c1524e7a528983eca8c846f7ff3a61d0a54bd4f1e2ad6095f4a6eec4109fc458

Analysis

max time kernel
119s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 08:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

74d39f8306498ebe20286221301b9920N.exe
Size

2.7MB
MD5

74d39f8306498ebe20286221301b9920
SHA1

390a5cb9397e21fecf02c0b67e6ae3a79c8411a5
SHA256

c1524e7a528983eca8c846f7ff3a61d0a54bd4f1e2ad6095f4a6eec4109fc458
SHA512

40db30874bdfea304ae5bf0c589aa118e2b49cadb3b0305366bd64df9e5da70ea16be96b554b26d0e416c8b81ed94e6cba2501aa42b0ed12ddb4d22c740bc1f2
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBx9w4Sx:+R0pI/IQlUoMPdmpSpJ4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2544	devoptiloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files5A\\devoptiloc.exe"	74d39f8306498ebe20286221301b9920N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZC8\\boddevec.exe"	74d39f8306498ebe20286221301b9920N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1036	74d39f8306498ebe20286221301b9920N.exe
1036	74d39f8306498ebe20286221301b9920N.exe
1036	74d39f8306498ebe20286221301b9920N.exe
1036	74d39f8306498ebe20286221301b9920N.exe
2544	devoptiloc.exe
2544	devoptiloc.exe
1036	74d39f8306498ebe20286221301b9920N.exe
1036	74d39f8306498ebe20286221301b9920N.exe
2544	devoptiloc.exe
2544	devoptiloc.exe
1036	74d39f8306498ebe20286221301b9920N.exe
1036	74d39f8306498ebe20286221301b9920N.exe
2544	devoptiloc.exe
2544	devoptiloc.exe
1036	74d39f8306498ebe20286221301b9920N.exe
1036	74d39f8306498ebe20286221301b9920N.exe
2544	devoptiloc.exe
2544	devoptiloc.exe
1036	74d39f8306498ebe20286221301b9920N.exe
1036	74d39f8306498ebe20286221301b9920N.exe
2544	devoptiloc.exe
2544	devoptiloc.exe
1036	74d39f8306498ebe20286221301b9920N.exe
1036	74d39f8306498ebe20286221301b9920N.exe
2544	devoptiloc.exe
2544	devoptiloc.exe
1036	74d39f8306498ebe20286221301b9920N.exe
1036	74d39f8306498ebe20286221301b9920N.exe
2544	devoptiloc.exe
2544	devoptiloc.exe
1036	74d39f8306498ebe20286221301b9920N.exe
1036	74d39f8306498ebe20286221301b9920N.exe
2544	devoptiloc.exe
2544	devoptiloc.exe
1036	74d39f8306498ebe20286221301b9920N.exe
1036	74d39f8306498ebe20286221301b9920N.exe
2544	devoptiloc.exe
2544	devoptiloc.exe
1036	74d39f8306498ebe20286221301b9920N.exe
1036	74d39f8306498ebe20286221301b9920N.exe
2544	devoptiloc.exe
2544	devoptiloc.exe
1036	74d39f8306498ebe20286221301b9920N.exe
1036	74d39f8306498ebe20286221301b9920N.exe
2544	devoptiloc.exe
2544	devoptiloc.exe
1036	74d39f8306498ebe20286221301b9920N.exe
1036	74d39f8306498ebe20286221301b9920N.exe
2544	devoptiloc.exe
2544	devoptiloc.exe
1036	74d39f8306498ebe20286221301b9920N.exe
1036	74d39f8306498ebe20286221301b9920N.exe
2544	devoptiloc.exe
2544	devoptiloc.exe
1036	74d39f8306498ebe20286221301b9920N.exe
1036	74d39f8306498ebe20286221301b9920N.exe
2544	devoptiloc.exe
2544	devoptiloc.exe
1036	74d39f8306498ebe20286221301b9920N.exe
1036	74d39f8306498ebe20286221301b9920N.exe
2544	devoptiloc.exe
2544	devoptiloc.exe
1036	74d39f8306498ebe20286221301b9920N.exe
1036	74d39f8306498ebe20286221301b9920N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 2544	1036	74d39f8306498ebe20286221301b9920N.exe	87
PID 1036 wrote to memory of 2544	1036	74d39f8306498ebe20286221301b9920N.exe	87
PID 1036 wrote to memory of 2544	1036	74d39f8306498ebe20286221301b9920N.exe	87

C:\Users\Admin\AppData\Local\Temp\74d39f8306498ebe20286221301b9920N.exe
"C:\Users\Admin\AppData\Local\Temp\74d39f8306498ebe20286221301b9920N.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Files5A\devoptiloc.exe
  C:\Files5A\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files5A\devoptiloc.exe

Filesize
2.7MB

MD5
ac7e4ec8b9696ba65dfbff22944b246d

SHA1
95681616563fc663d225c1cb8de6d5a93d41549b

SHA256
6a757b8e75076abca5cc0b0c122e2beed4e201529db09753920415919ef53e6a

SHA512
5b073e46bbbf5085ee34a5c92d9347189d24c1e944707304938f79208978b37d6fc567048af32cb2836d523c5383d4d3bff1fc8c0fac4575943ab39653a7fd42

Download Submit
C:\LabZC8\boddevec.exe

Filesize
2.7MB

MD5
a992eb459193c327b1a0a7930f910cf2

SHA1
cc6561ca39eb6fee1edab6f6b4197d1dffe70179

SHA256
d93104f3980a5e2737e2ba83ae0a4f45c88d369f196ca9a7f928bd5a47ed0b79

SHA512
cd520aac8507ccfeeaf50eafc5f4504aa1146fa79d53e38abb77bac7fc60fafb9362043994000e35a3ca3ec60cf345f0aa8d3c3eb17bb547240c1872ead95f77

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
fb89c43595dc7d67a0c0c17b0f647512

SHA1
ccc29722fd6c7c584b5fd1ee010bcf38df190bcc

SHA256
6e8640ab2c68166303478bf29f9b31400a8e9d4a1df9feb5a8637ef96c743642

SHA512
4f00409ea5ccfd6993b216f2c48a716e944ff4c448526fa43f2174d2e0d5b76bd89297d5369b5276a0fa78d4ca0ba97f3b3518340002dd5c057d37f93a980dd3

Download Submit