c2d2fa7b008b7ad0c3676d12d77ad4f13d0c63d733282ad2a5688962480bcd36

Analysis

max time kernel
121s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f76e04df860ab9ead6a33140c9fafd0N.exe
Size

2.7MB
MD5

6f76e04df860ab9ead6a33140c9fafd0
SHA1

e1a9b228a0318244a97b8166a11fad063fa2577f
SHA256

c2d2fa7b008b7ad0c3676d12d77ad4f13d0c63d733282ad2a5688962480bcd36
SHA512

92088f83c000ece7d60da4b566f3c84843cf83669a965aeab015150e83cd69eb8a3ad84575a82b2f9dbea08556782dffb0badf86ae44a13b68f09c2235745133
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBu9w4Sx:+R0pI/IQlUoMPdmpSpc4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2828	devoptiloc.exe

Loads dropped DLL 1 IoCs

pid	Process
1952	6f76e04df860ab9ead6a33140c9fafd0N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc0G\\devoptiloc.exe"	6f76e04df860ab9ead6a33140c9fafd0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZZP\\bodxloc.exe"	6f76e04df860ab9ead6a33140c9fafd0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1952	6f76e04df860ab9ead6a33140c9fafd0N.exe
1952	6f76e04df860ab9ead6a33140c9fafd0N.exe
2828	devoptiloc.exe
1952	6f76e04df860ab9ead6a33140c9fafd0N.exe
2828	devoptiloc.exe
1952	6f76e04df860ab9ead6a33140c9fafd0N.exe
2828	devoptiloc.exe
1952	6f76e04df860ab9ead6a33140c9fafd0N.exe
2828	devoptiloc.exe
1952	6f76e04df860ab9ead6a33140c9fafd0N.exe
2828	devoptiloc.exe
1952	6f76e04df860ab9ead6a33140c9fafd0N.exe
2828	devoptiloc.exe
1952	6f76e04df860ab9ead6a33140c9fafd0N.exe
2828	devoptiloc.exe
1952	6f76e04df860ab9ead6a33140c9fafd0N.exe
2828	devoptiloc.exe
1952	6f76e04df860ab9ead6a33140c9fafd0N.exe
2828	devoptiloc.exe
1952	6f76e04df860ab9ead6a33140c9fafd0N.exe
2828	devoptiloc.exe
1952	6f76e04df860ab9ead6a33140c9fafd0N.exe
2828	devoptiloc.exe
1952	6f76e04df860ab9ead6a33140c9fafd0N.exe
2828	devoptiloc.exe
1952	6f76e04df860ab9ead6a33140c9fafd0N.exe
2828	devoptiloc.exe
1952	6f76e04df860ab9ead6a33140c9fafd0N.exe
2828	devoptiloc.exe
1952	6f76e04df860ab9ead6a33140c9fafd0N.exe
2828	devoptiloc.exe
1952	6f76e04df860ab9ead6a33140c9fafd0N.exe
2828	devoptiloc.exe
1952	6f76e04df860ab9ead6a33140c9fafd0N.exe
2828	devoptiloc.exe
1952	6f76e04df860ab9ead6a33140c9fafd0N.exe
2828	devoptiloc.exe
1952	6f76e04df860ab9ead6a33140c9fafd0N.exe
2828	devoptiloc.exe
1952	6f76e04df860ab9ead6a33140c9fafd0N.exe
2828	devoptiloc.exe
1952	6f76e04df860ab9ead6a33140c9fafd0N.exe
2828	devoptiloc.exe
1952	6f76e04df860ab9ead6a33140c9fafd0N.exe
2828	devoptiloc.exe
1952	6f76e04df860ab9ead6a33140c9fafd0N.exe
2828	devoptiloc.exe
1952	6f76e04df860ab9ead6a33140c9fafd0N.exe
2828	devoptiloc.exe
1952	6f76e04df860ab9ead6a33140c9fafd0N.exe
2828	devoptiloc.exe
1952	6f76e04df860ab9ead6a33140c9fafd0N.exe
2828	devoptiloc.exe
1952	6f76e04df860ab9ead6a33140c9fafd0N.exe
2828	devoptiloc.exe
1952	6f76e04df860ab9ead6a33140c9fafd0N.exe
2828	devoptiloc.exe
1952	6f76e04df860ab9ead6a33140c9fafd0N.exe
2828	devoptiloc.exe
1952	6f76e04df860ab9ead6a33140c9fafd0N.exe
2828	devoptiloc.exe
1952	6f76e04df860ab9ead6a33140c9fafd0N.exe
2828	devoptiloc.exe
1952	6f76e04df860ab9ead6a33140c9fafd0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 2828	1952	6f76e04df860ab9ead6a33140c9fafd0N.exe	30
PID 1952 wrote to memory of 2828	1952	6f76e04df860ab9ead6a33140c9fafd0N.exe	30
PID 1952 wrote to memory of 2828	1952	6f76e04df860ab9ead6a33140c9fafd0N.exe	30
PID 1952 wrote to memory of 2828	1952	6f76e04df860ab9ead6a33140c9fafd0N.exe	30

C:\Users\Admin\AppData\Local\Temp\6f76e04df860ab9ead6a33140c9fafd0N.exe
"C:\Users\Admin\AppData\Local\Temp\6f76e04df860ab9ead6a33140c9fafd0N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Intelproc0G\devoptiloc.exe
  C:\Intelproc0G\devoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZZP\bodxloc.exe

Filesize
2.7MB

MD5
a8c1be742deea177b3ad41bf51a2444f

SHA1
45d66565fa0e566e9160860d4c7e78455c0660c9

SHA256
d0bc2d5db2fe6e9f13974e3d447794d8d64abbd936f8770fd3a5ed3947ed73d1

SHA512
26158fb2f1792235c9ac5463549cf0c2b10c6b7449e78c6020b59cd28829243a4a4965fb60d07fba6ccec26c434ac043c71c4aa835f204f7ea6c576eb20ea2f4

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
1a989b6f2e68fc8822d6441b994aa2ce

SHA1
acc7836adfe4b36e19e91f9ef9fbe341c18fa59c

SHA256
72025f40172a0470516e85168138a30349f81e323aaeb16a1afbfa2f56f6dd79

SHA512
c452af3404f416d5df03cb341aa66a3ca0774867a47841d76275c21501abf7957620451cb8ee3ecec5b40d3d9cf76217756ae0c63dddaaeac52e0ca3c19504e4

Download Submit
\Intelproc0G\devoptiloc.exe

Filesize
2.7MB

MD5
7d48aba18c66a2f304b7311a6ca93a74

SHA1
cfe6a050beafa99c6e602e72ad70228661e77bae

SHA256
6190594f9a3d5c48184ad07a6ce293c177b1cef88aca475e2a5ad206ae1dabe6

SHA512
4b5ab2df39d669c5491f1dbbf224f01335416a4b65c4b171bcc6da5600c8e2c9ac885f71c5cad276654aa58a8e0e3f0358f6e41eb699ed45dd1ecb29d9111148

Download Submit