382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe
Size

2.7MB
MD5

3d61daed083cfe0dea269ce8337655bb
SHA1

90e1a8a24d27a5ae607c7997fe68d2117bd5c6b8
SHA256

382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5
SHA512

4d6cb7b08bf61f5b73e35f48fbfd4085409167c5b54822a439fd34a6949a6948fec52fccf0d71dc2d369ddc357c841739553f1df7e92c2dbd1496cf7a6d5bd2b
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBr9w4Sx:+R0pI/IQlUoMPdmpSpH4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2120	devoptiloc.exe

Loads dropped DLL 1 IoCs

pid	Process
1628	382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesB5\\devoptiloc.exe"	382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintB7\\optialoc.exe"	382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1628	382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe
1628	382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe
2120	devoptiloc.exe
1628	382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe
2120	devoptiloc.exe
1628	382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe
2120	devoptiloc.exe
1628	382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe
2120	devoptiloc.exe
1628	382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe
2120	devoptiloc.exe
1628	382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe
2120	devoptiloc.exe
1628	382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe
2120	devoptiloc.exe
1628	382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe
2120	devoptiloc.exe
1628	382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe
2120	devoptiloc.exe
1628	382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe
2120	devoptiloc.exe
1628	382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe
2120	devoptiloc.exe
1628	382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe
2120	devoptiloc.exe
1628	382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe
2120	devoptiloc.exe
1628	382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe
2120	devoptiloc.exe
1628	382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe
2120	devoptiloc.exe
1628	382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe
2120	devoptiloc.exe
1628	382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe
2120	devoptiloc.exe
1628	382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe
2120	devoptiloc.exe
1628	382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe
2120	devoptiloc.exe
1628	382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe
2120	devoptiloc.exe
1628	382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe
2120	devoptiloc.exe
1628	382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe
2120	devoptiloc.exe
1628	382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe
2120	devoptiloc.exe
1628	382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe
2120	devoptiloc.exe
1628	382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe
2120	devoptiloc.exe
1628	382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe
2120	devoptiloc.exe
1628	382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe
2120	devoptiloc.exe
1628	382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe
2120	devoptiloc.exe
1628	382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe
2120	devoptiloc.exe
1628	382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe
2120	devoptiloc.exe
1628	382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe
2120	devoptiloc.exe
1628	382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 2120	1628	382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe	30
PID 1628 wrote to memory of 2120	1628	382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe	30
PID 1628 wrote to memory of 2120	1628	382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe	30
PID 1628 wrote to memory of 2120	1628	382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe	30

C:\Users\Admin\AppData\Local\Temp\382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe
"C:\Users\Admin\AppData\Local\Temp\382482bb7b557e5153f019bb8c90e6732d3f6815151ebefcb506c21013083ce5.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1628
- C:\FilesB5\devoptiloc.exe
  C:\FilesB5\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintB7\optialoc.exe

Filesize
94KB

MD5
4dd49a2725facbe796f664b97341059c

SHA1
bfcd7920826b0e50363316f830d8974920244238

SHA256
37b9c71a7ced656661c01cda7f0958fd799b15a4ab4ee99ca0bbf7fe525a93f4

SHA512
2e5ea8d8d9e86b7dddcfd6024ecb8a7c363ef1d27ded4036f56aadb77bf1a8fd04eac68f2acd6690bf68da5cefefaf8a067409dd4e02d852f4df7099fc613e46

Download Submit
C:\MintB7\optialoc.exe

Filesize
2.7MB

MD5
68397cf321054877ec7f24261c29ece2

SHA1
01d50adb7b050cc372596ef63a74c9dad10466b3

SHA256
fa30be1764224b7e160031673181f811b76130895f17c58166b2f5e6a20d2482

SHA512
7df243c967cd3c2b483cf33ba77318ebacb48b6864da1c7f71d968736dfdb9e2548d5c5ba7d8e68cf16bda7b3ff81eb67cbef3cd258c2202d66508472d2555a6

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
273a8398dcf4f58e8a5620394f389e9f

SHA1
c7f9737c1988aca01609eecc2062d3f571202e19

SHA256
7162f0f512540612aa74ac159cf087aa9c601f13dd94e09932afdfac22fadf75

SHA512
60bf81d0c294728b5330dfeda1a494d0c5cccf0f1b46ebb6af2272db1c45f4544d5635fa8cee91b99bdd4f9055a24812199a942c1a36ecc0f03010819f815d31

Download Submit
\FilesB5\devoptiloc.exe

Filesize
2.7MB

MD5
fa661d848c9cdd8b81574d84e2d854e3

SHA1
0ff76440dab021cf6cfbf1c9e8e40d7a76aba051

SHA256
8413daf4568021c93f1835e32ec20b6227ab73161729b8bc94be31ed7b2accb9

SHA512
6d1f52cdafc42dad1cc4ccefb00f99381bc952e4c10896f5ae1183286503c8e03fa37a9a9e3d74598935023f8d7979ef70012ad1d0b19ab8842c83ed57b02548

Download Submit