372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
31-05-2024 20:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe
Size

2.7MB
MD5

3ac732fb645757ea0399f36306a9a9f4
SHA1

8d699153b9ae070664aed205c45346bd9658f412
SHA256

372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c
SHA512

86ac32bbfb8058f406b76f8112e65069516bf9c5f31426e06bdc77109f6265f7dcc358c4d9759d111f5529069278ea187d9baf3d346997ddec44393a113a7bbe
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBF9w4Sx:+R0pI/IQlUoMPdmpSpN4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1644	devoptisys.exe

Loads dropped DLL 1 IoCs

pid	Process
1976	372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesT6\\devoptisys.exe"	372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZYF\\dobasys.exe"	372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1976	372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe
1976	372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe
1644	devoptisys.exe
1976	372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe
1644	devoptisys.exe
1976	372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe
1644	devoptisys.exe
1976	372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe
1644	devoptisys.exe
1976	372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe
1644	devoptisys.exe
1976	372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe
1644	devoptisys.exe
1976	372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe
1644	devoptisys.exe
1976	372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe
1644	devoptisys.exe
1976	372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe
1644	devoptisys.exe
1976	372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe
1644	devoptisys.exe
1976	372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe
1644	devoptisys.exe
1976	372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe
1644	devoptisys.exe
1976	372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe
1644	devoptisys.exe
1976	372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe
1644	devoptisys.exe
1976	372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe
1644	devoptisys.exe
1976	372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe
1644	devoptisys.exe
1976	372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe
1644	devoptisys.exe
1976	372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe
1644	devoptisys.exe
1976	372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe
1644	devoptisys.exe
1976	372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe
1644	devoptisys.exe
1976	372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe
1644	devoptisys.exe
1976	372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe
1644	devoptisys.exe
1976	372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe
1644	devoptisys.exe
1976	372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe
1644	devoptisys.exe
1976	372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe
1644	devoptisys.exe
1976	372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe
1644	devoptisys.exe
1976	372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe
1644	devoptisys.exe
1976	372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe
1644	devoptisys.exe
1976	372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe
1644	devoptisys.exe
1976	372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe
1644	devoptisys.exe
1976	372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe
1644	devoptisys.exe
1976	372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1644	1976	372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe	28
PID 1976 wrote to memory of 1644	1976	372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe	28
PID 1976 wrote to memory of 1644	1976	372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe	28
PID 1976 wrote to memory of 1644	1976	372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe	28

C:\Users\Admin\AppData\Local\Temp\372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe
"C:\Users\Admin\AppData\Local\Temp\372645a61b0e32e4ebaa38bbcc27f5e6ccec1e924816de1702d23220f1e6099c.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1976
- C:\FilesT6\devoptisys.exe
  C:\FilesT6\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZYF\dobasys.exe

Filesize
2.7MB

MD5
c3cae228fd47b5ee03fc7359c0dfece7

SHA1
a95f0ef20988eeded3db72527f28008989ca336d

SHA256
e1ab03d637457c512bb6e63bcfb60be66d880bb57157815f61fc493d83ffd37d

SHA512
730a895bff292fff93a1aac6b99ea11455744a62fb5510e62033820417234f1d182c3c9b5bab49dee0a807ec50de26ba6ad6f55e6b7f4ac714d634f4bb6cdb9d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
715571bea154a2d623c615974aafb1bd

SHA1
67ecb0075855f75e4bc351b8908bfa90ced22e8e

SHA256
a1cce08c54f1d99756f2ede82ce81ee0929619680c34a6c17a5d527f0ce4d93c

SHA512
81b026fdd778d48c448a83dd500e5f0e24765aa786708f5afaf4daffe69487b1265fb669969dbc874237ab80904536835db2a06d3bcb135cd5ff143e484a27cb

Download Submit
\FilesT6\devoptisys.exe

Filesize
2.7MB

MD5
e9dc57389b21887a49198742647a267e

SHA1
2576939617c95f85e4da2c33e6adac0461bd63a6

SHA256
e4e9275057aaca6080f9721bcf87f7157c4baa81e9e5337d0dc461943e45d62e

SHA512
9326b5d2d9279dbecf703289d2be06427bae74cde6801a3f8a79a2797d78fe5674f5b749319203f5a60484866cc3954193099693c438214cabf51b991d816c4f

Download Submit