ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838

Analysis

max time kernel
150s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838.exe
Size

4.1MB
MD5

a2d536b8615442e97e3d06e56140928e
SHA1

c919f69e466202143679d24335c0ea9ca7a99cf3
SHA256

ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838
SHA512

7206d2846146b418bfb43746cd453bb4ff7b3a917b1eac3e8081cb082f835ca0add630b04a8c5d2951e8b2b582f3963703676eba79f51bbceb080cddebebb636
SSDEEP

98304:+R0pI/IQlUoMPdmpSpI4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmj5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4116	devoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesMW\\devoptisys.exe"	ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxKL\\optiasys.exe"	ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4968	ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838.exe
4968	ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838.exe
4968	ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838.exe
4968	ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838.exe
4116	devoptisys.exe
4116	devoptisys.exe
4968	ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838.exe
4968	ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838.exe
4116	devoptisys.exe
4116	devoptisys.exe
4968	ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838.exe
4968	ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838.exe
4116	devoptisys.exe
4116	devoptisys.exe
4968	ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838.exe
4968	ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838.exe
4116	devoptisys.exe
4116	devoptisys.exe
4968	ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838.exe
4968	ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838.exe
4116	devoptisys.exe
4116	devoptisys.exe
4968	ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838.exe
4968	ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838.exe
4116	devoptisys.exe
4116	devoptisys.exe
4968	ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838.exe
4968	ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838.exe
4116	devoptisys.exe
4116	devoptisys.exe
4968	ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838.exe
4968	ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838.exe
4116	devoptisys.exe
4116	devoptisys.exe
4968	ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838.exe
4968	ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838.exe
4116	devoptisys.exe
4116	devoptisys.exe
4968	ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838.exe
4968	ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838.exe
4116	devoptisys.exe
4116	devoptisys.exe
4968	ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838.exe
4968	ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838.exe
4116	devoptisys.exe
4116	devoptisys.exe
4968	ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838.exe
4968	ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838.exe
4116	devoptisys.exe
4116	devoptisys.exe
4968	ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838.exe
4968	ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838.exe
4116	devoptisys.exe
4116	devoptisys.exe
4968	ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838.exe
4968	ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838.exe
4116	devoptisys.exe
4116	devoptisys.exe
4968	ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838.exe
4968	ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838.exe
4116	devoptisys.exe
4116	devoptisys.exe
4968	ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838.exe
4968	ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 4116	4968	ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838.exe	96
PID 4968 wrote to memory of 4116	4968	ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838.exe	96
PID 4968 wrote to memory of 4116	4968	ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838.exe	96

C:\Users\Admin\AppData\Local\Temp\ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838.exe
"C:\Users\Admin\AppData\Local\Temp\ce39d724bd09a73cc64d9f50daacc590ba2054772c0ae13f638830102ee04838.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4968
- C:\FilesMW\devoptisys.exe
  C:\FilesMW\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1036,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=3816 /prefetch:8
1⤵
PID:4432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesMW\devoptisys.exe

Filesize
4.1MB

MD5
5884144e3aac15e60027070abc2b4937

SHA1
8b6b6529bd8609de16eec9752ad9878a8abf63b5

SHA256
578b684db4ff0e71e405b3868125d7c7fb8f0c4e999bf9d8ee8c74366b3d06e8

SHA512
6f79865a8fa5f9d7caed8f4c2d480c2268aa9845454fd15face3febd8355f59c6fddab72dab35526d4387c2c3588af924a64f94c3e4a754e8b92c6c39d8ae525

Download Submit
C:\GalaxKL\optiasys.exe

Filesize
4.1MB

MD5
04ceb445b40d23d7e55c8d9c2d21316f

SHA1
ea21e45dbeb741a90353e891ff00b456de5f6d19

SHA256
5e0779226ca6efc21ccbb08a85ba5ccf24932b3d1aa5e719aad9272d10cba9df

SHA512
9e1ef266e392ecb801cb18e16532f6745b368c3ed587be8e5b4fd18f8a9348148eba4f7fd3a06633e0840efbe3fea68de85af3bf90997b5f44e5f0f487665507

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
cd354ceab1e449eae6ef6d7bf6f88089

SHA1
0dba1be61173fe9fefcbade5728ec20a7808d28b

SHA256
9e2de452906ee8fcee75a2e829a27fde0d041b4a26cbb9db3c0f1eea51f09485

SHA512
3e15732bb8daaba545fad4209464a35ebaac77e9c03fbc7940b110ca2eebe95326dafc4ff70bdc4673e6a9d45f8e10c76565e9d046e26ca65b001b194cc1544b

Download Submit