c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 02:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe
Size

2.7MB
MD5

c83dc7ed5ff53ea991fce0ed6940393e
SHA1

9f04aa69d1a32a5af3cd2a3578dc13efeb3f9d31
SHA256

c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa
SHA512

46cda4319cf3c8656f78f9acb7a33454a5dd40357744ea77fc7f2bdf0e9739ccd4b7d477d60fa91e12478284f79dec962fc958fd54cb9cb44feb7e6f76795eba
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB29w4Sx:+R0pI/IQlUoMPdmpSpA4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1900	devoptiloc.exe

Loads dropped DLL 1 IoCs

pid	Process
1368	c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe9W\\devoptiloc.exe"	c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxV8\\optiasys.exe"	c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1368	c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe
1368	c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe
1900	devoptiloc.exe
1368	c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe
1900	devoptiloc.exe
1368	c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe
1900	devoptiloc.exe
1368	c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe
1900	devoptiloc.exe
1368	c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe
1900	devoptiloc.exe
1368	c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe
1900	devoptiloc.exe
1368	c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe
1900	devoptiloc.exe
1368	c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe
1900	devoptiloc.exe
1368	c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe
1900	devoptiloc.exe
1368	c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe
1900	devoptiloc.exe
1368	c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe
1900	devoptiloc.exe
1368	c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe
1900	devoptiloc.exe
1368	c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe
1900	devoptiloc.exe
1368	c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe
1900	devoptiloc.exe
1368	c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe
1900	devoptiloc.exe
1368	c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe
1900	devoptiloc.exe
1368	c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe
1900	devoptiloc.exe
1368	c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe
1900	devoptiloc.exe
1368	c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe
1900	devoptiloc.exe
1368	c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe
1900	devoptiloc.exe
1368	c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe
1900	devoptiloc.exe
1368	c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe
1900	devoptiloc.exe
1368	c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe
1900	devoptiloc.exe
1368	c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe
1900	devoptiloc.exe
1368	c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe
1900	devoptiloc.exe
1368	c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe
1900	devoptiloc.exe
1368	c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe
1900	devoptiloc.exe
1368	c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe
1900	devoptiloc.exe
1368	c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe
1900	devoptiloc.exe
1368	c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe
1900	devoptiloc.exe
1368	c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe
1900	devoptiloc.exe
1368	c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 1900	1368	c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe	28
PID 1368 wrote to memory of 1900	1368	c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe	28
PID 1368 wrote to memory of 1900	1368	c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe	28
PID 1368 wrote to memory of 1900	1368	c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe	28

C:\Users\Admin\AppData\Local\Temp\c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe
"C:\Users\Admin\AppData\Local\Temp\c8e32ca8eb228c0697679d6ef8b879625795f5b8491f7648851fbc6200d8b4aa.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Adobe9W\devoptiloc.exe
  C:\Adobe9W\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxV8\optiasys.exe

Filesize
2.7MB

MD5
b1a531635027a3b55d79af9006294d66

SHA1
cdf3a5d37eb8c1ee48cebcb23005df063a5fdb74

SHA256
47c0c04b50dcaa003dfa065f90fcac6e5da6748c5474cb546c2267a6012907a8

SHA512
360d4980bd08357b7c9aff52b5a49f0ebe27ed35300f27a4edaea739d4cda34971077998519d64af5cb89a8368fb584d6a7cf989be72cc15ec835b74c0940cab

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
60711e65a8b4b549827ec79f37a589ba

SHA1
956a567c9e3043e5be6bc49c8a80c3c169ad1587

SHA256
d16c7e49cb1e72ae948577ce4ca92eb122789b597d655e7ca449abce9d78f07e

SHA512
e0e71090561b1b70c156625616420541c3d9c56cfae122040464d5658a7374f30b6b08c846cab779ba82fe300fff3a5061502754d2c5fb5feacef70886ae20cf

Download Submit
\Adobe9W\devoptiloc.exe

Filesize
2.7MB

MD5
02714b0433b6c35eb9c61c215d169c51

SHA1
9f2bad4df3583e52b39cdb247d3b592aec4df378

SHA256
be7ccfba80aece5f2dbbbed5e9ca6a1d46a7183ff06159c41510c8d31ebd3958

SHA512
745890520b28b73ac51f49a21219dbedd604c7dcf0c2b00762363eb8bdac207b9eb23e266aacba7482745a0d1f8c74704d176db75067139c079a0f9589561cf1

Download Submit