df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 06:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3.exe
Size

2.7MB
MD5

de77487d2efce6397be03ee0f58fc4d5
SHA1

a48e7c7e43df1b43cf24fa0f0acd4cf245cd2f42
SHA256

df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3
SHA512

f7f514a269411f6c06869c7b9c6b216d80c6458954a9973ac3003428d30c25db0c6d9450a63f255638224917db92a0dfdb1f9c9080ea800ecb5c8b9c108544c0
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBm9w4Sx:+R0pI/IQlUoMPdmpSpw4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1464	devoptiec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintYJ\\bodaloc.exe"	df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesWD\\devoptiec.exe"	df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2864	df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3.exe
2864	df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3.exe
2864	df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3.exe
2864	df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3.exe
1464	devoptiec.exe
1464	devoptiec.exe
2864	df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3.exe
2864	df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3.exe
1464	devoptiec.exe
1464	devoptiec.exe
2864	df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3.exe
2864	df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3.exe
1464	devoptiec.exe
1464	devoptiec.exe
2864	df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3.exe
2864	df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3.exe
1464	devoptiec.exe
1464	devoptiec.exe
2864	df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3.exe
2864	df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3.exe
1464	devoptiec.exe
1464	devoptiec.exe
2864	df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3.exe
2864	df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3.exe
1464	devoptiec.exe
1464	devoptiec.exe
2864	df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3.exe
2864	df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3.exe
1464	devoptiec.exe
1464	devoptiec.exe
2864	df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3.exe
2864	df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3.exe
1464	devoptiec.exe
1464	devoptiec.exe
2864	df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3.exe
2864	df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3.exe
1464	devoptiec.exe
1464	devoptiec.exe
2864	df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3.exe
2864	df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3.exe
1464	devoptiec.exe
1464	devoptiec.exe
2864	df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3.exe
2864	df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3.exe
1464	devoptiec.exe
1464	devoptiec.exe
2864	df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3.exe
2864	df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3.exe
1464	devoptiec.exe
1464	devoptiec.exe
2864	df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3.exe
2864	df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3.exe
1464	devoptiec.exe
1464	devoptiec.exe
2864	df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3.exe
2864	df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3.exe
1464	devoptiec.exe
1464	devoptiec.exe
2864	df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3.exe
2864	df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3.exe
1464	devoptiec.exe
1464	devoptiec.exe
2864	df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3.exe
2864	df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 1464	2864	df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3.exe	86
PID 2864 wrote to memory of 1464	2864	df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3.exe	86
PID 2864 wrote to memory of 1464	2864	df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3.exe	86

C:\Users\Admin\AppData\Local\Temp\df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3.exe
"C:\Users\Admin\AppData\Local\Temp\df3c4b0cc35e06564e446c37d55901e4dda672aad9ca02a5ccef8c210153f0e3.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2864
- C:\FilesWD\devoptiec.exe
  C:\FilesWD\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesWD\devoptiec.exe

Filesize
2.7MB

MD5
23e07487ed978efc925a042ab5c9965f

SHA1
3c6cd23c1364e787185fd9aa93f5e44aa56d44fe

SHA256
f3040345a23f1eaedd78a3258a5fa477a944942f61cb5b650c9d27cf25eca0de

SHA512
b9846aa2108aa2c6d30e36e8a62a567e196467ec686d94a0e1cf1e9775ebfcb18efe089b062d40ede223089c8686fd69ffb0aaa84ef89cab85097f5868e37387

Download Submit
C:\MintYJ\bodaloc.exe

Filesize
19KB

MD5
00be87687e8dd824b72e7eb439a12c6e

SHA1
16d3628dc1cab4d9c12b33306728a64f858d112b

SHA256
71a3490eaf0625f1e136809ab0478b30f7d1ab119655b591537615f2e50acf9f

SHA512
3fade0e71133fc6873cf7d5bc2b3b24b3bea774083a804abcd727f891fe313bb0a99165d488e3bfe6bea59137f3ad6ab91486c983f8639e6dc3543145c8db3a0

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
0214cdf43999e11d730240290627d95b

SHA1
728c3394fafbb381d03ba7912728c75a58cbdb8c

SHA256
e6a1c9ee4f2d525de684509e19b2ae6bc1fe8e9565276b4c99781bf8e8a96525

SHA512
266a32b531f43eef2ec1551065fa71944c2242d01a69c2e471bf8b7c4e021ea2c1601a2301b3546bdddb1de87d87b7ace3d8dcfff2329e29c0587d29674b3b0a

Download Submit