4d1b6346c8bc068c413a20cd8e9f814eb9c0fd94f2526edb271bbbb166feb744

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
20-07-2024 06:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59b45f17b13d799e6c4005d204fe8730N.exe
Size

2.7MB
MD5

59b45f17b13d799e6c4005d204fe8730
SHA1

7bbd074484a03778f4c5a50f0e88ce5bf0e0c222
SHA256

4d1b6346c8bc068c413a20cd8e9f814eb9c0fd94f2526edb271bbbb166feb744
SHA512

88da31497b4f37aaee139168f8a077387057af5a6463f518b14bad9aa4112f24d0f22b221657132a91ed69961a54d4b554478b3d5791917eb74a6ed972d01e58
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBp9w4S+:+R0pI/IQlUoMPdmpSp54X

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2668	devoptiloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2976	59b45f17b13d799e6c4005d204fe8730N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocIP\\devoptiloc.exe"	59b45f17b13d799e6c4005d204fe8730N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBW4\\bodxec.exe"	59b45f17b13d799e6c4005d204fe8730N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2976	59b45f17b13d799e6c4005d204fe8730N.exe
2976	59b45f17b13d799e6c4005d204fe8730N.exe
2668	devoptiloc.exe
2976	59b45f17b13d799e6c4005d204fe8730N.exe
2668	devoptiloc.exe
2976	59b45f17b13d799e6c4005d204fe8730N.exe
2668	devoptiloc.exe
2976	59b45f17b13d799e6c4005d204fe8730N.exe
2668	devoptiloc.exe
2976	59b45f17b13d799e6c4005d204fe8730N.exe
2668	devoptiloc.exe
2976	59b45f17b13d799e6c4005d204fe8730N.exe
2668	devoptiloc.exe
2976	59b45f17b13d799e6c4005d204fe8730N.exe
2668	devoptiloc.exe
2976	59b45f17b13d799e6c4005d204fe8730N.exe
2668	devoptiloc.exe
2976	59b45f17b13d799e6c4005d204fe8730N.exe
2668	devoptiloc.exe
2976	59b45f17b13d799e6c4005d204fe8730N.exe
2668	devoptiloc.exe
2976	59b45f17b13d799e6c4005d204fe8730N.exe
2668	devoptiloc.exe
2976	59b45f17b13d799e6c4005d204fe8730N.exe
2668	devoptiloc.exe
2976	59b45f17b13d799e6c4005d204fe8730N.exe
2668	devoptiloc.exe
2976	59b45f17b13d799e6c4005d204fe8730N.exe
2668	devoptiloc.exe
2976	59b45f17b13d799e6c4005d204fe8730N.exe
2668	devoptiloc.exe
2976	59b45f17b13d799e6c4005d204fe8730N.exe
2668	devoptiloc.exe
2976	59b45f17b13d799e6c4005d204fe8730N.exe
2668	devoptiloc.exe
2976	59b45f17b13d799e6c4005d204fe8730N.exe
2668	devoptiloc.exe
2976	59b45f17b13d799e6c4005d204fe8730N.exe
2668	devoptiloc.exe
2976	59b45f17b13d799e6c4005d204fe8730N.exe
2668	devoptiloc.exe
2976	59b45f17b13d799e6c4005d204fe8730N.exe
2668	devoptiloc.exe
2976	59b45f17b13d799e6c4005d204fe8730N.exe
2668	devoptiloc.exe
2976	59b45f17b13d799e6c4005d204fe8730N.exe
2668	devoptiloc.exe
2976	59b45f17b13d799e6c4005d204fe8730N.exe
2668	devoptiloc.exe
2976	59b45f17b13d799e6c4005d204fe8730N.exe
2668	devoptiloc.exe
2976	59b45f17b13d799e6c4005d204fe8730N.exe
2668	devoptiloc.exe
2976	59b45f17b13d799e6c4005d204fe8730N.exe
2668	devoptiloc.exe
2976	59b45f17b13d799e6c4005d204fe8730N.exe
2668	devoptiloc.exe
2976	59b45f17b13d799e6c4005d204fe8730N.exe
2668	devoptiloc.exe
2976	59b45f17b13d799e6c4005d204fe8730N.exe
2668	devoptiloc.exe
2976	59b45f17b13d799e6c4005d204fe8730N.exe
2668	devoptiloc.exe
2976	59b45f17b13d799e6c4005d204fe8730N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2668	2976	59b45f17b13d799e6c4005d204fe8730N.exe	30
PID 2976 wrote to memory of 2668	2976	59b45f17b13d799e6c4005d204fe8730N.exe	30
PID 2976 wrote to memory of 2668	2976	59b45f17b13d799e6c4005d204fe8730N.exe	30
PID 2976 wrote to memory of 2668	2976	59b45f17b13d799e6c4005d204fe8730N.exe	30

C:\Users\Admin\AppData\Local\Temp\59b45f17b13d799e6c4005d204fe8730N.exe
"C:\Users\Admin\AppData\Local\Temp\59b45f17b13d799e6c4005d204fe8730N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2976
- C:\IntelprocIP\devoptiloc.exe
  C:\IntelprocIP\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBW4\bodxec.exe

Filesize
2.7MB

MD5
ad9b85fe2a66d989cb4a1f846a1798ba

SHA1
2d1ebb78eaa6a08e8169965254cc2b623a06c655

SHA256
32cab10d2345fcbb80dd8430bf0e639371130872da27d48ec74b5baf766e3846

SHA512
7fb679a5eecc2c5925efff9d591eda932e4f35d3958f6f77c03fba17c375e61d0877ad300a0bccc794948df0508ee080be276dac562f26a5b207daa26bc62ac3

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
6e09c6668c1a205b55e2840f95314526

SHA1
1fe0c4e4e404a04859c27af6a6d1f1f2a1578553

SHA256
f3b5b3ade0b5dcd9f7a5832c28bd209efa244adb37392bb4cf0762e59070fe40

SHA512
c114413557ecb0048404abb8e84587b80db0d9225aa0ad9a8eafdbdc3a805acf2c80387eda660315f515bb7b3ef5634ddb4f7f6e7ddcbcc6ada2efdb1c1ec542

Download Submit
\IntelprocIP\devoptiloc.exe

Filesize
2.7MB

MD5
e953f78bcbfab5e07ebbe8c93ef8c7ae

SHA1
0b63245f8c3415d8815e13b52e85a88d4b153b37

SHA256
7f7501aa70d5382f3702deb9262664a7036bfbbf64860b56dcf59442299bc965

SHA512
786ff394df85fbc907caa50fa91a50e3bbb74fc0989ad8256d00073d1eae64bb40a611f314607e2c156e091f7080fbb62e528cbc2d151a580ef5e34c98e20f13

Download Submit