3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 20:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96.exe
Size

2.7MB
MD5

9752016fbb189737645167ab989167f7
SHA1

fc7fbaf5a08ec8a152203695d4914fa744f11319
SHA256

3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96
SHA512

0049b55207644928bea6e4f3eabaa431b55b8df45f550b4ae14b8ecf4c56033d0ff62430b4ec4295b2c15f2ec33ad87f3c80d5c2f1e50111a105c12ab6e9c342
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBD9w4S+:+R0pI/IQlUoMPdmpSpj4X

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3308	devoptiec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvEC\\devoptiec.exe"	3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintGW\\optidevsys.exe"	3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4132	3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96.exe
4132	3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96.exe
4132	3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96.exe
4132	3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96.exe
3308	devoptiec.exe
3308	devoptiec.exe
4132	3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96.exe
4132	3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96.exe
3308	devoptiec.exe
3308	devoptiec.exe
4132	3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96.exe
4132	3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96.exe
3308	devoptiec.exe
3308	devoptiec.exe
4132	3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96.exe
4132	3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96.exe
3308	devoptiec.exe
3308	devoptiec.exe
4132	3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96.exe
4132	3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96.exe
3308	devoptiec.exe
3308	devoptiec.exe
4132	3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96.exe
4132	3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96.exe
3308	devoptiec.exe
3308	devoptiec.exe
4132	3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96.exe
4132	3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96.exe
3308	devoptiec.exe
3308	devoptiec.exe
4132	3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96.exe
4132	3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96.exe
3308	devoptiec.exe
3308	devoptiec.exe
4132	3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96.exe
4132	3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96.exe
3308	devoptiec.exe
3308	devoptiec.exe
4132	3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96.exe
4132	3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96.exe
3308	devoptiec.exe
3308	devoptiec.exe
4132	3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96.exe
4132	3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96.exe
3308	devoptiec.exe
3308	devoptiec.exe
4132	3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96.exe
4132	3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96.exe
3308	devoptiec.exe
3308	devoptiec.exe
4132	3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96.exe
4132	3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96.exe
3308	devoptiec.exe
3308	devoptiec.exe
4132	3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96.exe
4132	3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96.exe
3308	devoptiec.exe
3308	devoptiec.exe
4132	3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96.exe
4132	3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96.exe
3308	devoptiec.exe
3308	devoptiec.exe
4132	3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96.exe
4132	3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4132 wrote to memory of 3308	4132	3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96.exe	81
PID 4132 wrote to memory of 3308	4132	3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96.exe	81
PID 4132 wrote to memory of 3308	4132	3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96.exe	81

C:\Users\Admin\AppData\Local\Temp\3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96.exe
"C:\Users\Admin\AppData\Local\Temp\3687b1e916b48a0999128d143b96156392a8bce975c2f228f911219035ec0c96.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4132
- C:\SysDrvEC\devoptiec.exe
  C:\SysDrvEC\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintGW\optidevsys.exe

Filesize
2.7MB

MD5
fe9fdb5f4d56d64e6906d63b327dfa0d

SHA1
3141ff8a385c716b476825d6f55bda9c6871c926

SHA256
e5f199ecacb89c817f3e3455c990ae5cf76e8dc5c8e35cbde5fab5e0cce4f64b

SHA512
2a22ad2542ce0ba9ac1032849111ea9e0e5f56a604c2fe7617b0586983859e8e3e534206163caa58b6157a67615b0ad45169fe21ad2381d67e36df067c1e2791

Download Submit
C:\SysDrvEC\devoptiec.exe

Filesize
2.7MB

MD5
1ce294e1e3e6fe92f500f5087604e5da

SHA1
b449483b111cefc23fa02a23626a556394ea0a2c

SHA256
a8de150f57845a5a59f13eebbe666fb755072b256398ea5a06a69b5017f5b162

SHA512
069873210350e71b42272fb2319ac7d44447c540afea61fbcacc3be5a4e96ea66707a663d0583a0c772662de5bf31e7de530cdea2b744c46a8e8c8e2f8f0b39d

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
300682c288b4715e38be369afff48332

SHA1
f1fdfb67e97b789423c91f2232b2923f7b28ab30

SHA256
3789d2d7557c571138e7f6eca468c7ba0bd1449e125beb42c6925fdc53454d22

SHA512
a5f78df896222b18e4d704506df40cba740675085a9b404fbe3bb06b61402e36f42b01217fd3ff451e6a268fa65afffa9b78dfde368b382af03e43a7e2eb29f1

Download Submit