ef41da8449ca75dd3500e630b5a054b70577e59d2f7c0a60599feb9074a17bf8

Analysis

max time kernel
119s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2024 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed9197ac62411600660f681912578cf0N.exe
Size

2.7MB
MD5

ed9197ac62411600660f681912578cf0
SHA1

1232042bb6fadc5470308cbc3bdd5a121bb2b1c1
SHA256

ef41da8449ca75dd3500e630b5a054b70577e59d2f7c0a60599feb9074a17bf8
SHA512

5e87ece22a6061b2785a6da0c340641c5b1f7ccd58d618b13d099db71891cc990b6cec9e74ddcc6e87cf36b2c4cb98fc1e9c10ee49434ec0bb562aaaf662c70a
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBq9w4Sx:+R0pI/IQlUoMPdmpSpk4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4932	devoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeCP\\devoptisys.exe"	ed9197ac62411600660f681912578cf0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintR6\\dobaloc.exe"	ed9197ac62411600660f681912578cf0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3816	ed9197ac62411600660f681912578cf0N.exe
3816	ed9197ac62411600660f681912578cf0N.exe
3816	ed9197ac62411600660f681912578cf0N.exe
3816	ed9197ac62411600660f681912578cf0N.exe
4932	devoptisys.exe
4932	devoptisys.exe
3816	ed9197ac62411600660f681912578cf0N.exe
3816	ed9197ac62411600660f681912578cf0N.exe
4932	devoptisys.exe
4932	devoptisys.exe
3816	ed9197ac62411600660f681912578cf0N.exe
3816	ed9197ac62411600660f681912578cf0N.exe
4932	devoptisys.exe
4932	devoptisys.exe
3816	ed9197ac62411600660f681912578cf0N.exe
3816	ed9197ac62411600660f681912578cf0N.exe
4932	devoptisys.exe
4932	devoptisys.exe
3816	ed9197ac62411600660f681912578cf0N.exe
3816	ed9197ac62411600660f681912578cf0N.exe
4932	devoptisys.exe
4932	devoptisys.exe
3816	ed9197ac62411600660f681912578cf0N.exe
3816	ed9197ac62411600660f681912578cf0N.exe
4932	devoptisys.exe
4932	devoptisys.exe
3816	ed9197ac62411600660f681912578cf0N.exe
3816	ed9197ac62411600660f681912578cf0N.exe
4932	devoptisys.exe
4932	devoptisys.exe
3816	ed9197ac62411600660f681912578cf0N.exe
3816	ed9197ac62411600660f681912578cf0N.exe
4932	devoptisys.exe
4932	devoptisys.exe
3816	ed9197ac62411600660f681912578cf0N.exe
3816	ed9197ac62411600660f681912578cf0N.exe
4932	devoptisys.exe
4932	devoptisys.exe
3816	ed9197ac62411600660f681912578cf0N.exe
3816	ed9197ac62411600660f681912578cf0N.exe
4932	devoptisys.exe
4932	devoptisys.exe
3816	ed9197ac62411600660f681912578cf0N.exe
3816	ed9197ac62411600660f681912578cf0N.exe
4932	devoptisys.exe
4932	devoptisys.exe
3816	ed9197ac62411600660f681912578cf0N.exe
3816	ed9197ac62411600660f681912578cf0N.exe
4932	devoptisys.exe
4932	devoptisys.exe
3816	ed9197ac62411600660f681912578cf0N.exe
3816	ed9197ac62411600660f681912578cf0N.exe
4932	devoptisys.exe
4932	devoptisys.exe
3816	ed9197ac62411600660f681912578cf0N.exe
3816	ed9197ac62411600660f681912578cf0N.exe
4932	devoptisys.exe
4932	devoptisys.exe
3816	ed9197ac62411600660f681912578cf0N.exe
3816	ed9197ac62411600660f681912578cf0N.exe
4932	devoptisys.exe
4932	devoptisys.exe
3816	ed9197ac62411600660f681912578cf0N.exe
3816	ed9197ac62411600660f681912578cf0N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3816 wrote to memory of 4932	3816	ed9197ac62411600660f681912578cf0N.exe	89
PID 3816 wrote to memory of 4932	3816	ed9197ac62411600660f681912578cf0N.exe	89
PID 3816 wrote to memory of 4932	3816	ed9197ac62411600660f681912578cf0N.exe	89

C:\Users\Admin\AppData\Local\Temp\ed9197ac62411600660f681912578cf0N.exe
"C:\Users\Admin\AppData\Local\Temp\ed9197ac62411600660f681912578cf0N.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3816
- C:\AdobeCP\devoptisys.exe
  C:\AdobeCP\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeCP\devoptisys.exe

Filesize
2.7MB

MD5
ab2f49f5c18899475717ded6c5895ecb

SHA1
ad1f27cb518e06a9df798887bdf86be6c03e189e

SHA256
d7e3758f92d6a1cb59918be8bb6ca515a574a9a57956324a55db0f8bcc563df1

SHA512
f94847fe5f223673158b9e6016bbbba39ebe5033a441c8d21dbd7add87243e2deddd690825bbebe1cc0507bc5d4568a2ee1f1bd2651a312dfd64814da8526e38

Download Submit
C:\MintR6\dobaloc.exe

Filesize
3KB

MD5
c7b51062c87a208f9442963c2b20d250

SHA1
0e547612586c272a27827db5dbbed56d37a255e7

SHA256
e3b4eadabd908d54c7c9252808b2cf750431927782a3b7b3e596467be1bde3e0

SHA512
fa80cfdd204d057f6913115178e8c1aa005c35300a166dbe3f278d747a2bd73b6ffc6df2602db45993d1fb681a48db8e6b9a5567228ee5007c7d933035c55e9c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
80e4041ef72b7355c7e6dcce44285aec

SHA1
cbb5c2a907d53829d6d768cbd9cc7950b713f87f

SHA256
c26a2d187b160327f9fa792d5a27b98c50c001489ed938fada4cef6b170b24de

SHA512
1cc067939a2158d466189b851922fb33f468bd25db7b92adb673d034f6cede774e5d3140b76cdcf31fdeb3fa7883163c238adc51e1e17fc229daff65757f9da0

Download Submit