1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c

Analysis

max time kernel
150s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
Size

2.7MB
MD5

696f4b8fe87dcb8e1d82c1c0d27a2a13
SHA1

b492c3213ef11dbb30c5ac6a154a9d8577cb7466
SHA256

1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c
SHA512

290e4bbc9ed6a768a1156d33dbfc3ca6bafd4ce89bfc88201ebed27f1df7843e88d006d4ba586ea885a3203404daa801b33377559cc9b8bfadb090e07031fc20
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB69w4Sx:+R0pI/IQlUoMPdmpSpw4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3052	devoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc0K\\devoptisys.exe"	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZPE\\dobaec.exe"	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1168	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
1168	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
1168	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
1168	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
3052	devoptisys.exe
3052	devoptisys.exe
1168	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
1168	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
3052	devoptisys.exe
3052	devoptisys.exe
1168	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
1168	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
3052	devoptisys.exe
3052	devoptisys.exe
1168	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
1168	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
3052	devoptisys.exe
3052	devoptisys.exe
1168	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
1168	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
3052	devoptisys.exe
3052	devoptisys.exe
1168	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
1168	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
3052	devoptisys.exe
3052	devoptisys.exe
1168	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
1168	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
3052	devoptisys.exe
3052	devoptisys.exe
1168	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
1168	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
3052	devoptisys.exe
3052	devoptisys.exe
1168	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
1168	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
3052	devoptisys.exe
3052	devoptisys.exe
1168	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
1168	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
3052	devoptisys.exe
3052	devoptisys.exe
1168	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
1168	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
3052	devoptisys.exe
3052	devoptisys.exe
1168	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
1168	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
3052	devoptisys.exe
3052	devoptisys.exe
1168	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
1168	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
3052	devoptisys.exe
3052	devoptisys.exe
1168	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
1168	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
3052	devoptisys.exe
3052	devoptisys.exe
1168	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
1168	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
3052	devoptisys.exe
3052	devoptisys.exe
1168	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
1168	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 3052	1168	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe	84
PID 1168 wrote to memory of 3052	1168	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe	84
PID 1168 wrote to memory of 3052	1168	1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe	84

C:\Users\Admin\AppData\Local\Temp\1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe
"C:\Users\Admin\AppData\Local\Temp\1a8999fb680764ca06ff32f8ca2f3a10104e5aa3ef677a4066656d54e7f1987c.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Intelproc0K\devoptisys.exe
  C:\Intelproc0K\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc0K\devoptisys.exe

Filesize
2.7MB

MD5
4fede4f989371fe393fbf58c959b500c

SHA1
add2fda2e6828508352759618f7f127352084e02

SHA256
0a1dec255b1166c6ed3caa7eca8969143401ae3ba25d27a352f89488b89cf755

SHA512
3e13da61caba5e28cb5dbb3932176ab8cd88922438a1b71bba197b7f0a0bc95d73816c4ae34c315790ca66da39a8f2922347889222132325acbc0da606a65eec

Download Submit
C:\LabZPE\dobaec.exe

Filesize
2.7MB

MD5
0ed241abc01f14766d71e105924ebe60

SHA1
e2d495c69e0fc09c116807ec5427222aa8c4360e

SHA256
904b7a6ddfdf4f265ad8734ea840a7daea89f7042ee57937f93ac0f35cb4a58f

SHA512
888e1ac5df9147d0e5d221f0220a97b6ac0343a1d52599ca685e7227ec1003bff1ccd909ba478eecfd47dda50a0e199608ab2e12004e9c077e21ae882bc5fa08

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
207B

MD5
378ca34976a46f097a5a073e674d5b02

SHA1
92bf94e6220ccbba202063fec9733f4848348e90

SHA256
9c1eb065b6066a2c0c7c1a2a5595bf94d748d722cda755b157bcf0052ec82d9e

SHA512
1723f055f61462b5b737cebe9cb3811b84083a2649d6a28aca2b813f3745c3c7885ddca85eb2bc2b583b779036072798786ff46ba3da186299d385928fe0f532

Download Submit