

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  64 process-enumeration events, attributed alternately to PID 1464 (bd4e3b5bab2e6418e701ab52535bd2e87614bdef9fd56035bfbb6c1b84caaa58.exe) and PID 1780 (devoptiloc.exe).

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1464 (bd4e3b5bab2e6418e701ab52535bd2e87614bdef9fd56035bfbb6c1b84caaa58.exe) wrote to the memory of PID 1780 (devoptiloc.exe), three times.
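The two registry writes above are the durable indicators in this report: the Run value launches the copy that already ran (devoptiloc.exe), and the RunOnce value points at C:\VidO0\optixec.exe, which was dropped but never executed during the sandbox window and would only fire at the next logon. Both dropped files are the same 2.7MB as the sample yet hash differently from it and from each other, so hash-only matching is a weak detection; the value name "Parametr" and the attacker-created top-level directories are the more useful hunt keys. As an added example (not part of the sandbox report or of any tooling it describes), the following Python parses the sandbox's "Set value" lines into structured autorun records and flags targets outside the standard program directories. The first two input lines reproduce the report's writes; the third is a constructed benign HKLM entry for contrast, and the trusted-directory prefix list is a heuristic assumption, not a rule from the page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_EXE = "bd4e3b5bab2e6418e701ab52535bd2e87614bdef9fd56035bfbb6c1b84caaa58.exe"

# Constructed input. The first two lines reproduce, in the sandbox's own
# 'Set value (type) <key>\<name> = "<data>" <writing process>' format, the two
# registry writes the report attributes to the sample. The third line is a
# made-up benign HKLM Run entry included only for contrast; it is not from
# the report.
SAMPLE_LINES = [
    r"Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000"
    r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "
    r'"C:\\AdobeWD\\devoptiloc.exe" ' + SAMPLE_EXE,
    r"Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000"
    r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "
    r'"C:\\VidO0\\optixec.exe" ' + SAMPLE_EXE,
    r"Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
    r'\Run\OneDrive = "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" OneDriveSetup.exe',
]

LINE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) '
    r'(?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\ ]+) = '
    r'"(?P<data>(?:[^"\\]|\\.)*)" '
    r'(?P<writer>\S+)$'
)

AUTORUN_KEYS = {"RUN", "RUNONCE", "RUNONCEEX", "RUNSERVICES", "RUNSERVICESONCE"}

# Heuristic assumption: an autorun target under one of these prefixes is treated
# as ordinary software; anything else (here C:\AdobeWD and C:\VidO0, top-level
# directories with vendor-like names) is flagged for review.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


@dataclass
class AutorunWrite:
    hive: str        # HKLM or HKU\<SID>
    subkey: str      # e.g. SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    kind: str        # Run / RunOnce / ...
    name: str        # value name ("Parametr" in this report)
    target: str      # executable the value launches, backslashes unescaped
    writer: str      # process that performed the write
    suspicious: bool


def classify_key(key: str) -> Optional[Tuple[str, str, str]]:
    """Map a kernel-style \\REGISTRY\\... path to (hive, subkey, autorun kind),
    or None if the key is not one of the CurrentVersion\\Run* autorun keys."""
    parts = key.split("\\")          # ['', 'REGISTRY', 'USER' | 'MACHINE', ...]
    if len(parts) < 4 or parts[1].upper() != "REGISTRY":
        return None
    if parts[2].upper() == "MACHINE":
        hive, rest = "HKLM", parts[3:]
    elif parts[2].upper() == "USER":
        hive, rest = "HKU\\" + parts[3], parts[4:]
    else:
        return None
    if (len(rest) < 3 or rest[-3].upper() != "WINDOWS"
            or rest[-2].upper() != "CURRENTVERSION" or rest[-1].upper() not in AUTORUN_KEYS):
        return None
    return hive, "\\".join(rest), rest[-1]


def target_exe(data: str) -> str:
    """Extract the launched executable from value data, dropping surrounding
    quotes and any trailing arguments."""
    m = re.match(r'\s*"?([^"]+?\.exe)"?', data, re.I)
    return m.group(1) if m else data.strip()


def parse_autorun_writes(lines: List[str]) -> List[AutorunWrite]:
    """Turn sandbox 'Set value' lines into structured autorun records."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # not a registry write line
        info = classify_key(m.group("key"))
        if info is None:
            continue                      # a write, but not to an autorun key
        hive, subkey, kind = info
        # The sandbox escapes backslashes inside the quoted data ("C:\\AdobeWD\\...")
        target = target_exe(m.group("data").replace("\\\\", "\\"))
        records.append(AutorunWrite(
            hive=hive, subkey=subkey, kind=kind, name=m.group("name"),
            target=target, writer=m.group("writer"),
            suspicious=not target.lower().startswith(TRUSTED_PREFIXES),
        ))
    return records


def host_iocs(records: List[AutorunWrite]) -> List[Tuple[str, str]]:
    """(registry value, file path) pairs to check on a host; suspicious entries only."""
    return sorted({(r.hive + "\\" + r.subkey + "\\" + r.name, r.target)
                   for r in records if r.suspicious})


if __name__ == "__main__":
    for rec in parse_autorun_writes(SAMPLE_LINES):
        flag = "SUSPICIOUS" if rec.suspicious else "ok"
        print(f"{flag:10} {rec.hive}\\{rec.subkey}\\{rec.name} -> {rec.target} (written by {rec.writer})")
```

The output of host_iocs is what a responder checks on a suspect host: the value under the user's Run and RunOnce keys and the file each one launches. The trusted-prefix heuristic is deliberately narrow; legitimate software also registers autoruns from user-writable locations such as AppData, so a flagged entry is a lead to verify (hash the file, check its signer), not a verdict.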
Processes

PID 1464  C:\Users\Admin\AppData\Local\Temp\bd4e3b5bab2e6418e701ab52535bd2e87614bdef9fd56035bfbb6c1b84caaa58.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bd4e3b5bab2e6418e701ab52535bd2e87614bdef9fd56035bfbb6c1b84caaa58.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  PID 1780  C:\AdobeWD\devoptiloc.exe  (child of PID 1464)
    Command line: C:\AdobeWD\devoptiloc.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Downloads

C:\AdobeWD\devoptiloc.exe
  Filesize: 2.7MB
  MD5: 1a252c57f7fe3e13eb46531fda10c085
  SHA1: 37ef9e0d8ec415dcad521820eb4de55e7d49eee4
  SHA256: 1467fabbf3bec52e86ac9389c023e380a6f0b7b9d83c3047480afa495c37d330
  SHA512: 7d4cbef5e211d9a73f8841ebac858a1a41d1c6ed932e4f7995f38413c81e42cd38a2b95234bdf90ca28c98b3a89f1bbeb175999b2e7a88a8c3c4c8288fba01e6

C:\Users\Admin\253086396416_10.0_Admin.ini
  Filesize: 204B
  MD5: 3e4c0212a26b2278c7d38b4dd242d595
  SHA1: 0eb088f65ee83fd9bb41f929038282067ac5b278
  SHA256: 6a53f5847c4a522307b47a2149a9764549fdb5b355507dc8610639a43ec8f476
  SHA512: bce608c4d7c00eb37229a06782937b8c79be054f3bab4ad6e421191628b66760bbe4f1ccc5e32ff8f485e8ebd5de5537cdfc481b62499bfe768dac3f565d20d6

C:\VidO0\optixec.exe
  Filesize: 2.7MB
  MD5: 4f09f4641469b3e8151cf90b798ba14b
  SHA1: c9e70c2c9301f18e258c288cbcd774eb3c406f62
  SHA256: a9800c39a8550c7012893e5e12a17d2cc439814b90e09bea440f1b1b4169543b
  SHA512: c98c9e0b2219ed35803ad196d3fb99ef04ad20d142e95136d342e45bfa7ac8b8585c06b9f40f390e46c95641f590a5e148246f1c3d7553b7edf464e7f85299b5