24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b

Analysis

max time kernel
150s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b.exe
Size

2.7MB
MD5

c65c37917b726cad6d131865a2320c5b
SHA1

8e1a3e6f904ccb3d51436f82dd1056f6c13ca036
SHA256

24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b
SHA512

8d0bebf85bb3f50a8ff031902e9b40979cffdda0d1d8afbf96bba39b558c291ea97720250f9592d93355871cc95a110f3094e61aff394b3d517f18fa269708ea
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBU9w4Sx:+R0pI/IQlUoMPdmpSpO4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4028	devoptiec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc1Y\\devoptiec.exe"	24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZB9\\dobaec.exe"	24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2068	24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b.exe
2068	24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b.exe
2068	24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b.exe
2068	24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b.exe
4028	devoptiec.exe
4028	devoptiec.exe
2068	24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b.exe
2068	24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b.exe
4028	devoptiec.exe
4028	devoptiec.exe
2068	24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b.exe
2068	24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b.exe
4028	devoptiec.exe
4028	devoptiec.exe
2068	24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b.exe
2068	24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b.exe
4028	devoptiec.exe
4028	devoptiec.exe
2068	24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b.exe
2068	24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b.exe
4028	devoptiec.exe
4028	devoptiec.exe
2068	24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b.exe
2068	24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b.exe
4028	devoptiec.exe
4028	devoptiec.exe
2068	24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b.exe
2068	24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b.exe
4028	devoptiec.exe
4028	devoptiec.exe
2068	24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b.exe
2068	24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b.exe
4028	devoptiec.exe
4028	devoptiec.exe
2068	24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b.exe
2068	24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b.exe
4028	devoptiec.exe
4028	devoptiec.exe
2068	24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b.exe
2068	24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b.exe
4028	devoptiec.exe
4028	devoptiec.exe
2068	24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b.exe
2068	24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b.exe
4028	devoptiec.exe
4028	devoptiec.exe
2068	24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b.exe
2068	24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b.exe
4028	devoptiec.exe
4028	devoptiec.exe
2068	24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b.exe
2068	24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b.exe
4028	devoptiec.exe
4028	devoptiec.exe
2068	24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b.exe
2068	24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b.exe
4028	devoptiec.exe
4028	devoptiec.exe
2068	24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b.exe
2068	24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b.exe
4028	devoptiec.exe
4028	devoptiec.exe
2068	24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b.exe
2068	24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 4028	2068	24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b.exe	89
PID 2068 wrote to memory of 4028	2068	24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b.exe	89
PID 2068 wrote to memory of 4028	2068	24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b.exe	89

C:\Users\Admin\AppData\Local\Temp\24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b.exe
"C:\Users\Admin\AppData\Local\Temp\24a81513aa74ad95f64949ea9908d7f1977d82b33994cb98469f99a34909d91b.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Intelproc1Y\devoptiec.exe
  C:\Intelproc1Y\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc1Y\devoptiec.exe

Filesize
2.7MB

MD5
9a2fd0a885c726d706afe2c3d66a3545

SHA1
a58a0fe041b5ac2d0107782482bd46cbfed22e6b

SHA256
70835b43239395a33a5b1cca4e61d8dd482ff8eb755c5006922dc2ed2257dcab

SHA512
093c2a171bce2e32574145238b5620da76aa11347a2a638aaef135b7af9b36b32f6127f64b4e10fabd4c0de63dfdbe184944ee9fdc93ca04518064a73996d9b2

Download Submit
C:\LabZB9\dobaec.exe

Filesize
302KB

MD5
37ed0b4059cbf11cb8a97f676471ad1d

SHA1
4eef3cd139b2f675c9b829ffede462c88fa661ca

SHA256
dc469290a30e6725b6624627c06b6ba7747070c91630ea449eb312ad33a20d3e

SHA512
35acfc51f2e67cf6b9ad8a7033fbfa61e1d458c25586416f8c19b40af79b6e0857e018fd52022bf4a6996e5705c2fa378cd9af77438c9e134b8cdf6ac4f71682

Download Submit
C:\LabZB9\dobaec.exe

Filesize
2.7MB

MD5
2431ab4af8df9e3c86e68b8e3fce76ae

SHA1
db57078a73419b843ea6e3fd04549988e5940b42

SHA256
0de46bdf83530225c5ede512f969e324b98ef93dae4ec5ebe94c64036eb94281

SHA512
85b5ba2df5c0a48be79464917f7a1cbb4c49ca729c3f2f98bd9b3e913f06956962a49d0f66d2932c37347d214ae60468c807cd85a735300d41a162dd76d3739f

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
207B

MD5
97f2ce11959fe46e4809f64e4b912535

SHA1
d201e2ab941b77d77407fc323b265008ad7f0ab5

SHA256
cf660f682ec74b53839178a46725c1f11f7af03511afd54972b48d055f138d41

SHA512
22d8e04f045672867c561f78450d9f7b2546f87b8e07d2f4c81106141973dcb5d41574d73227e4c52dbb4c41715f59bba5468046b33a4e36817c575d755c2565

Download Submit