395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb

Analysis

max time kernel
145s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 04:31 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
Size

2.7MB
MD5

3978ba71e3e4d5739e2223a3cacbb220
SHA1

0864addd0f5d750babfaca987db7dcd6c85cbc3a
SHA256

395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb
SHA512

56f4f78ca7f568a7cb9e999725d28573d425a178d984920c3981440ac087a234f5e02e8d04f3de343abb0db21b22465e0c3ffe71dc26cd8a845928174deaa31f
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBQ9w4Sx:+R0pI/IQlUoMPdmpSpe4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1680	devoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvD7\\devoptisys.exe"	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBLJ\\dobxloc.exe"	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
4856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
4856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
4856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
1680	devoptisys.exe
1680	devoptisys.exe
4856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
4856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
1680	devoptisys.exe
1680	devoptisys.exe
4856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
4856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
1680	devoptisys.exe
1680	devoptisys.exe
4856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
4856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
1680	devoptisys.exe
1680	devoptisys.exe
4856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
4856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
1680	devoptisys.exe
1680	devoptisys.exe
4856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
4856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
1680	devoptisys.exe
1680	devoptisys.exe
4856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
4856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
1680	devoptisys.exe
1680	devoptisys.exe
4856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
4856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
1680	devoptisys.exe
1680	devoptisys.exe
4856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
4856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
1680	devoptisys.exe
1680	devoptisys.exe
4856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
4856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
1680	devoptisys.exe
1680	devoptisys.exe
4856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
4856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
1680	devoptisys.exe
1680	devoptisys.exe
4856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
4856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
1680	devoptisys.exe
1680	devoptisys.exe
4856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
4856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
1680	devoptisys.exe
1680	devoptisys.exe
4856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
4856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
1680	devoptisys.exe
1680	devoptisys.exe
4856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
4856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
1680	devoptisys.exe
1680	devoptisys.exe
4856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
4856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 1680	4856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe	83
PID 4856 wrote to memory of 1680	4856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe	83
PID 4856 wrote to memory of 1680	4856	395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe	83

C:\Users\Admin\AppData\Local\Temp\395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe
"C:\Users\Admin\AppData\Local\Temp\395a08e5d6cc7e9bf6d13977510fdfd86544d0377ccf4a9f122a61080b8e66fb.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4856
- C:\SysDrvD7\devoptisys.exe
  C:\SysDrvD7\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1680

Network

DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=22ab75f8b8de4d74964cf76610f9fce8&localId=w:A722701F-1589-5EDD-8B83-701925E7ACC0&deviceId=6755471616861629&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=22ab75f8b8de4d74964cf76610f9fce8&localId=w:A722701F-1589-5EDD-8B83-701925E7ACC0&deviceId=6755471616861629&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=1736153D92A9605B1B20018E93126160; domain=.bing.com; expires=Wed, 30-Jul-2025 06:00:54 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E943194967EC4BF99701DFD8A7089F38 Ref B: LON04EDGE0807 Ref C: 2024-07-05T06:00:54Z
date: Fri, 05 Jul 2024 06:00:53 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=22ab75f8b8de4d74964cf76610f9fce8&localId=w:A722701F-1589-5EDD-8B83-701925E7ACC0&deviceId=6755471616861629&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=22ab75f8b8de4d74964cf76610f9fce8&localId=w:A722701F-1589-5EDD-8B83-701925E7ACC0&deviceId=6755471616861629&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=1736153D92A9605B1B20018E93126160

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=fJMicEYrn_WpkCGKAJYOBxjCPlMXKwEI45xMjjW2YuY; domain=.bing.com; expires=Wed, 30-Jul-2025 06:00:54 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A0196D37D1D74232A49C2741EB57E997 Ref B: LON04EDGE0807 Ref C: 2024-07-05T06:00:54Z
date: Fri, 05 Jul 2024 06:00:53 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=22ab75f8b8de4d74964cf76610f9fce8&localId=w:A722701F-1589-5EDD-8B83-701925E7ACC0&deviceId=6755471616861629&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=22ab75f8b8de4d74964cf76610f9fce8&localId=w:A722701F-1589-5EDD-8B83-701925E7ACC0&deviceId=6755471616861629&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=1736153D92A9605B1B20018E93126160; MSPTC=fJMicEYrn_WpkCGKAJYOBxjCPlMXKwEI45xMjjW2YuY

