Overview
overview
10Static
static
10[DemonArch...fb.exe
windows7-x64
1[DemonArch...4e.exe
windows7-x64
7[DemonArch...86.exe
windows7-x64
[DemonArch...1e.exe
windows7-x64
10[DemonArch...a6.exe
windows7-x64
7[DemonArch...a8.exe
windows7-x64
1[DemonArch...4b.exe
windows7-x64
3[DemonArch...6b.dll
windows7-x64
1[DemonArch...23.exe
windows7-x64
8[DemonArch...38.exe
windows7-x64
10[DemonArch...94.exe
windows7-x64
10[DemonArch...03.exe
windows7-x64
5[DemonArch...96.exe
windows7-x64
10[DemonArch...f0.dll
windows7-x64
3[DemonArch...4c.exe
windows7-x64
10[DemonArch...b3.exe
windows7-x64
1[DemonArch...44.exe
windows7-x64
[DemonArch...13.exe
windows7-x64
1[DemonArch...22.exe
windows7-x64
10[DemonArch...7e.exe
windows7-x64
1[DemonArch...73.exe
windows7-x64
10[DemonArch...94.exe
windows7-x64
10[DemonArch...f6.exe
windows7-x64
[DemonArch...b6.exe
windows7-x64
1[DemonArch...84.exe
windows7-x64
1[DemonArch...a0.exe
windows7-x64
10[DemonArch...9e.exe
windows7-x64
[DemonArch...f2.exe
windows7-x64
[DemonArch...f4.exe
windows7-x64
3[DemonArch...c8.dll
windows7-x64
1[DemonArch...85.dll
windows7-x64
10[DemonArch...71.exe
windows7-x64
Analysis
-
max time kernel
148s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
04-07-2024 17:19
Behavioral task
behavioral1
Sample
[DemonArchives]560184b003e9c461fdfa4ab15cd3b6fb.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral2
Sample
[DemonArchives]58b00f133ec3b7efa68faf94233d594e.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral3
Sample
[DemonArchives]627ba000cff6d43aa031da4020d15186.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral4
Sample
[DemonArchives]68d0fb679004d3c27c9efa840010881e.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral5
Sample
[DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral6
Sample
[DemonArchives]6bc2fcef470b064c9bd339c7e2553ea8.exe
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral7
Sample
[DemonArchives]6bf80d8b5b235df5efb621da1dd61b4b.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral8
Sample
[DemonArchives]6e102d15d6af7c43d43141e9d2a1206b.dll
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral9
Sample
[DemonArchives]6e4f9763c17ea31c3d1406eabd7db423.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral10
Sample
[DemonArchives]720d7d1deff763aee99bcc266f96b238.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral11
Sample
[DemonArchives]7a8bde6d1942443bdbf09e610eb1b794.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral12
Sample
[DemonArchives]7da028810a703bb926d39a9b4ba50703.exe
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral13
Sample
[DemonArchives]7e020e96f43c40b26aa7f880ad0f8a96.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral14
Sample
[DemonArchives]81759dd56bd4387d02cb20d44422c8f0.dll
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral15
Sample
[DemonArchives]853a559e0dcb25ab9605685ec776224c.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral16
Sample
[DemonArchives]887a4917f4af1126d489a4f4d56b2eb3.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral17
Sample
[DemonArchives]8edcc9bf66c21c55cf482dcac1c18c44.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral18
Sample
[DemonArchives]973465ab358797d8d056e4f04bda2513.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral19
Sample
[DemonArchives]9a6f31f789128531e4c714e44915f822.exe
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral20
Sample
[DemonArchives]9afac07fd6517652d6e659963db8b87e.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral21
Sample
[DemonArchives]a367e7069b0df249dbcd93f02f05a573.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral22
Sample
[DemonArchives]a410ac0c141ebeb019661a692020fb94.exe
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral23
Sample
[DemonArchives]a62aacc19cac89138571eec242bcd4f6.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral24
Sample
[DemonArchives]a7f2bf63baba5ffe2b5e76ab67d25bb6.exe
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral25
Sample
[DemonArchives]a9ea383aca2b60aece3a27c899e3f784.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral26
Sample
[DemonArchives]ad9972de71fbca864e9303a043d203a0.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral27
Sample
[DemonArchives]adefb3d586e8f74af30155d21ac5fc9e.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral28
Sample
[DemonArchives]b00c6b1b2a79fc9c57f97d16d58d00f2.exe
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral29
Sample
[DemonArchives]b2d7c4f62aa3abc7e398981d5c280af4.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral30
Sample
[DemonArchives]c30111080c9e6acc70dd86ff97188ac8.dll
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral31
Sample
[DemonArchives]ddc0d08019efa4cc5f2a39de99cc0a85.dll
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral32
Sample
[DemonArchives]e28fe1917c5ffe9a3062ee369087f971.exe
Resource
win7-20240221-en
windows7-x64
General
-
Target
[DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe
-
Size
2.6MB
-
MD5
