Analysis
- max time kernel: 149s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/05/2024, 18:57
Static task: static1
Behavioral task: behavioral1
- Sample: virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
- Resource: win10v2004-20240426-en
General
- Target: virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
- Size: 2.7MB
- MD5: 033ed44a2f1841cce29d91d7ee4909d0
- SHA1: 23851ff70880505dc2c12a76e0bb0a879c692a9b
- SHA256: d8ec67bd2273a145593101576349db37e709fe7b16a7f529578b7426e045cc29
- SHA512: d19baf28cfb1f007fedbed7f99dad6ece4604db9c0e2a3e2219c49640313146338ca37f6ee470b7707d5f2f35ef164badf54ae594a0c4191c7f5d42670a49d93
- SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBR9w4Sx:+R0pI/IQlUoMPdmpSpF4
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 2480, process devoptiec.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files66\\devoptiec.exe" by process virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxRF\\dobdevsys.exe" by process virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  All 64 entries name one of two processes: pid 3884 (virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe) and pid 2480 (devoptiec.exe), alternating throughout the run
- Suspicious use of WriteProcessMemory (3 IoCs)
  Three identical entries: PID 3884 (virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe) wrote to memory of PID 2480, procid_target 88
Processes
- C:\Users\Admin\AppData\Local\Temp\virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe (tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\virussign.com_033ed44a2f1841cce29d91d7ee4909d0.exe"
  PID: 3884
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Files66\devoptiec.exe (tree depth 2, child of PID 3884)
    Command line: C:\Files66\devoptiec.exe
    PID: 2480
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  Filesize: 2.7MB
  MD5: 0977c136782c6eb88970fabadb28ce89
  SHA1: 96563c31e022e8e52091296f972809ee0b04274c
  SHA256: 33921fe4a18f0cd1b96c4ac1ce9c873c279a241fca4d773635efa98e5a5bf16a
  SHA512: 2572b7bf50ce252f26c69af4c39cd335fd612b89afb87ffe60eec2fdf56b5f11a3439377a435672ff7b55c7da9a9a039e5f1f73823e93f4a37d185c76887bdbe
- File 2
  Filesize: 2.7MB
  MD5: a1a2992d7d71ea69bd1e5c34f9f7f8dc
  SHA1: 809d9bddae3ddbaec017dfd805e6e331da0d0683
  SHA256: 2d30c30c827b31d7d5f0a78504427a8d98de26064b0c287ab74109f2833dd3fa
  SHA512: f3b0bb8891227f1710efdc1ee9df8dbfd4532cebfad1b6728266f3a915a544c2ea5224366661d437a8379e65b949b0a2b718cc8309796329db620af510d6ba7c
- File 3
  Filesize: 206B
  MD5: cbf6b68a326182d9248e88edd7b70e86
  SHA1: ab37dfb2dceb35b5c8f234f217e3485f51454c19
  SHA256: 36d6aad71546f912aa812b3748657a0f9582cd95eace9f0e1b06ef4c4d1525f3
  SHA512: 0036d69edde4a51ea884b7f9d3d2db28294c157ea8239b77bc0834d79dc9a098b8305128468dcc5fb3a34cd00723c1eb7fd2e33757dafb85684f6b959ef00f99