5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323

Analysis

max time kernel
150s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 21:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323.exe
Size

2.7MB
MD5

11cb60e81c055c2b1219a8541a602427
SHA1

b1b662f1e4ffe1d96df17bf4d6fa949c28cc2afc
SHA256

5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323
SHA512

0e40905f5f69325e8df8e07856ebef839061d8102ceb32858401af6da544bd4c05661e323ec5e3eb51488709c446ed32266f187d09aec761580676f8d7aa023e
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBC9w4Sx:+R0pI/IQlUoMPdmpSpA4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3792	devoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvQE\\devoptisys.exe"	5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidU8\\bodxsys.exe"	5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
396	5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323.exe
396	5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323.exe
396	5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323.exe
396	5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323.exe
3792	devoptisys.exe
3792	devoptisys.exe
396	5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323.exe
396	5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323.exe
3792	devoptisys.exe
3792	devoptisys.exe
396	5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323.exe
396	5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323.exe
3792	devoptisys.exe
3792	devoptisys.exe
396	5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323.exe
396	5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323.exe
3792	devoptisys.exe
3792	devoptisys.exe
396	5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323.exe
396	5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323.exe
3792	devoptisys.exe
3792	devoptisys.exe
396	5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323.exe
396	5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323.exe
3792	devoptisys.exe
3792	devoptisys.exe
396	5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323.exe
396	5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323.exe
3792	devoptisys.exe
3792	devoptisys.exe
396	5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323.exe
396	5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323.exe
3792	devoptisys.exe
3792	devoptisys.exe
396	5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323.exe
396	5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323.exe
3792	devoptisys.exe
3792	devoptisys.exe
396	5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323.exe
396	5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323.exe
3792	devoptisys.exe
3792	devoptisys.exe
396	5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323.exe
396	5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323.exe
3792	devoptisys.exe
3792	devoptisys.exe
396	5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323.exe
396	5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323.exe
3792	devoptisys.exe
3792	devoptisys.exe
396	5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323.exe
396	5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323.exe
3792	devoptisys.exe
3792	devoptisys.exe
396	5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323.exe
396	5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323.exe
3792	devoptisys.exe
3792	devoptisys.exe
396	5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323.exe
396	5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323.exe
3792	devoptisys.exe
3792	devoptisys.exe
396	5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323.exe
396	5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 3792	396	5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323.exe	93
PID 396 wrote to memory of 3792	396	5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323.exe	93
PID 396 wrote to memory of 3792	396	5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323.exe	93

C:\Users\Admin\AppData\Local\Temp\5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323.exe
"C:\Users\Admin\AppData\Local\Temp\5345122d4193d1258cea93f05e6f356ad0e56377c4d81bf565613e7f4f5a2323.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:396
- C:\SysDrvQE\devoptisys.exe
  C:\SysDrvQE\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3976,i,11049150160560877369,2866371920339304689,262144 --variations-seed-version --mojo-platform-channel-handle=3668 /prefetch:8
1⤵
PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrvQE\devoptisys.exe

Filesize
2.7MB

MD5
5d23e446af31aeedd051eed82c8a8e50

SHA1
ff31d3af14bf93eeb44eb09a71a0ad42525b4eb1

SHA256
f923594c48aaef25af0d9b302d5fed64848ec7835a3616854b6fcef1e4bd0a54

SHA512
4c0d2053f6535517158111f8f39ff2a04acad7609a6197644463ed6fc7ff6a3f04a89bcb4eb44ab974ac9f8fa7a6489159d0b9f693081aec76c451ed5932ebb5

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
348173e3c04abb33af0741f4c4b272d9

SHA1
8dcac4883bf596a94322e2ffe8ad3bd353788b51

SHA256
cdc3eb0e47ddc59fcb59be93fbb33c7b222e1dfdffcebeb029393d2096f54108

SHA512
0b9528e981c1ddbb648508f86e94d4318f2808d3c23cb5528d8569adf0144d7484b444fef78b07ef2e7d942ec55620de7bb40b3935cd120c07405bb2e03c9577

Download Submit
C:\VidU8\bodxsys.exe

Filesize
1.3MB

MD5
560c6eb609346a3376451eaab2be8a12

SHA1
47f01d8d8961647dafcb925977e5c0fe96c4fb81

SHA256
2a60b850fbb0651d259e1eab353c42009e9efc189e289bfa9288c2dcaf11f153

SHA512
5f06794d1a1f07dbbdbbbc76825db27078b500eaeac0e5ac82706de6f31eb6e5b4c5c5b74568581488cda3ea236010a5a4fed1074400b4012b151ea0d26694d7

Download Submit