6a1fe8f4fbbc726b6ee093b2688a33a6
-
SHA1
90259529d74b39d95a10c57d175622662f880295
-
SHA256
4b48bb56e58eb299e508228e91dbc466ac1fc5948e5975d400b89dca0e1c334b
-
SHA512
3a478f2d252f1203e173f0e5ff138ad1efd10b01cac22f3fab8d38895d4c767fd57f6fa9443f254e362e636f2ea12d914fbcb2db0f4b54f3e89ca58bc45720eb
-
SSDEEP
49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBZ9w4Se:+R0pI/IQlUoMPdmpSpR4
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2028 devoptiec.exe -
Loads dropped DLL 1 IoCs
pid Process 1008 [DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesTW\\devoptiec.exe" [DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxS8\\optixsys.exe" [DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1008 [DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe 1008 [DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe 2028 devoptiec.exe 1008 [DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe 2028 devoptiec.exe 1008 [DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe 2028 devoptiec.exe 1008 [DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe 2028 devoptiec.exe 1008 [DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe 2028 devoptiec.exe 1008 [DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe 2028 devoptiec.exe 1008 [DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe 2028 devoptiec.exe 1008 [DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe 2028 devoptiec.exe 1008 [DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe 2028 devoptiec.exe 1008 [DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe 2028 devoptiec.exe 1008 [DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe 2028 devoptiec.exe 1008 [DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe 2028 devoptiec.exe 1008 [DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe 2028 devoptiec.exe 1008 [DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe 2028 devoptiec.exe 1008 [DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe 2028 devoptiec.exe 1008 [DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe 2028 devoptiec.exe 1008 [DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe 2028 devoptiec.exe 1008 [DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe 2028 devoptiec.exe 1008 [DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe 2028 devoptiec.exe 1008 [DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe 2028 devoptiec.exe 1008 [DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe 2028 devoptiec.exe 1008 [DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe 2028 devoptiec.exe 1008 [DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe 2028 devoptiec.exe 1008 [DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe 2028 devoptiec.exe 1008 [DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe 2028 devoptiec.exe 1008 [DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe 2028 devoptiec.exe 1008 [DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe 2028 devoptiec.exe 1008 [DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe 2028 devoptiec.exe 1008 [DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe 2028 devoptiec.exe 1008 [DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe 2028 devoptiec.exe 1008 [DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe 2028 devoptiec.exe 1008 [DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1008 wrote to memory of 2028 1008 [DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe 28 PID 1008 wrote to memory of 2028 1008 [DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe 28 PID 1008 wrote to memory of 2028 1008 [DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe 28 PID 1008 wrote to memory of 2028 1008 [DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\[DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe"C:\Users\Admin\AppData\Local\Temp\[DemonArchives]6a1fe8f4fbbc726b6ee093b2688a33a6.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1008 -
C:\FilesTW\devoptiec.exeC:\FilesTW\devoptiec.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2028
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.6MB
MD57a9cd892eaa401cf4a056ef100c29fca
SHA1b48cd571d5b5e161a280c5444ef781db28fc633f
SHA256ee48a33ece0260c99a884299ecfd6fcc48aec3061f1bd33c0e6bf79e96d9ceec
SHA5122e8b13aa40c575f63765f017d1a8670eff029bb60d3a7fbeccf8b8aca49a029de8b4ab010cb9388e7fe2792cc5e39d58b6453d706cb097235c4756689e5060d1
-
Filesize
205B
MD549232c917b6af846c4be6d4bf598657b
SHA1080ef63542e657903a61e21993a6dcd1300cf8bf
SHA25623b1d9932ac0c6d587f06a1a797f88ae6c4eb3a3fa09742a4bc49789e38968a1
SHA512ff475be70ccc7c982991bc37286181c99f01b17bc7c2f4b212382fc12e30feb7bb9c0a31a153150d08c9c47cb89871c2ecb5e648437f820162da83912f35de20
-
Filesize
2.6MB
MD5e6750ce34eeeb06a899b18485c97f4d5
SHA19e6a0be7586f854a8c46ef9540ff7e945e5ae45a
SHA2569bd101ce9b9c7ef0b883adaadd7a0d48109687a2803c48bd730c52cf859f3999
SHA5120f412acb47505a1bb1aaf2669d7bdbaa3c0a55ece1f2e01f43f5a02ed6b6cd22da7d7111ac97e4540038f5d3886e60447eb6e7d4b78dadb0e775edd5c7571aac