b7cee677174a25d161a57b9e0dab8a877c82260191d7d079f88e54a94785ca09

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f07394a87e9bc585eb768dea0bdf090N.exe
Size

3.1MB
MD5

3f07394a87e9bc585eb768dea0bdf090
SHA1

d0482a79d960741fb5bc558e0359f44dd01a1b05
SHA256

b7cee677174a25d161a57b9e0dab8a877c82260191d7d079f88e54a94785ca09
SHA512

d63409fd929e57e795ae86215cca8499c65aa894986062e7f21b6bbc04c4b6daa5c7f9445897e353d2f32e4c0836795141d88357cdf6eef09d438ea01a9ab853
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBU9w4Su+LNfej:+R0pI/IQlUoMPdmpSp64JkNfej

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2684	devoptiloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2760	3f07394a87e9bc585eb768dea0bdf090N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxJN\\bodasys.exe"	3f07394a87e9bc585eb768dea0bdf090N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc2H\\devoptiloc.exe"	3f07394a87e9bc585eb768dea0bdf090N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2760	3f07394a87e9bc585eb768dea0bdf090N.exe
2760	3f07394a87e9bc585eb768dea0bdf090N.exe
2684	devoptiloc.exe
2760	3f07394a87e9bc585eb768dea0bdf090N.exe
2684	devoptiloc.exe
2760	3f07394a87e9bc585eb768dea0bdf090N.exe
2684	devoptiloc.exe
2760	3f07394a87e9bc585eb768dea0bdf090N.exe
2684	devoptiloc.exe
2760	3f07394a87e9bc585eb768dea0bdf090N.exe
2684	devoptiloc.exe
2760	3f07394a87e9bc585eb768dea0bdf090N.exe
2684	devoptiloc.exe
2760	3f07394a87e9bc585eb768dea0bdf090N.exe
2684	devoptiloc.exe
2760	3f07394a87e9bc585eb768dea0bdf090N.exe
2684	devoptiloc.exe
2760	3f07394a87e9bc585eb768dea0bdf090N.exe
2684	devoptiloc.exe
2760	3f07394a87e9bc585eb768dea0bdf090N.exe
2684	devoptiloc.exe
2760	3f07394a87e9bc585eb768dea0bdf090N.exe
2684	devoptiloc.exe
2760	3f07394a87e9bc585eb768dea0bdf090N.exe
2684	devoptiloc.exe
2760	3f07394a87e9bc585eb768dea0bdf090N.exe
2684	devoptiloc.exe
2760	3f07394a87e9bc585eb768dea0bdf090N.exe
2684	devoptiloc.exe
2760	3f07394a87e9bc585eb768dea0bdf090N.exe
2684	devoptiloc.exe
2760	3f07394a87e9bc585eb768dea0bdf090N.exe
2684	devoptiloc.exe
2760	3f07394a87e9bc585eb768dea0bdf090N.exe
2684	devoptiloc.exe
2760	3f07394a87e9bc585eb768dea0bdf090N.exe
2684	devoptiloc.exe
2760	3f07394a87e9bc585eb768dea0bdf090N.exe
2684	devoptiloc.exe
2760	3f07394a87e9bc585eb768dea0bdf090N.exe
2684	devoptiloc.exe
2760	3f07394a87e9bc585eb768dea0bdf090N.exe
2684	devoptiloc.exe
2760	3f07394a87e9bc585eb768dea0bdf090N.exe
2684	devoptiloc.exe
2760	3f07394a87e9bc585eb768dea0bdf090N.exe
2684	devoptiloc.exe
2760	3f07394a87e9bc585eb768dea0bdf090N.exe
2684	devoptiloc.exe
2760	3f07394a87e9bc585eb768dea0bdf090N.exe
2684	devoptiloc.exe
2760	3f07394a87e9bc585eb768dea0bdf090N.exe
2684	devoptiloc.exe
2760	3f07394a87e9bc585eb768dea0bdf090N.exe
2684	devoptiloc.exe
2760	3f07394a87e9bc585eb768dea0bdf090N.exe
2684	devoptiloc.exe
2760	3f07394a87e9bc585eb768dea0bdf090N.exe
2684	devoptiloc.exe
2760	3f07394a87e9bc585eb768dea0bdf090N.exe
2684	devoptiloc.exe
2760	3f07394a87e9bc585eb768dea0bdf090N.exe
2684	devoptiloc.exe
2760	3f07394a87e9bc585eb768dea0bdf090N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 2684	2760	3f07394a87e9bc585eb768dea0bdf090N.exe	31
PID 2760 wrote to memory of 2684	2760	3f07394a87e9bc585eb768dea0bdf090N.exe	31
PID 2760 wrote to memory of 2684	2760	3f07394a87e9bc585eb768dea0bdf090N.exe	31
PID 2760 wrote to memory of 2684	2760	3f07394a87e9bc585eb768dea0bdf090N.exe	31

C:\Users\Admin\AppData\Local\Temp\3f07394a87e9bc585eb768dea0bdf090N.exe
"C:\Users\Admin\AppData\Local\Temp\3f07394a87e9bc585eb768dea0bdf090N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Intelproc2H\devoptiloc.exe
  C:\Intelproc2H\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxJN\bodasys.exe

Filesize
3.1MB

MD5
63967863644c8f3a5acf421b3d3b599d

SHA1
8f321af23d7585ba6d8ec432c00492ba3c9038bd

SHA256
f504995a1a8482211936e0f157f00f3b25092b5b29f6c2d6b38ad1722e481efb

SHA512
38615c9bc7d05e5b66589d3ffe9fd6c0baf97ed5d1cac33cfec4a419819adf6904ef7692494314b9820092bbaca9ebde64913fd1a338103869337261953b7757

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
210B

MD5
b5b244e918e27404b1913108c25ca138

SHA1
03e91b2e21e47b5029210838e61fedfcc73dbf2e

SHA256
cbf48a209a542c478f6177790dc97eead8c7c543a71a5f26efaf61693da501d1

SHA512
3a1bf59ef709226a15a9546997f89a2b17d3895080c2ebfbc30ec847d52aca5f2e07766285037a7767ac45549a6dcc0d07555c8bd20f0409f220abfe3caa0e43

Download Submit
\Intelproc2H\devoptiloc.exe

Filesize
3.1MB

MD5
1369fed6db374f0218f73d4723992267

SHA1
b52079a3e43c4ff67803e9e254abae0770364329

SHA256
f564f61039098477328429885f78cd3a19ab2c9a0693992e2164b7e74d050c0d

SHA512
7e772c15a15ed3900ed8ce8d782a8091121ad355ff99a4b3037a734561037c11ad21dabec72e2c6965947ebe7d3c876d575a1f68d9670fcb6bc19624e21990f0

Download Submit