b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 02:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0.exe
Size

2.7MB
MD5

90d81c991b8f53ac5b9ed40be1947734
SHA1

5a49d7adb244df0d77219c9c72585e378204e5ad
SHA256

b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0
SHA512

8db9bde2a563c4209f5001260d52f6b3307fadfcfb88379fa4573bcefea56cc2a55a45e5bf7cd4524109f0ecfe5f86cd9e9f2c14c2ac5a2b06f6e8fdb44cb27c
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBv9w4Sx:+R0pI/IQlUoMPdmpSp34

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4896	devoptiec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB28\\optidevloc.exe"	b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesBQ\\devoptiec.exe"	b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4564	b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0.exe
4564	b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0.exe
4564	b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0.exe
4564	b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0.exe
4896	devoptiec.exe
4896	devoptiec.exe
4564	b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0.exe
4564	b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0.exe
4896	devoptiec.exe
4896	devoptiec.exe
4564	b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0.exe
4564	b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0.exe
4896	devoptiec.exe
4896	devoptiec.exe
4564	b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0.exe
4564	b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0.exe
4896	devoptiec.exe
4896	devoptiec.exe
4564	b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0.exe
4564	b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0.exe
4896	devoptiec.exe
4896	devoptiec.exe
4564	b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0.exe
4564	b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0.exe
4896	devoptiec.exe
4896	devoptiec.exe
4564	b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0.exe
4564	b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0.exe
4896	devoptiec.exe
4896	devoptiec.exe
4564	b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0.exe
4564	b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0.exe
4896	devoptiec.exe
4896	devoptiec.exe
4564	b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0.exe
4564	b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0.exe
4896	devoptiec.exe
4896	devoptiec.exe
4564	b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0.exe
4564	b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0.exe
4896	devoptiec.exe
4896	devoptiec.exe
4564	b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0.exe
4564	b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0.exe
4896	devoptiec.exe
4896	devoptiec.exe
4564	b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0.exe
4564	b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0.exe
4896	devoptiec.exe
4896	devoptiec.exe
4564	b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0.exe
4564	b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0.exe
4896	devoptiec.exe
4896	devoptiec.exe
4564	b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0.exe
4564	b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0.exe
4896	devoptiec.exe
4896	devoptiec.exe
4564	b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0.exe
4564	b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0.exe
4896	devoptiec.exe
4896	devoptiec.exe
4564	b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0.exe
4564	b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 4896	4564	b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0.exe	89
PID 4564 wrote to memory of 4896	4564	b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0.exe	89
PID 4564 wrote to memory of 4896	4564	b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0.exe	89

C:\Users\Admin\AppData\Local\Temp\b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0.exe
"C:\Users\Admin\AppData\Local\Temp\b6ad1d5b2b8bbc848a0fd3868f9821eb016a1a2bf2f434c51a44ef0821340db0.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4564
- C:\FilesBQ\devoptiec.exe
  C:\FilesBQ\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesBQ\devoptiec.exe

Filesize
2.7MB

MD5
e6d12b57644e552a6a1bc538b101a61e

SHA1
0c0b2be9cdb9b1750ae8058c732cdabc9621adef

SHA256
f105ad57d559b665ddfc75f4a23d1ca85ecbf0fb02051ed692921e08fbd05380

SHA512
acd7ccdbcec7d36b59b5cd58825d1e3343c619a37acddcca4793efcfb0d26d6f3b581852ed796f733cd430fd6d52e2fa187fbc9ff3c8b6fa1cfd380011b98cc9

Download Submit
C:\KaVB28\optidevloc.exe

Filesize
23KB

MD5
a6aebd29ccc988545c49a93b8c422fc3

SHA1
70ea713ca93cc992d63d7aa2c8d1d01b6a3b2db7

SHA256
40b80ab3b88d64cd22cff2360518a0a47a400c092cfbee5dc3326694053ab7cd

SHA512
2e5635e4889783c9097ea9ed53b511562b3ce26e035c1551929223efb99aa73df73adeda868c6d0eee35073e6aa6814f965dab5e70a699a0f3951085ebea0b82

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
f087220781069b16a06488e9cad1356e

SHA1
112d5e39a77ccecd30cc523139d16080b56f93b8

SHA256
bd7823c8b0fe5815b18d3ff17a2f5888a6803b93c19fdc12ae407ac3ad9ceaeb

SHA512
30436ed1a1eb74fd02eeb1a7e932c7ba7a85ed73e3dd916836f63c98cb9f5b3038c157d0cc3ddc7772d3b5d5dc6d5cd1c10e0f7922e732c1dd79584a8b40f8ba

Download Submit