371be4145117d02ecc86417b034fb97f678b4359384feb4303ed3756d8921d0f

Analysis

max time kernel
119s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2024 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58859c37d5a654a7e00d6c61efdbf700N.exe
Size

2.7MB
MD5

58859c37d5a654a7e00d6c61efdbf700
SHA1

a457693dfb853df696ec9535f5588cd5f0b82a1d
SHA256

371be4145117d02ecc86417b034fb97f678b4359384feb4303ed3756d8921d0f
SHA512

7f3c09fb9fa009f539e11499338369d9b8823c07414eb7680b063c265f410282b20c7283e46836cebd8887d15648e866590a0289cbfb649e35dadb02607cd6a1
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBC9w4Sx:+R0pI/IQlUoMPdmpSpU4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2996	devoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesS7\\devoptisys.exe"	58859c37d5a654a7e00d6c61efdbf700N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBYP\\dobxsys.exe"	58859c37d5a654a7e00d6c61efdbf700N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2512	58859c37d5a654a7e00d6c61efdbf700N.exe
2512	58859c37d5a654a7e00d6c61efdbf700N.exe
2512	58859c37d5a654a7e00d6c61efdbf700N.exe
2512	58859c37d5a654a7e00d6c61efdbf700N.exe
2996	devoptisys.exe
2996	devoptisys.exe
2512	58859c37d5a654a7e00d6c61efdbf700N.exe
2512	58859c37d5a654a7e00d6c61efdbf700N.exe
2996	devoptisys.exe
2996	devoptisys.exe
2512	58859c37d5a654a7e00d6c61efdbf700N.exe
2512	58859c37d5a654a7e00d6c61efdbf700N.exe
2996	devoptisys.exe
2996	devoptisys.exe
2512	58859c37d5a654a7e00d6c61efdbf700N.exe
2512	58859c37d5a654a7e00d6c61efdbf700N.exe
2996	devoptisys.exe
2996	devoptisys.exe
2512	58859c37d5a654a7e00d6c61efdbf700N.exe
2512	58859c37d5a654a7e00d6c61efdbf700N.exe
2996	devoptisys.exe
2996	devoptisys.exe
2512	58859c37d5a654a7e00d6c61efdbf700N.exe
2512	58859c37d5a654a7e00d6c61efdbf700N.exe
2996	devoptisys.exe
2996	devoptisys.exe
2512	58859c37d5a654a7e00d6c61efdbf700N.exe
2512	58859c37d5a654a7e00d6c61efdbf700N.exe
2996	devoptisys.exe
2996	devoptisys.exe
2512	58859c37d5a654a7e00d6c61efdbf700N.exe
2512	58859c37d5a654a7e00d6c61efdbf700N.exe
2996	devoptisys.exe
2996	devoptisys.exe
2512	58859c37d5a654a7e00d6c61efdbf700N.exe
2512	58859c37d5a654a7e00d6c61efdbf700N.exe
2996	devoptisys.exe
2996	devoptisys.exe
2512	58859c37d5a654a7e00d6c61efdbf700N.exe
2512	58859c37d5a654a7e00d6c61efdbf700N.exe
2996	devoptisys.exe
2996	devoptisys.exe
2512	58859c37d5a654a7e00d6c61efdbf700N.exe
2512	58859c37d5a654a7e00d6c61efdbf700N.exe
2996	devoptisys.exe
2996	devoptisys.exe
2512	58859c37d5a654a7e00d6c61efdbf700N.exe
2512	58859c37d5a654a7e00d6c61efdbf700N.exe
2996	devoptisys.exe
2996	devoptisys.exe
2512	58859c37d5a654a7e00d6c61efdbf700N.exe
2512	58859c37d5a654a7e00d6c61efdbf700N.exe
2996	devoptisys.exe
2996	devoptisys.exe
2512	58859c37d5a654a7e00d6c61efdbf700N.exe
2512	58859c37d5a654a7e00d6c61efdbf700N.exe
2996	devoptisys.exe
2996	devoptisys.exe
2512	58859c37d5a654a7e00d6c61efdbf700N.exe
2512	58859c37d5a654a7e00d6c61efdbf700N.exe
2996	devoptisys.exe
2996	devoptisys.exe
2512	58859c37d5a654a7e00d6c61efdbf700N.exe
2512	58859c37d5a654a7e00d6c61efdbf700N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2996	2512	58859c37d5a654a7e00d6c61efdbf700N.exe	87
PID 2512 wrote to memory of 2996	2512	58859c37d5a654a7e00d6c61efdbf700N.exe	87
PID 2512 wrote to memory of 2996	2512	58859c37d5a654a7e00d6c61efdbf700N.exe	87

C:\Users\Admin\AppData\Local\Temp\58859c37d5a654a7e00d6c61efdbf700N.exe
"C:\Users\Admin\AppData\Local\Temp\58859c37d5a654a7e00d6c61efdbf700N.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2512
- C:\FilesS7\devoptisys.exe
  C:\FilesS7\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesS7\devoptisys.exe

Filesize
2.7MB

MD5
ed858cfb6f188cbbd6576a991b631ce6

SHA1
2098aed3c94cefd9029ea9c1b0caf37636ed4253

SHA256
a468be43724aa222f43d3f5350559f42970a4e7bc0187c94ecfbdc1c3a20750f

SHA512
426ce644d25809a3dfdab8f40685a3c5a515d0dad627e9b8d13dd9d686533e95351780d10e5f6de9ff0796dafc9d580aabe570bd8227fa08b3eca386121824fc

Download Submit
C:\KaVBYP\dobxsys.exe

Filesize
2.7MB

MD5
71a0fca48961cec93d824e9915f54cef

SHA1
2cd88b0ed4870630782ff4da5816b3075b9e4285

SHA256
e926ce0b91aa5ba24b8fe5c6a7cd126110a23a5cf01e54ddab9a4ce9c2d785f5

SHA512
e72992101e2c16350d9a3fa36a7a90a5ff85bbb89d2aa6fdb384e5993487e6873ca7bfaf2cda3e6f447a97e02fef912a8fe401536345373776137736c9df72c8

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
b6c074376733caa58fa737aa4ae3f9bc

SHA1
65b5619e7d922bc28ce6334d9b47bd3c6edfa17d

SHA256
e209d461048836eb6fc19e01702e965ef38ff8b61a48be2ca3cba77b4d481236

SHA512
4ef1f9fadbaf7096be17f584e7cac37101ddf447fc2f86777285a4cf7f660ff167f55f11a9c0b466a7707334df168552b8af262a49c76a4ba44a5383619aa12d

Download Submit