Malware Analysis Report

2025-03-15 00:32

Sample ID 240603-2e3wyabd51
Target 670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b
SHA256 670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b
Tags: persistence
Score: 7/10


Analysis Overview

Score: 7/10

SHA256

670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b

Threat Level: Shows suspicious behavior

The file 670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b was found to show suspicious behavior.

Malicious Activity Summary

persistence

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 22:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 22:30

Reported

2024-06-03 22:33

Platform

win7-20240221-en

Max time kernel

150s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Files2Z\devdobloc.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files2Z\\devdobloc.exe" C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintCY\\optidevec.exe" C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Files2Z\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Files2Z\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Files2Z\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Files2Z\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Files2Z\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Files2Z\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Files2Z\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Files2Z\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Files2Z\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Files2Z\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Files2Z\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Files2Z\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Files2Z\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Files2Z\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Files2Z\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Files2Z\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Files2Z\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Files2Z\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Files2Z\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Files2Z\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Files2Z\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Files2Z\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Files2Z\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Files2Z\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Files2Z\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Files2Z\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Files2Z\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Files2Z\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Files2Z\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Files2Z\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Files2Z\devdobloc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe

"C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe"

C:\Files2Z\devdobloc.exe

C:\Files2Z\devdobloc.exe

Network

N/A

Files

\Files2Z\devdobloc.exe

MD5 d882df19ee641e018ef14140f76b4b8c
SHA1 26605a05f72c5eb2fe6c4ea17f38a79ddcc5c977
SHA256 2fdf388b0416b6e5c27560d4f75934991794c0a5e3931d906b5535d8ed5cc429
SHA512 addad9a18ebba0a618c3a4883d6ac0083622c6879e7dd42198c9e0687d7b622be2b3c28c68f74808f893ffd6e2b569e0db1e5effbd68bdc582c0d705bb1a65de

C:\Users\Admin\253086396416_6.1_Admin.ini

MD5 384b1ea5852efea73c6cfac4f27aee40
SHA1 2227b5efb838fb563a8d3a6d1fe146e3b637a94d
SHA256 b71de1189c4897af7bd2f4f3bb32ce3fad005333b43875560722fd141e2e02b3
SHA512 dc24d5f81c0e8f5530ac80bb83f2143a7113bed9b78f3ada0f7e810e44ef9fc621415da656846f655aeb71dcf439f7c6e98833853c266d720b459fc98af33775

C:\MintCY\optidevec.exe

MD5 f049f316d1dcca60f5682a3c1fad11ad
SHA1 2cc5209b28e53e0d97c2aa2540904a5db8d9a772
SHA256 29d9202c78612e74cb2b5016b22ff110d526a03ac7a3aca362e1fbc52bbf30e8
SHA512 333d8c63373946edfc76e8f9f4d1afcc993a45431e287816a4f1a0aa03880ace89972633c8d8665ab55880714064d30cc574d4c300369096dfbf74f671bc68f0

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 22:30

Reported

2024-06-03 22:33

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\IntelprocEC\devoptisys.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocEC\\devoptisys.exe" C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBIO\\dobdevloc.exe" C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\IntelprocEC\devoptisys.exe N/A
N/A N/A C:\IntelprocEC\devoptisys.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\IntelprocEC\devoptisys.exe N/A
N/A N/A C:\IntelprocEC\devoptisys.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\IntelprocEC\devoptisys.exe N/A
N/A N/A C:\IntelprocEC\devoptisys.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\IntelprocEC\devoptisys.exe N/A
N/A N/A C:\IntelprocEC\devoptisys.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\IntelprocEC\devoptisys.exe N/A
N/A N/A C:\IntelprocEC\devoptisys.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\IntelprocEC\devoptisys.exe N/A
N/A N/A C:\IntelprocEC\devoptisys.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\IntelprocEC\devoptisys.exe N/A
N/A N/A C:\IntelprocEC\devoptisys.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\IntelprocEC\devoptisys.exe N/A
N/A N/A C:\IntelprocEC\devoptisys.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\IntelprocEC\devoptisys.exe N/A
N/A N/A C:\IntelprocEC\devoptisys.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\IntelprocEC\devoptisys.exe N/A
N/A N/A C:\IntelprocEC\devoptisys.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\IntelprocEC\devoptisys.exe N/A
N/A N/A C:\IntelprocEC\devoptisys.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\IntelprocEC\devoptisys.exe N/A
N/A N/A C:\IntelprocEC\devoptisys.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\IntelprocEC\devoptisys.exe N/A
N/A N/A C:\IntelprocEC\devoptisys.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\IntelprocEC\devoptisys.exe N/A
N/A N/A C:\IntelprocEC\devoptisys.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\IntelprocEC\devoptisys.exe N/A
N/A N/A C:\IntelprocEC\devoptisys.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe

"C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe"

C:\IntelprocEC\devoptisys.exe

C:\IntelprocEC\devoptisys.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

C:\IntelprocEC\devoptisys.exe

MD5 5fa72fe32f0be437655fffee64838455
SHA1 3f03c8aaa1c5ac0be8826aa278271bff79c3e172
SHA256 60e934f686d8b8ff0f5c7eceeec403f728d37bd9b5792688339e8fa5ae3178b4
SHA512 26175dd09d90e7e7cb2f75ef3005837a1a9f05190941ebd44cdc2fa6359ac742a04b03f5ddc99407dc40945a83ed4eb9801870a435a5cb4dc1a46bbab62097b7

C:\Users\Admin\253086396416_10.0_Admin.ini

MD5 a92ae43874333706f747bf37b1d498d9
SHA1 d395d6322a82b664660b8290e9ce74a5c42664ad
SHA256 97486733c57012455ed6dcaf1355eb2cb8bb41c919af5d74b19419c12a500d01
SHA512 2f4698873aa2153aaf8d7dacb8217f3399c09c051068e3c42cb1f7b63eae055b00a9e2ce6454114780983b2006b6993ebf091f1934d0d579207b5d88c118ce2b

C:\KaVBIO\dobdevloc.exe

MD5 5804b7d4cdc77efbb29a02ff5f1d4887
SHA1 4927e58787f6319b41c344ce1cb31d66b5e9859d
SHA256 384a0498d57307191ff93a4e535a4f406e3b29d213816ee8fa44fbb4dd485705
SHA512 24e5fdf0e4111bf4915294e30c37414a73b3475e88a7f512246c7a692afb2f552c6d850e7d6806eea3fb96db7d41ea29bd2defee2f255a19d73a99c89d61c7e6