0af31e9a6ea42cc13110a6b508c465660291563d20170477b8b0cd08dd6efd59

Analysis

max time kernel
119s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f0b6622b4442ba6a98e1d018127e0c0N.exe
Size

2.7MB
MD5

0f0b6622b4442ba6a98e1d018127e0c0
SHA1

8a9b1b09211ac50667b669b961b1481a67d224d4
SHA256

0af31e9a6ea42cc13110a6b508c465660291563d20170477b8b0cd08dd6efd59
SHA512

730efebe6ea4394bf04f00012bc3e82371e95846ce61c786d8f00e36d280791ffd3cef1561213a8f39b0c67271a56f1809c73f0cd5831e278485522cd43ec1bd
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBY9w4Sx:+R0pI/IQlUoMPdmpSp+4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4072	devoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint7B\\dobaloc.exe"	0f0b6622b4442ba6a98e1d018127e0c0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotD6\\devoptisys.exe"	0f0b6622b4442ba6a98e1d018127e0c0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2812	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2812	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2812	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2812	0f0b6622b4442ba6a98e1d018127e0c0N.exe
4072	devoptisys.exe
4072	devoptisys.exe
2812	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2812	0f0b6622b4442ba6a98e1d018127e0c0N.exe
4072	devoptisys.exe
4072	devoptisys.exe
2812	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2812	0f0b6622b4442ba6a98e1d018127e0c0N.exe
4072	devoptisys.exe
4072	devoptisys.exe
2812	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2812	0f0b6622b4442ba6a98e1d018127e0c0N.exe
4072	devoptisys.exe
4072	devoptisys.exe
2812	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2812	0f0b6622b4442ba6a98e1d018127e0c0N.exe
4072	devoptisys.exe
4072	devoptisys.exe
2812	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2812	0f0b6622b4442ba6a98e1d018127e0c0N.exe
4072	devoptisys.exe
4072	devoptisys.exe
2812	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2812	0f0b6622b4442ba6a98e1d018127e0c0N.exe
4072	devoptisys.exe
4072	devoptisys.exe
2812	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2812	0f0b6622b4442ba6a98e1d018127e0c0N.exe
4072	devoptisys.exe
4072	devoptisys.exe
2812	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2812	0f0b6622b4442ba6a98e1d018127e0c0N.exe
4072	devoptisys.exe
4072	devoptisys.exe
2812	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2812	0f0b6622b4442ba6a98e1d018127e0c0N.exe
4072	devoptisys.exe
4072	devoptisys.exe
2812	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2812	0f0b6622b4442ba6a98e1d018127e0c0N.exe
4072	devoptisys.exe
4072	devoptisys.exe
2812	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2812	0f0b6622b4442ba6a98e1d018127e0c0N.exe
4072	devoptisys.exe
4072	devoptisys.exe
2812	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2812	0f0b6622b4442ba6a98e1d018127e0c0N.exe
4072	devoptisys.exe
4072	devoptisys.exe
2812	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2812	0f0b6622b4442ba6a98e1d018127e0c0N.exe
4072	devoptisys.exe
4072	devoptisys.exe
2812	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2812	0f0b6622b4442ba6a98e1d018127e0c0N.exe
4072	devoptisys.exe
4072	devoptisys.exe
2812	0f0b6622b4442ba6a98e1d018127e0c0N.exe
2812	0f0b6622b4442ba6a98e1d018127e0c0N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 4072	2812	0f0b6622b4442ba6a98e1d018127e0c0N.exe	89
PID 2812 wrote to memory of 4072	2812	0f0b6622b4442ba6a98e1d018127e0c0N.exe	89
PID 2812 wrote to memory of 4072	2812	0f0b6622b4442ba6a98e1d018127e0c0N.exe	89

C:\Users\Admin\AppData\Local\Temp\0f0b6622b4442ba6a98e1d018127e0c0N.exe
"C:\Users\Admin\AppData\Local\Temp\0f0b6622b4442ba6a98e1d018127e0c0N.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2812
- C:\UserDotD6\devoptisys.exe
  C:\UserDotD6\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Mint7B\dobaloc.exe

Filesize
8KB

MD5
18f9e5889b79178d8757b18c8d1b67d3

SHA1
e70ee94d53ceba1eacdea91d5af71a2203f08ea9

SHA256
187f66f9d8a67e69a32c5d0631666f1a7594d1207f37d94d421023d225ed6c14

SHA512
b64bd79cae188097cc91a99887efef58804ba8948745a6bba8e365bf023d7c107be2433b4b8f12720994b00e45c51902ddb1a9042db65adc85c64fea360b76f2

Download Submit
C:\UserDotD6\devoptisys.exe

Filesize
2.7MB

MD5
44cc8f0e6280cc2779ea45469282769a

SHA1
b081e403494e25e8f3b03721577ef280d40cf37d

SHA256
d303417434ac7fcc8024655714d373581f03c5c98adb434ce796f68b91abb768

SHA512
442c34eb534ccdeac8a7edbc44f7dd309a09b011e331909d84383422e8326a3a655c2d2c3cdac48aa2bc043c619ed8c61055e772835ac071f4bb9b8079cfa195

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
193B

MD5
b11b4f282ed4000c7526066fcd3a2d9e

SHA1
376c8ddf4f0992724eea76cf9e42dac0965c205a

SHA256
4e9a907a513195cd274d43045dc41502ec2eb91f79ed1436a9ba32430da882aa

SHA512
986f9494761eb4dc674341db2ea03878c96b646111c97692bec2799453780d06f8c8907ff99256cb698acd52e6ad89fb2d329c9891adafae916d5b56464d5e98

Download Submit