5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/06/2024, 22:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe
Size

2.7MB
MD5

1e8e1da55ece984999abe1ef63720211
SHA1

de43f7cb9e1d0fdf17332183a9e3a80b9eda5b65
SHA256

5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b
SHA512

b1924c5614c1aee1f57cc68e7448eb61b9c857c324df65a4c69603a25bc9b0e15f54ff914182c5e454d8278ec13442ec23108a8ee7705e9c67ca489df66d0b14
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB99w4Sx:+R0pI/IQlUoMPdmpSpJ4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1896	devoptisys.exe

Loads dropped DLL 1 IoCs

pid	Process
2804	5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxY2\\bodaec.exe"	5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesUL\\devoptisys.exe"	5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2804	5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe
2804	5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe
1896	devoptisys.exe
2804	5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe
1896	devoptisys.exe
2804	5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe
1896	devoptisys.exe
2804	5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe
1896	devoptisys.exe
2804	5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe
1896	devoptisys.exe
2804	5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe
1896	devoptisys.exe
2804	5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe
1896	devoptisys.exe
2804	5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe
1896	devoptisys.exe
2804	5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe
1896	devoptisys.exe
2804	5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe
1896	devoptisys.exe
2804	5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe
1896	devoptisys.exe
2804	5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe
1896	devoptisys.exe
2804	5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe
1896	devoptisys.exe
2804	5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe
1896	devoptisys.exe
2804	5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe
1896	devoptisys.exe
2804	5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe
1896	devoptisys.exe
2804	5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe
1896	devoptisys.exe
2804	5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe
1896	devoptisys.exe
2804	5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe
1896	devoptisys.exe
2804	5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe
1896	devoptisys.exe
2804	5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe
1896	devoptisys.exe
2804	5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe
1896	devoptisys.exe
2804	5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe
1896	devoptisys.exe
2804	5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe
1896	devoptisys.exe
2804	5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe
1896	devoptisys.exe
2804	5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe
1896	devoptisys.exe
2804	5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe
1896	devoptisys.exe
2804	5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe
1896	devoptisys.exe
2804	5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe
1896	devoptisys.exe
2804	5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe
1896	devoptisys.exe
2804	5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe
1896	devoptisys.exe
2804	5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 1896	2804	5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe	28
PID 2804 wrote to memory of 1896	2804	5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe	28
PID 2804 wrote to memory of 1896	2804	5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe	28
PID 2804 wrote to memory of 1896	2804	5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe	28

C:\Users\Admin\AppData\Local\Temp\5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe
"C:\Users\Admin\AppData\Local\Temp\5984eeac8b743d98a1d44c8d197b1c9083280319f3b348bd9acfddd65689e54b.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2804
- C:\FilesUL\devoptisys.exe
  C:\FilesUL\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxY2\bodaec.exe

Filesize
2.7MB

MD5
da6c4f33097236ee2c2bef78fa9072bf

SHA1
be97eb9fbc4a79bc14b9436cc2fa72785711ec29

SHA256
0de79117dcf703ae27d6fc04195fa1ce7942bf2ca40c886a878e044c5cfaedbe

SHA512
88d947a19f8534c86e12fdd3c4fcbef41234354409267ca1779ba490d2845274f6e1175d9c7bde6f9341b485f0fc68e556d18190c5a7146d147b74287b4a9c8c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
4f0931382c7679bea78282b051e38e92

SHA1
0f197b80d0d38f6dcb0031ea1d8386ff94d64580

SHA256
734f011036856be66de6cd391db22f6f7bda185aac7122785e7859cf50e35510

SHA512
eafba1e58fd929a7b5a085f13cc22e67c55fb09b4b7e897f59af538cd707c6cb1f241eb1e0a01274d8d7440b2cd48e06c57ecae71470620a761569d7e60d09f0

Download Submit
\FilesUL\devoptisys.exe

Filesize
2.7MB

MD5
56e94d2c8136f90e80d8270713a94ff9

SHA1
938793fec5fc71dab06482000f37ab833e1caafa

SHA256
b000ce8083d2723a12a12bb8872747f0a26a57e335aedc7e2c09e1aabfb9ff42

SHA512
3ccff14cad9c331afcfcef192f14926a36aad6a00d0e807e5a77af43f210649aef668f5cc31b209e0d2a81c2fe2d267b8f1ad0c416965aac7653c192e6d98cd3

Download Submit