3a59b0795985b0d19af9fb21002613cab96e3812e19529efcb9c1add9f491953

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20/07/2024, 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27626ce203ca48bb276f020211df2e20N.exe
Size

2.7MB
MD5

27626ce203ca48bb276f020211df2e20
SHA1

33d0d03ef89b00352da937ee3adc7cf1bfd4353c
SHA256

3a59b0795985b0d19af9fb21002613cab96e3812e19529efcb9c1add9f491953
SHA512

b4e01071da80ede293c998c211692a77663398e8f1f6884fcf0c9077c80d35e5cf5aade924c7efe3a3f1dc34999f75d986f43768a3b63c4732220541e9e9dc8d
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBi9w4Sx:+R0pI/IQlUoMPdmpSp04

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2760	devoptisys.exe

Loads dropped DLL 1 IoCs

pid	Process
2280	27626ce203ca48bb276f020211df2e20N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesTX\\devoptisys.exe"	27626ce203ca48bb276f020211df2e20N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxF3\\boddevec.exe"	27626ce203ca48bb276f020211df2e20N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2280	27626ce203ca48bb276f020211df2e20N.exe
2280	27626ce203ca48bb276f020211df2e20N.exe
2760	devoptisys.exe
2280	27626ce203ca48bb276f020211df2e20N.exe
2760	devoptisys.exe
2280	27626ce203ca48bb276f020211df2e20N.exe
2760	devoptisys.exe
2280	27626ce203ca48bb276f020211df2e20N.exe
2760	devoptisys.exe
2280	27626ce203ca48bb276f020211df2e20N.exe
2760	devoptisys.exe
2280	27626ce203ca48bb276f020211df2e20N.exe
2760	devoptisys.exe
2280	27626ce203ca48bb276f020211df2e20N.exe
2760	devoptisys.exe
2280	27626ce203ca48bb276f020211df2e20N.exe
2760	devoptisys.exe
2280	27626ce203ca48bb276f020211df2e20N.exe
2760	devoptisys.exe
2280	27626ce203ca48bb276f020211df2e20N.exe
2760	devoptisys.exe
2280	27626ce203ca48bb276f020211df2e20N.exe
2760	devoptisys.exe
2280	27626ce203ca48bb276f020211df2e20N.exe
2760	devoptisys.exe
2280	27626ce203ca48bb276f020211df2e20N.exe
2760	devoptisys.exe
2280	27626ce203ca48bb276f020211df2e20N.exe
2760	devoptisys.exe
2280	27626ce203ca48bb276f020211df2e20N.exe
2760	devoptisys.exe
2280	27626ce203ca48bb276f020211df2e20N.exe
2760	devoptisys.exe
2280	27626ce203ca48bb276f020211df2e20N.exe
2760	devoptisys.exe
2280	27626ce203ca48bb276f020211df2e20N.exe
2760	devoptisys.exe
2280	27626ce203ca48bb276f020211df2e20N.exe
2760	devoptisys.exe
2280	27626ce203ca48bb276f020211df2e20N.exe
2760	devoptisys.exe
2280	27626ce203ca48bb276f020211df2e20N.exe
2760	devoptisys.exe
2280	27626ce203ca48bb276f020211df2e20N.exe
2760	devoptisys.exe
2280	27626ce203ca48bb276f020211df2e20N.exe
2760	devoptisys.exe
2280	27626ce203ca48bb276f020211df2e20N.exe
2760	devoptisys.exe
2280	27626ce203ca48bb276f020211df2e20N.exe
2760	devoptisys.exe
2280	27626ce203ca48bb276f020211df2e20N.exe
2760	devoptisys.exe
2280	27626ce203ca48bb276f020211df2e20N.exe
2760	devoptisys.exe
2280	27626ce203ca48bb276f020211df2e20N.exe
2760	devoptisys.exe
2280	27626ce203ca48bb276f020211df2e20N.exe
2760	devoptisys.exe
2280	27626ce203ca48bb276f020211df2e20N.exe
2760	devoptisys.exe
2280	27626ce203ca48bb276f020211df2e20N.exe
2760	devoptisys.exe
2280	27626ce203ca48bb276f020211df2e20N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2760	2280	27626ce203ca48bb276f020211df2e20N.exe	30
PID 2280 wrote to memory of 2760	2280	27626ce203ca48bb276f020211df2e20N.exe	30
PID 2280 wrote to memory of 2760	2280	27626ce203ca48bb276f020211df2e20N.exe	30
PID 2280 wrote to memory of 2760	2280	27626ce203ca48bb276f020211df2e20N.exe	30

C:\Users\Admin\AppData\Local\Temp\27626ce203ca48bb276f020211df2e20N.exe
"C:\Users\Admin\AppData\Local\Temp\27626ce203ca48bb276f020211df2e20N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2280
- C:\FilesTX\devoptisys.exe
  C:\FilesTX\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxF3\boddevec.exe

Filesize
2.7MB

MD5
51ed98a100ffb0021cdff078bd33d907

SHA1
57a400d9a746316d90006ed927db02a5c7688be8

SHA256
deb99216309d0327163f64b1caa5df5fe1eafb559dbeb0590781d28207d9f94b

SHA512
eaadff8ded719e3da9dddc84669df8d490164a6abda184f72149828520dcc56d6aa8b2f298c08e47ab7a175014cd1f6188e57227c4393d95c8e31b6f7c6703d9

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
e60354f3af977dcdd43132d1ee9731cf

SHA1
83adb84589bcfa74820820e4c87d159d0c27a2af

SHA256
dae4fc45418733344f717adb28b7603b7bb7b6fe22f6b9c7b24b343119e01a2e

SHA512
60f71c929781dc6f95d5eeed51116ec146f7b53d373d06333b963c74f010cf8b082b1835d7f37d3860e8d97603cca4b9b146c2c080427b20fc17559bad43cb4f

Download Submit
\FilesTX\devoptisys.exe

Filesize
2.7MB

MD5
621e73df7fe5e551483b403f26bfdac9

SHA1
0d2de34e410a0b9332df60060ebe15a015351016

SHA256
d6787dd899ff91d2188c3f7ebca5f1783c72a4ea7f23e228c617da12c1a13601

SHA512
46ecb2f42bb56914de2482c75d0cd39a83fcb77417ce1531496843736f9000506e64e7c2953fbf73a8641044b4cfeef0147a4420374ce47929ebbacb4713e9ab

Download Submit