Analysis
max time kernel: 149s
max time network: 119s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 24-05-2024 03:43
Static task: static1
Behavioral task: behavioral1
  Sample: ca14e9a0e86dd792b300cca4d949bbf02d281801a8ebf8bc8ce90c0a912fd78e.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: ca14e9a0e86dd792b300cca4d949bbf02d281801a8ebf8bc8ce90c0a912fd78e.exe
  Resource: win10v2004-20240508-en
General
Target: ca14e9a0e86dd792b300cca4d949bbf02d281801a8ebf8bc8ce90c0a912fd78e.exe
Size: 2.7MB
MD5: 273e642d4691f49f50fa86fb22dd37dc
SHA1: cc1a05ad460a2468866c039c823c1a0ad05287b2
SHA256: ca14e9a0e86dd792b300cca4d949bbf02d281801a8ebf8bc8ce90c0a912fd78e
SHA512: 08f954cb4adcfa38c31e705a86cf69c9819bdedb0c81e855b51d435da2febc5f0d6e47d02855c49c2c96932b79875b5d0ad2bc226bac0411979a4274d4750d62
SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBp9w4Sx:+R0pI/IQlUoMPdmpSpp4
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: pid 2732 devoptisys.exe
- Loads dropped DLL (1 IoC)
  Processes: pid 2188 ca14e9a0e86dd792b300cca4d949bbf02d281801a8ebf8bc8ce90c0a912fd78e.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: ca14e9a0e86dd792b300cca4d949bbf02d281801a8ebf8bc8ce90c0a912fd78e.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesBS\\devoptisys.exe"
  Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax5U\\optidevloc.exe"
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: pid 2188 ca14e9a0e86dd792b300cca4d949bbf02d281801a8ebf8bc8ce90c0a912fd78e.exe and pid 2732 devoptisys.exe (all 64 entries refer to these two processes)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: PID 2188 (ca14e9a0e86dd792b300cca4d949bbf02d281801a8ebf8bc8ce90c0a912fd78e.exe) wrote to memory of PID 2732 (devoptisys.exe), recorded 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\ca14e9a0e86dd792b300cca4d949bbf02d281801a8ebf8bc8ce90c0a912fd78e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ca14e9a0e86dd792b300cca4d949bbf02d281801a8ebf8bc8ce90c0a912fd78e.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2188
  - C:\FilesBS\devoptisys.exe (child of PID 2188)
    Command line: C:\FilesBS\devoptisys.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID: 2732
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Galax5U\optidevloc.exe
  Filesize: 2.7MB
  MD5: eedcccc94fc2fcabb4ce745805db99d0
  SHA1: 0b3e27159d23bfe838bad0438c09d404ce4e32b8
  SHA256: e2472cd844a73bbcafcb7a697c2042c86b04678e1de9fe9e114a1ce53c379fc9
  SHA512: 1bf0d2a8eaa9baecdca3c8ed0360ed22eb1eacd65d6987f5cb144d3edcf95df4a7312d5c0ce68a06fec8e6547e3e225b33d3e12a50a53e6d07b92c79f5af9628
- C:\Users\Admin\253086396416_6.1_Admin.ini
  Filesize: 209B
  MD5: 49b020cb6d59dd9897b54aca58a2b912
  SHA1: 365eae96b5785ecbbd354443cff3729f14400115
  SHA256: d152e355a78002dd3b1f9f50d8cac8f8b9c0dcebac2f79f358383513926f1b5b
  SHA512: e9d773dc13a787b6f56e6bbd8ea5fec9abd27a849c817e53c129dfec7777491397e0c18d57099752f27aaff03d67b9385945c0a4552f655a8b45dfd0747372ea
- \FilesBS\devoptisys.exe
  Filesize: 2.7MB
  MD5: b43561c02528827b157caad1d613cf03
  SHA1: 97e14b8291c0853fa494124a996fb4d4e994f50e
  SHA256: d8aaef38b04eb82fa72db4b66243282765fcd6458ced6ee23a4d6a52c9306203
  SHA512: e91288fd5b7520d72674944eac37400aa0958ec94193c1c91e0a75dbc8fa96d95ca62a9a9e05da1dd01cc7ac0363aa0f9b58a7a83b623f658b01ea37489a69fe