eda2a26b9570c53d24526244696e50fb928e7675c26d8932142f2daf1a63453b

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-07-2024 08:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85d3dfc4eb655921f8a615ffceb46fe0N.exe
Size

2.7MB
MD5

85d3dfc4eb655921f8a615ffceb46fe0
SHA1

5ebff1f5ff9630524bcf8c43db9777aa0e009c8e
SHA256

eda2a26b9570c53d24526244696e50fb928e7675c26d8932142f2daf1a63453b
SHA512

054fe4c42221f0e588a5a7f31aced74bd726b1d6616a683a2bd76397ac644656ae5cc552b34bd31b79910b05958f56412cf449de5817a704ef623af43c6ae568
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBK9w4S+:+R0pI/IQlUoMPdmpSp84X

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2216	devoptiec.exe

Loads dropped DLL 1 IoCs

pid	Process
3024	85d3dfc4eb655921f8a615ffceb46fe0N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesKL\\devoptiec.exe"	85d3dfc4eb655921f8a615ffceb46fe0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZB0\\boddevsys.exe"	85d3dfc4eb655921f8a615ffceb46fe0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3024	85d3dfc4eb655921f8a615ffceb46fe0N.exe
3024	85d3dfc4eb655921f8a615ffceb46fe0N.exe
2216	devoptiec.exe
3024	85d3dfc4eb655921f8a615ffceb46fe0N.exe
2216	devoptiec.exe
3024	85d3dfc4eb655921f8a615ffceb46fe0N.exe
2216	devoptiec.exe
3024	85d3dfc4eb655921f8a615ffceb46fe0N.exe
2216	devoptiec.exe
3024	85d3dfc4eb655921f8a615ffceb46fe0N.exe
2216	devoptiec.exe
3024	85d3dfc4eb655921f8a615ffceb46fe0N.exe
2216	devoptiec.exe
3024	85d3dfc4eb655921f8a615ffceb46fe0N.exe
2216	devoptiec.exe
3024	85d3dfc4eb655921f8a615ffceb46fe0N.exe
2216	devoptiec.exe
3024	85d3dfc4eb655921f8a615ffceb46fe0N.exe
2216	devoptiec.exe
3024	85d3dfc4eb655921f8a615ffceb46fe0N.exe
2216	devoptiec.exe
3024	85d3dfc4eb655921f8a615ffceb46fe0N.exe
2216	devoptiec.exe
3024	85d3dfc4eb655921f8a615ffceb46fe0N.exe
2216	devoptiec.exe
3024	85d3dfc4eb655921f8a615ffceb46fe0N.exe
2216	devoptiec.exe
3024	85d3dfc4eb655921f8a615ffceb46fe0N.exe
2216	devoptiec.exe
3024	85d3dfc4eb655921f8a615ffceb46fe0N.exe
2216	devoptiec.exe
3024	85d3dfc4eb655921f8a615ffceb46fe0N.exe
2216	devoptiec.exe
3024	85d3dfc4eb655921f8a615ffceb46fe0N.exe
2216	devoptiec.exe
3024	85d3dfc4eb655921f8a615ffceb46fe0N.exe
2216	devoptiec.exe
3024	85d3dfc4eb655921f8a615ffceb46fe0N.exe
2216	devoptiec.exe
3024	85d3dfc4eb655921f8a615ffceb46fe0N.exe
2216	devoptiec.exe
3024	85d3dfc4eb655921f8a615ffceb46fe0N.exe
2216	devoptiec.exe
3024	85d3dfc4eb655921f8a615ffceb46fe0N.exe
2216	devoptiec.exe
3024	85d3dfc4eb655921f8a615ffceb46fe0N.exe
2216	devoptiec.exe
3024	85d3dfc4eb655921f8a615ffceb46fe0N.exe
2216	devoptiec.exe
3024	85d3dfc4eb655921f8a615ffceb46fe0N.exe
2216	devoptiec.exe
3024	85d3dfc4eb655921f8a615ffceb46fe0N.exe
2216	devoptiec.exe
3024	85d3dfc4eb655921f8a615ffceb46fe0N.exe
2216	devoptiec.exe
3024	85d3dfc4eb655921f8a615ffceb46fe0N.exe
2216	devoptiec.exe
3024	85d3dfc4eb655921f8a615ffceb46fe0N.exe
2216	devoptiec.exe
3024	85d3dfc4eb655921f8a615ffceb46fe0N.exe
2216	devoptiec.exe
3024	85d3dfc4eb655921f8a615ffceb46fe0N.exe
2216	devoptiec.exe
3024	85d3dfc4eb655921f8a615ffceb46fe0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2216	3024	85d3dfc4eb655921f8a615ffceb46fe0N.exe	30
PID 3024 wrote to memory of 2216	3024	85d3dfc4eb655921f8a615ffceb46fe0N.exe	30
PID 3024 wrote to memory of 2216	3024	85d3dfc4eb655921f8a615ffceb46fe0N.exe	30
PID 3024 wrote to memory of 2216	3024	85d3dfc4eb655921f8a615ffceb46fe0N.exe	30

C:\Users\Admin\AppData\Local\Temp\85d3dfc4eb655921f8a615ffceb46fe0N.exe
"C:\Users\Admin\AppData\Local\Temp\85d3dfc4eb655921f8a615ffceb46fe0N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3024
- C:\FilesKL\devoptiec.exe
  C:\FilesKL\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZB0\boddevsys.exe

Filesize
2.7MB

MD5
a1308d937ec17b94d272a14db0d1c488

SHA1
2889c0ccd6fa85dc223359128ebca9ad2572a89a

SHA256
ab63dfc5f364937b7b266bd6ba97caa3852eb3dfc896bce717398c8f848efd0d

SHA512
5d5fb1a1fb1ccdc4e134603c676635c00cc67a69569c955689b03329c5e88a6560b452517642700ebe44c876661969a8b8d14537148feb5baa7305e4c91c15b3

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
3cf586fc0522c41bc91df736fcb6bb88

SHA1
2f26d31c7b67a4b3b20a1905f529c06ba45b1adc

SHA256
597190ad7ade28987080ea73674b36a343f20dced8e98d4682ed05521c7a7e4a

SHA512
d3e2a8dc98609b0997fb7f431b54a3f824e551ec8801a49d8f69d0f6d49be61d14f5febbcb7aed680e5531a413f2e1f21faeeb9f72d6af9433892d77f3d9458b

Download Submit
C:\Users\Admin��

Filesize
2.7MB

MD5
5aba4fe38397651ecf49aa512774ed3e

SHA1
9d237f682ff2c1a4c11ff95c32a7217e8daf279e

SHA256
90ef63c951c7630ae2d4bdb62bfbb0eb28f2fb94a7166dad6191ce16b304bdf5

SHA512
04f85267d2c1e3a4e7d0d4d88e29bd6bc667b5af9996761ea395ee7424eb877e66224caa9ec1215ddd45a7db108c41325d5de3d21a65d8aa6c0e3c0c3e3ffc34

Download Submit
\FilesKL\devoptiec.exe

Filesize
2.7MB

MD5
8631f86f6dd12c6f85db483cd222055f

SHA1
a96857e518e0d043a94f3f85bb76836fc95ceca1

SHA256
476e39781cb9371c6397f52d6fe951e70f0a7642f7cdad6ba76bb680c2fb73ef

SHA512
7d574fd3c85e73efaf9326a42b8a8ff4ae8c19b43eef0e57c1b4e6a69c05dbcfac910976caf7f289906b64bf39d5e4f906b9b6d83010b3137391f5e743ba1315

Download Submit