ecfad2dfffe144d9f5b5e13da46c6709104854e717a6cca0518b5e8e64c0533c

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11-07-2024 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

108e12d3209a3080919432c34f4428c0N.exe
Size

2.7MB
MD5

108e12d3209a3080919432c34f4428c0
SHA1

2f8ec9efd32b54e0ee219e0b155455b2304b9afa
SHA256

ecfad2dfffe144d9f5b5e13da46c6709104854e717a6cca0518b5e8e64c0533c
SHA512

4bb2d4f698639356ac9188273fb571501b72f7fcec8605481506fa7ba4d616d2f14529bd2371f3830297fa00462c3f140461ad76657a857fe689aff075a8a446
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBI9w4Sx:+R0pI/IQlUoMPdmpSpW4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2944	devoptiloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2256	108e12d3209a3080919432c34f4428c0N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotN2\\devoptiloc.exe"	108e12d3209a3080919432c34f4428c0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZGR\\dobdevloc.exe"	108e12d3209a3080919432c34f4428c0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2256	108e12d3209a3080919432c34f4428c0N.exe
2256	108e12d3209a3080919432c34f4428c0N.exe
2944	devoptiloc.exe
2256	108e12d3209a3080919432c34f4428c0N.exe
2944	devoptiloc.exe
2256	108e12d3209a3080919432c34f4428c0N.exe
2944	devoptiloc.exe
2256	108e12d3209a3080919432c34f4428c0N.exe
2944	devoptiloc.exe
2256	108e12d3209a3080919432c34f4428c0N.exe
2944	devoptiloc.exe
2256	108e12d3209a3080919432c34f4428c0N.exe
2944	devoptiloc.exe
2256	108e12d3209a3080919432c34f4428c0N.exe
2944	devoptiloc.exe
2256	108e12d3209a3080919432c34f4428c0N.exe
2944	devoptiloc.exe
2256	108e12d3209a3080919432c34f4428c0N.exe
2944	devoptiloc.exe
2256	108e12d3209a3080919432c34f4428c0N.exe
2944	devoptiloc.exe
2256	108e12d3209a3080919432c34f4428c0N.exe
2944	devoptiloc.exe
2256	108e12d3209a3080919432c34f4428c0N.exe
2944	devoptiloc.exe
2256	108e12d3209a3080919432c34f4428c0N.exe
2944	devoptiloc.exe
2256	108e12d3209a3080919432c34f4428c0N.exe
2944	devoptiloc.exe
2256	108e12d3209a3080919432c34f4428c0N.exe
2944	devoptiloc.exe
2256	108e12d3209a3080919432c34f4428c0N.exe
2944	devoptiloc.exe
2256	108e12d3209a3080919432c34f4428c0N.exe
2944	devoptiloc.exe
2256	108e12d3209a3080919432c34f4428c0N.exe
2944	devoptiloc.exe
2256	108e12d3209a3080919432c34f4428c0N.exe
2944	devoptiloc.exe
2256	108e12d3209a3080919432c34f4428c0N.exe
2944	devoptiloc.exe
2256	108e12d3209a3080919432c34f4428c0N.exe
2944	devoptiloc.exe
2256	108e12d3209a3080919432c34f4428c0N.exe
2944	devoptiloc.exe
2256	108e12d3209a3080919432c34f4428c0N.exe
2944	devoptiloc.exe
2256	108e12d3209a3080919432c34f4428c0N.exe
2944	devoptiloc.exe
2256	108e12d3209a3080919432c34f4428c0N.exe
2944	devoptiloc.exe
2256	108e12d3209a3080919432c34f4428c0N.exe
2944	devoptiloc.exe
2256	108e12d3209a3080919432c34f4428c0N.exe
2944	devoptiloc.exe
2256	108e12d3209a3080919432c34f4428c0N.exe
2944	devoptiloc.exe
2256	108e12d3209a3080919432c34f4428c0N.exe
2944	devoptiloc.exe
2256	108e12d3209a3080919432c34f4428c0N.exe
2944	devoptiloc.exe
2256	108e12d3209a3080919432c34f4428c0N.exe
2944	devoptiloc.exe
2256	108e12d3209a3080919432c34f4428c0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2944	2256	108e12d3209a3080919432c34f4428c0N.exe	30
PID 2256 wrote to memory of 2944	2256	108e12d3209a3080919432c34f4428c0N.exe	30
PID 2256 wrote to memory of 2944	2256	108e12d3209a3080919432c34f4428c0N.exe	30
PID 2256 wrote to memory of 2944	2256	108e12d3209a3080919432c34f4428c0N.exe	30

C:\Users\Admin\AppData\Local\Temp\108e12d3209a3080919432c34f4428c0N.exe
"C:\Users\Admin\AppData\Local\Temp\108e12d3209a3080919432c34f4428c0N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2256
- C:\UserDotN2\devoptiloc.exe
  C:\UserDotN2\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZGR\dobdevloc.exe

Filesize
2.7MB

MD5
b6e78c5cb9c573161be29c6c12cec046

SHA1
aca6d67d7db4f4d3b97d316482588c94ffd4b554

SHA256
14f59e38b284eed7981507d57e95d93726927db102b25dac302ee3ef88e09740

SHA512
81ca1b5cc95f257a229a071b33e9ea2c30166e743f246aa7864d6a8c32c5f348cd21b23bc1f24e1b42326efca9f69e3a30ed873f6231bf5eb10832f26ac36659

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
208B

MD5
a4d4145608f9af7624f87f37af2824af

SHA1
4c891219718e2cbd31eaef60842322433fff2928

SHA256
e3eb7935b2304fc778520e13341f2bd5a6264054cc5afe10433eb611e38b8832

SHA512
06eba2d854aa201c2d0a5ef770c7a416b64469d8e1fe148b879d6fb126d582157bfab694d599ff5de90a7bb421c925a1bd244ab0e762a68de7dfbc06db71a50c

Download Submit
\UserDotN2\devoptiloc.exe

Filesize
2.7MB

MD5
4a6609c568dfdf3e068a1997597a8514

SHA1
e2950fe9667ed8a4fa450e2b09284b1089ee05af

SHA256
be0d6d6117afc4a9ef85c9756d63b5a5a2883914126981bc261a83b4aa04df7f

SHA512
024211090896fa6c48fb359dcbe3a29878ffa74d553c352d6747dba4fd7ae2a399ed53bf0a49058d5aa82ddd4f60a2ae305ef60a7a03f816a3fff2f550f0f2da

Download Submit