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 52A0C2247EFB4170BEFB968C60E527D2 Ref B: LON04EDGE0807 Ref C: 2024-07-05T06:00:54Z
date: Fri, 05 Jul 2024 06:00:53 GMT
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

71.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

71.159.190.20.in-addr.arpa

IN PTR

Response
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR
DNS

13.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.227.111.52.in-addr.arpa

IN PTR

Response

204.79.197.237:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=22ab75f8b8de4d74964cf76610f9fce8&localId=w:A722701F-1589-5EDD-8B83-701925E7ACC0&deviceId=6755471616861629&anid=

tls, http2

2.0kB
9.3kB
22
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=22ab75f8b8de4d74964cf76610f9fce8&localId=w:A722701F-1589-5EDD-8B83-701925E7ACC0&deviceId=6755471616861629&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=22ab75f8b8de4d74964cf76610f9fce8&localId=w:A722701F-1589-5EDD-8B83-701925E7ACC0&deviceId=6755471616861629&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=22ab75f8b8de4d74964cf76610f9fce8&localId=w:A722701F-1589-5EDD-8B83-701925E7ACC0&deviceId=6755471616861629&anid=

HTTP Response

204

8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

71.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

71.159.190.20.in-addr.arpa
8.8.8.8:53

88.156.103.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

88.156.103.20.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

148 B
128 B
2
1

DNS Request

172.214.232.199.in-addr.arpa

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

13.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

13.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBLJ\dobxloc.exe

Filesize
12KB

MD5
feeedd3354f177149f741107f13a4982

SHA1
cb06dad3e7e058cf1e0b70f7a65cf976c0788a03

SHA256
e41e3123e8e9ac8e60645f2aa2fff981f18852c6b50eae899f0dc5028d75d090

SHA512
d5587069b6f506946ecd309e9a4caa55abbcb746a2ace963c3a99c8ca121f194f2c7bbf26e129dc089576cfb904b728b8a2981925b735e6a5788e5e3a5e80dae

Download Submit
C:\SysDrvD7\devoptisys.exe

Filesize
2.5MB

MD5
3a8b1ec44d7b4248aef27aae343ab79d

SHA1
0e48686a644b9f8794edb940785c32e380c6fa7c

SHA256
049196e2b13844f957e39db31875833153e4a56751844810104f6a48e6f798fe

SHA512
3f4e719a095b9b061a2439f2cc87e409d13eb81ae495da263a3d8a781d874e8aac628760f9dbe862d47dcf4696670de0a615fa78cfa30f0f2275c18705467474

Download Submit
C:\SysDrvD7\devoptisys.exe

Filesize
2.2MB

MD5
cfac6cd2d54a0e39ab15c57202534d22

SHA1
5fadb5c1030cc3de09e367d8496ceaad2de1e68a

SHA256
2e040420b7ba980036c6719a5f1b7bd4d9633a01e66c6091404ac6943db00150

SHA512
b69c39ec43dd878aa5bf0db49d010febff878ee75b3da78ed259406d0d746b63bab792ed864eabe2bf57090c49e5bfdb1f7ed92a5f3719d739f4c079b8508801

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
e346416b1a4df656205e2e790f9542d9

SHA1
b63de66c9fc8e11569781cd743dab7d0f5553609

SHA256
c12bcd2765b8e08e531806f2874ba113bccb95b5542709f8eb860cda259613e4

SHA512
c7eca9cac9e13f6041839349c2808d195a932d8ce1bf7440b83bfa1c602d57c4ceed1e4caba189a306e32f98dc436f6bdc29171e4fedca692eed1c2ae1b54d37

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.