ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
Size

2.7MB
MD5

611a2e9538ac48e61ba3fbc789bc45ee
SHA1

4f525587a4873501b28c2ecf23b1edbe7826a7af
SHA256

ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348
SHA512

a061d4e797adcf632ddd1680921856c4df43361e4a65c3cefcda0753ab64816a87b89fac2df3feb0f92152222b50baf7b0c6ca773858e3fae840bdb0103b34d0
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBP9w4Sx:+R0pI/IQlUoMPdmpSpP4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2720	devoptiloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2824	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot8Q\\devoptiloc.exe"	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBIF\\bodasys.exe"	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2824	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
2824	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
2720	devoptiloc.exe
2824	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
2720	devoptiloc.exe
2824	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
2720	devoptiloc.exe
2824	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
2720	devoptiloc.exe
2824	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
2720	devoptiloc.exe
2824	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
2720	devoptiloc.exe
2824	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
2720	devoptiloc.exe
2824	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
2720	devoptiloc.exe
2824	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
2720	devoptiloc.exe
2824	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
2720	devoptiloc.exe
2824	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
2720	devoptiloc.exe
2824	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
2720	devoptiloc.exe
2824	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
2720	devoptiloc.exe
2824	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
2720	devoptiloc.exe
2824	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
2720	devoptiloc.exe
2824	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
2720	devoptiloc.exe
2824	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
2720	devoptiloc.exe
2824	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
2720	devoptiloc.exe
2824	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
2720	devoptiloc.exe
2824	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
2720	devoptiloc.exe
2824	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
2720	devoptiloc.exe
2824	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
2720	devoptiloc.exe
2824	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
2720	devoptiloc.exe
2824	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
2720	devoptiloc.exe
2824	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
2720	devoptiloc.exe
2824	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
2720	devoptiloc.exe
2824	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
2720	devoptiloc.exe
2824	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
2720	devoptiloc.exe
2824	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
2720	devoptiloc.exe
2824	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
2720	devoptiloc.exe
2824	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
2720	devoptiloc.exe
2824	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2720	2824	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe	30
PID 2824 wrote to memory of 2720	2824	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe	30
PID 2824 wrote to memory of 2720	2824	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe	30
PID 2824 wrote to memory of 2720	2824	ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe	30

C:\Users\Admin\AppData\Local\Temp\ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe
"C:\Users\Admin\AppData\Local\Temp\ec7fc9ba18e1984f05014245e1488ad2fb2eea78434d21d7567e3d4363351348.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2824
- C:\UserDot8Q\devoptiloc.exe
  C:\UserDot8Q\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBIF\bodasys.exe

Filesize
211KB

MD5
06ecc9e99a04963789afb5902a6c04aa

SHA1
06dd2e450b5d400eed9ab8c60eda36527a0304ba

SHA256
2415b409e744925cab26b4a6f6675778f3f09967d3b079d6c606a2b890b1efff

SHA512
d1ea46af92ed6b19fc16e60f99382077d918b5b3184fe6b751738e9292546269485acceab3a68dd3b35f8c4db02ede7ab665e097702953f2a9a0b377d77d93fa

Download Submit
C:\KaVBIF\bodasys.exe

Filesize
2.7MB

MD5
4c7f454f8e928f0c33ab7888ab11219a

SHA1
46bb29bb4f2b182890ab73b54000f2b4597b6ad9

SHA256
fc4f1e0c6fac82256d7a840699fe2f15e702b1054a2b11bf08b4bf709348ea80

SHA512
3d3acacc098b009e02000559511ff28307535d88f37a995f631995a1c567181c91cb67d29f24f76a2bb82fde8bdccb15fa1c9f531e0f189ef8dd571805ada9e4

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
eb1809d5a72467470949c30c3124803f

SHA1
5657b23c2088caafc43945174cc9db47abdba833

SHA256
ea54ae745e30b8c7e2b56728fb2ecf3e349c10a85ee88048d9099377b490bec9

SHA512
186ee2f3a0415380bffef68eed732911937c07260a72d12fc7f7f9910b04dbc5d263e7cdb666bed917bcb33187952a5a514b28beec7c12a4eccbe19a72cd37ce

Download Submit
\UserDot8Q\devoptiloc.exe

Filesize
2.7MB

MD5
ddbf1a98ea14de6c6e288389379661a9

SHA1
13e844701005aaa005cf3fd407b6624cef22290e

SHA256
49ad86a7497ca5edce28db02d601bc5fc07771ee24c04e3120f98632395c5791

SHA512
db2d1a145794a0002fc770a69f971300c1fa3412d82d059f11b1fa0eb8917e488ba055424555d8edc0944582ffe5161f9c39552799f71363054e33fc90c63175

Download Submit