d8ec67bd2273a145593101576349db37e709fe7b16a7f529578b7426e045cc29

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
Size

2.7MB
MD5

033ed44a2f1841cce29d91d7ee4909d0
SHA1

23851ff70880505dc2c12a76e0bb0a879c692a9b
SHA256

d8ec67bd2273a145593101576349db37e709fe7b16a7f529578b7426e045cc29
SHA512

d19baf28cfb1f007fedbed7f99dad6ece4604db9c0e2a3e2219c49640313146338ca37f6ee470b7707d5f2f35ef164badf54ae594a0c4191c7f5d42670a49d93
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBR9w4Sx:+R0pI/IQlUoMPdmpSpF4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2480	devoptiec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files66\\devoptiec.exe"	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxRF\\dobdevsys.exe"	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3884	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
3884	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
3884	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
3884	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2480	devoptiec.exe
2480	devoptiec.exe
3884	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
3884	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2480	devoptiec.exe
2480	devoptiec.exe
3884	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
3884	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2480	devoptiec.exe
2480	devoptiec.exe
3884	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
3884	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2480	devoptiec.exe
2480	devoptiec.exe
3884	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
3884	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2480	devoptiec.exe
2480	devoptiec.exe
3884	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
3884	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2480	devoptiec.exe
2480	devoptiec.exe
3884	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
3884	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2480	devoptiec.exe
2480	devoptiec.exe
3884	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
3884	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2480	devoptiec.exe
2480	devoptiec.exe
3884	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
3884	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2480	devoptiec.exe
2480	devoptiec.exe
3884	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
3884	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2480	devoptiec.exe
2480	devoptiec.exe
3884	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
3884	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2480	devoptiec.exe
2480	devoptiec.exe
3884	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
3884	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2480	devoptiec.exe
2480	devoptiec.exe
3884	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
3884	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2480	devoptiec.exe
2480	devoptiec.exe
3884	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
3884	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2480	devoptiec.exe
2480	devoptiec.exe
3884	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
3884	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
2480	devoptiec.exe
2480	devoptiec.exe
3884	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
3884	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3884 wrote to memory of 2480	3884	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe	88
PID 3884 wrote to memory of 2480	3884	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe	88
PID 3884 wrote to memory of 2480	3884	virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe	88

C:\Users\Admin\AppData\Local\Temp\virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
"C:\Users\Admin\AppData\Local\Temp\virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3884
- C:\Files66\devoptiec.exe
  C:\Files66\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files66\devoptiec.exe

Filesize
2.7MB

MD5
0977c136782c6eb88970fabadb28ce89

SHA1
96563c31e022e8e52091296f972809ee0b04274c

SHA256
33921fe4a18f0cd1b96c4ac1ce9c873c279a241fca4d773635efa98e5a5bf16a

SHA512
2572b7bf50ce252f26c69af4c39cd335fd612b89afb87ffe60eec2fdf56b5f11a3439377a435672ff7b55c7da9a9a039e5f1f73823e93f4a37d185c76887bdbe

Download Submit
C:\GalaxRF\dobdevsys.exe

Filesize
2.7MB

MD5
a1a2992d7d71ea69bd1e5c34f9f7f8dc

SHA1
809d9bddae3ddbaec017dfd805e6e331da0d0683

SHA256
2d30c30c827b31d7d5f0a78504427a8d98de26064b0c287ab74109f2833dd3fa

SHA512
f3b0bb8891227f1710efdc1ee9df8dbfd4532cebfad1b6728266f3a915a544c2ea5224366661d437a8379e65b949b0a2b718cc8309796329db620af510d6ba7c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
cbf6b68a326182d9248e88edd7b70e86

SHA1
ab37dfb2dceb35b5c8f234f217e3485f51454c19

SHA256
36d6aad71546f912aa812b3748657a0f9582cd95eace9f0e1b06ef4c4d1525f3

SHA512
0036d69edde4a51ea884b7f9d3d2db28294c157ea8239b77bc0834d79dc9a098b8305128468dcc5fb3a34cd00723c1eb7fd2e33757dafb85684f6b959ef00f99

Download Submit