3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2024, 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16.exe
Size

4.1MB
MD5

676dafdb9379ff49445d7dc5aae0bc71
SHA1

260ec38447f25481ae3b7f3b31feac873bea5758
SHA256

3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16
SHA512

56f55005fcb3c3183252b7bb9ebc3e227830bec6c78e9d703d2c9a08702c3c036773ad708f389f3b2433d1a4816fcf123921ae22675b96c18de9e7242da6b039
SSDEEP

98304:+R0pI/IQlUoMPdmpSpx4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdma5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4464	devoptiec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot8I\\devoptiec.exe"	3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZK5\\optidevloc.exe"	3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1332	3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16.exe
1332	3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16.exe
1332	3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16.exe
1332	3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16.exe
4464	devoptiec.exe
4464	devoptiec.exe
1332	3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16.exe
1332	3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16.exe
4464	devoptiec.exe
4464	devoptiec.exe
1332	3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16.exe
1332	3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16.exe
4464	devoptiec.exe
4464	devoptiec.exe
1332	3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16.exe
1332	3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16.exe
4464	devoptiec.exe
4464	devoptiec.exe
1332	3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16.exe
1332	3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16.exe
4464	devoptiec.exe
4464	devoptiec.exe
1332	3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16.exe
1332	3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16.exe
4464	devoptiec.exe
4464	devoptiec.exe
1332	3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16.exe
1332	3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16.exe
4464	devoptiec.exe
4464	devoptiec.exe
1332	3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16.exe
1332	3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16.exe
4464	devoptiec.exe
4464	devoptiec.exe
1332	3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16.exe
1332	3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16.exe
4464	devoptiec.exe
4464	devoptiec.exe
1332	3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16.exe
1332	3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16.exe
4464	devoptiec.exe
4464	devoptiec.exe
1332	3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16.exe
1332	3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16.exe
4464	devoptiec.exe
4464	devoptiec.exe
1332	3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16.exe
1332	3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16.exe
4464	devoptiec.exe
4464	devoptiec.exe
1332	3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16.exe
1332	3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16.exe
4464	devoptiec.exe
4464	devoptiec.exe
1332	3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16.exe
1332	3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16.exe
4464	devoptiec.exe
4464	devoptiec.exe
1332	3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16.exe
1332	3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16.exe
4464	devoptiec.exe
4464	devoptiec.exe
1332	3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16.exe
1332	3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1332 wrote to memory of 4464	1332	3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16.exe	89
PID 1332 wrote to memory of 4464	1332	3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16.exe	89
PID 1332 wrote to memory of 4464	1332	3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16.exe	89

C:\Users\Admin\AppData\Local\Temp\3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16.exe
"C:\Users\Admin\AppData\Local\Temp\3d47acbcaf26c32c8a428fedeb6875b53952f8544cb159243cbc6a0302470a16.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1332
- C:\UserDot8I\devoptiec.exe
  C:\UserDot8I\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZK5\optidevloc.exe

Filesize
1.9MB

MD5
fed274ecff6533eabb5bdb1e17ac311b

SHA1
7895c27a6086096480775bd963595a7a2ad90251

SHA256
c2f54574c08fe18960d7a5c391732016c30624a7342660d230fb9bf04684cb8c

SHA512
5ecebb5f1b4487d9a72b6e8703793fe9c536c07fb4f1cd4d79b3f901ac62f6e7c808b1e4ef6fac616e3fe2439b24e7e0ebf205c96eca6fd19a82d17ce809a680

Download Submit
C:\UserDot8I\devoptiec.exe

Filesize
4.1MB

MD5
05cbe669e29157c186003fe7307a5b20

SHA1
2c0bd17cf976b43cdab366503451d8951ae9e3f7

SHA256
8ed8279012cf00a667ec46a752795bc864f2f4c98c420b9aab6c67fb1e55e979

SHA512
e104e0c31ca6ca8d90fc78f3fd5f9060ee0603150eddd9d19303d5cc2034ec07c4a9a8529d686318b81757d8dfea7bbab70bd8d77dc6758c9253ddd22199ebb3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
25e138e0afe3f0ed69d6f5eb8cb1bee5

SHA1
bdaee896ffcf7337dbc26bcaba119a5decb1628d

SHA256
79c926b9020b7eac7d963fd9f8f87509522040bfcf3ed530a2de49e61b9d00e1

SHA512
df996905b564ff8ecd4daa96bc930d517c88dd8d060ee96657a893362e117cefb7a452a0e122d12ca004ecc9461c6db104b4a47272de15ffff741e2dbbc7b170

Download Submit