ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/06/2024, 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe
Size

4.1MB
MD5

92d386c9f7ada34b492f0fda97bed78b
SHA1

148603e84e07069f71cb076a2c63ca40dd50b152
SHA256

ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a
SHA512

81bbdb1a966c85bdf46d021ff7bba1bdfec9e9e726198bf9847b0bfbd387c4117b6443a048fc764a761f3ef94c1a1fa97ce32e5fd456e3553c9cae20e63a6aaa
SSDEEP

98304:+R0pI/IQlUoMPdmpSpr4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmo5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1984	devoptiec.exe

Loads dropped DLL 1 IoCs

pid	Process
2120	ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotW0\\devoptiec.exe"	ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxS0\\boddevsys.exe"	ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2120	ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe
2120	ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe
1984	devoptiec.exe
2120	ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe
1984	devoptiec.exe
2120	ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe
1984	devoptiec.exe
2120	ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe
1984	devoptiec.exe
2120	ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe
1984	devoptiec.exe
2120	ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe
1984	devoptiec.exe
2120	ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe
1984	devoptiec.exe
2120	ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe
1984	devoptiec.exe
2120	ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe
1984	devoptiec.exe
2120	ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe
1984	devoptiec.exe
2120	ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe
1984	devoptiec.exe
2120	ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe
1984	devoptiec.exe
2120	ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe
1984	devoptiec.exe
2120	ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe
1984	devoptiec.exe
2120	ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe
1984	devoptiec.exe
2120	ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe
1984	devoptiec.exe
2120	ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe
1984	devoptiec.exe
2120	ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe
1984	devoptiec.exe
2120	ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe
1984	devoptiec.exe
2120	ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe
1984	devoptiec.exe
2120	ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe
1984	devoptiec.exe
2120	ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe
1984	devoptiec.exe
2120	ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe
1984	devoptiec.exe
2120	ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe
1984	devoptiec.exe
2120	ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe
1984	devoptiec.exe
2120	ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe
1984	devoptiec.exe
2120	ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe
1984	devoptiec.exe
2120	ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe
1984	devoptiec.exe
2120	ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe
1984	devoptiec.exe
2120	ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe
1984	devoptiec.exe
2120	ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe
1984	devoptiec.exe
2120	ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 1984	2120	ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe	28
PID 2120 wrote to memory of 1984	2120	ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe	28
PID 2120 wrote to memory of 1984	2120	ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe	28
PID 2120 wrote to memory of 1984	2120	ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe	28

C:\Users\Admin\AppData\Local\Temp\ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe
"C:\Users\Admin\AppData\Local\Temp\ae2f56cac952e09d564ef10b5856cd04ddb4b9c2e63659449fdf702089537a2a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2120
- C:\UserDotW0\devoptiec.exe
  C:\UserDotW0\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxS0\boddevsys.exe

Filesize
4.1MB

MD5
e98950a06db2256a6bddbf99a914a42d

SHA1
fdc0da4f9cc3c0ef84ac1615a5af79216fde4b00

SHA256
41aa0f799e36380a52fe48bd4bd7b70a74562bd16248ca878ab7dfd44a26c1da

SHA512
56fbae4406f47e2a7179c7e862a15a7ab6d5f5dc8784631d8de45e403fdfa344c4febd8f71ad0d611d7a4d9c8bca4984954eb36d7674bc5bca8d4d36e6a9c6ab

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
210B

MD5
22d57e34fbab6ac0bbb490a5af54ec18

SHA1
b728a5fe4a45fc52f33def57a652ccd336187433

SHA256
943d4a738cac974daefa13322f0e95300442f3744bcdeb0df96c5ae69abbe0a2

SHA512
655cea65e5aa04730395736302e72c8122043cd1f38d099273231d72eea24c6ea7d3471b85b641a5f5512d822c5a902a66189814e5ce4ec43bd2d0f121800e5d

Download Submit
\UserDotW0\devoptiec.exe

Filesize
4.1MB

MD5
94dcf9a91bae0408b2b510c62a2b9fa4

SHA1
9bfa0bcc960dc71df7d57e3c5a3fe90e08768623

SHA256
e95ae7cdf149f3670ab9137d3879afa52805f1383f976f942cd0ad831dc1e48d

SHA512
d1881cc2776557b229dd338eaee60ebf7cabb02912db972a9fc2d5fbccc8ba7724ec31023948756d45cab1edc462334c24aa99f70090fc8c8a776529d1086829

Download Submit