Analysis
max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 28-05-2024 20:07
Static task: static1
Behavioral task: behavioral1
  Sample: virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
  Resource: win10v2004-20240508-en
General
Target: virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
Size: 2.7MB
MD5: 572673098cc48a13cf80cd2ca6c9c2f0
SHA1: 40eda75d7a03de4f4ebbd6d170c921799a5b28a8
SHA256: e0b34d95f9dce958e106e9922e51a2a2a957d5bc693a8ddc531169affaa11c2c
SHA512: fc1a06801fe74ceafdd51372a8c20f80f7cdf3119b109e4b37e4dc0357d0dbac07c929b3dc115c74010a49c7d25dc6cc908f47ed854bdafb621b48291cd40489
SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBc9w4Sx:+R0pI/IQlUoMPdmpSpy4
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid: 1780  Process: devoptiloc.exe
Loads dropped DLL (1 IoC)
  pid: 2324  Process: virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvF1\\devoptiloc.exe"  Process: virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBMM\\optidevec.exe"  Process: virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
NTFS ADS (1 IoC)
  File created  C:\Users\AdminF+ZZ.K^KF<YKWSXQF7SM\Y]YP^FASXNYa]F=^K\^ 7OX_F:\YQ\KW]F=^K\^_ZFecxopti.exe  Process: virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2324 wrote to memory of 1780  pid: 2324  Process: virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe  procid_target: 28
  PID 2324 wrote to memory of 1780  pid: 2324  Process: virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe  procid_target: 28
  PID 2324 wrote to memory of 1780  pid: 2324  Process: virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe  procid_target: 28
  PID 2324 wrote to memory of 1780  pid: 2324  Process: virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe  procid_target: 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe"
   PID: 2324
   - Loads dropped DLL
   - Adds Run key to start application
   - NTFS ADS
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
2. C:\SysDrvF1\devoptiloc.exe (child of PID 2324)
   Command line: C:\SysDrvF1\devoptiloc.exe
   PID: 1780
   - Executes dropped EXE
   - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads