d24b94b8442e2ab556693a6de5bbf1ad0d4799985ebdbcb8e61832616e2eb929

Analysis

max time kernel
119s
max time network
19s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
27-07-2024 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93d97c7037414c4e44cfedb7a7a46460N.exe
Size

2.7MB
MD5

93d97c7037414c4e44cfedb7a7a46460
SHA1

04721c94dc8f6c523a81ff86c3e8dfad45c510df
SHA256

d24b94b8442e2ab556693a6de5bbf1ad0d4799985ebdbcb8e61832616e2eb929
SHA512

a49ab73714351630514509c8baa725a142f5a28df063933beb63d9f20f3a3f5524548549d4f6c23de6446956b61d05b8811ada2d87d3b5e3c2f060c4aa56d73f
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB99w4S+:+R0pI/IQlUoMPdmpSpJ4X

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2324	devoptiec.exe

Loads dropped DLL 1 IoCs

pid	Process
1736	93d97c7037414c4e44cfedb7a7a46460N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe4L\\devoptiec.exe"	93d97c7037414c4e44cfedb7a7a46460N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBYF\\dobdevec.exe"	93d97c7037414c4e44cfedb7a7a46460N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93d97c7037414c4e44cfedb7a7a46460N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1736	93d97c7037414c4e44cfedb7a7a46460N.exe
1736	93d97c7037414c4e44cfedb7a7a46460N.exe
2324	devoptiec.exe
1736	93d97c7037414c4e44cfedb7a7a46460N.exe
2324	devoptiec.exe
1736	93d97c7037414c4e44cfedb7a7a46460N.exe
2324	devoptiec.exe
1736	93d97c7037414c4e44cfedb7a7a46460N.exe
2324	devoptiec.exe
1736	93d97c7037414c4e44cfedb7a7a46460N.exe
2324	devoptiec.exe
1736	93d97c7037414c4e44cfedb7a7a46460N.exe
2324	devoptiec.exe
1736	93d97c7037414c4e44cfedb7a7a46460N.exe
2324	devoptiec.exe
1736	93d97c7037414c4e44cfedb7a7a46460N.exe
2324	devoptiec.exe
1736	93d97c7037414c4e44cfedb7a7a46460N.exe
2324	devoptiec.exe
1736	93d97c7037414c4e44cfedb7a7a46460N.exe
2324	devoptiec.exe
1736	93d97c7037414c4e44cfedb7a7a46460N.exe
2324	devoptiec.exe
1736	93d97c7037414c4e44cfedb7a7a46460N.exe
2324	devoptiec.exe
1736	93d97c7037414c4e44cfedb7a7a46460N.exe
2324	devoptiec.exe
1736	93d97c7037414c4e44cfedb7a7a46460N.exe
2324	devoptiec.exe
1736	93d97c7037414c4e44cfedb7a7a46460N.exe
2324	devoptiec.exe
1736	93d97c7037414c4e44cfedb7a7a46460N.exe
2324	devoptiec.exe
1736	93d97c7037414c4e44cfedb7a7a46460N.exe
2324	devoptiec.exe
1736	93d97c7037414c4e44cfedb7a7a46460N.exe
2324	devoptiec.exe
1736	93d97c7037414c4e44cfedb7a7a46460N.exe
2324	devoptiec.exe
1736	93d97c7037414c4e44cfedb7a7a46460N.exe
2324	devoptiec.exe
1736	93d97c7037414c4e44cfedb7a7a46460N.exe
2324	devoptiec.exe
1736	93d97c7037414c4e44cfedb7a7a46460N.exe
2324	devoptiec.exe
1736	93d97c7037414c4e44cfedb7a7a46460N.exe
2324	devoptiec.exe
1736	93d97c7037414c4e44cfedb7a7a46460N.exe
2324	devoptiec.exe
1736	93d97c7037414c4e44cfedb7a7a46460N.exe
2324	devoptiec.exe
1736	93d97c7037414c4e44cfedb7a7a46460N.exe
2324	devoptiec.exe
1736	93d97c7037414c4e44cfedb7a7a46460N.exe
2324	devoptiec.exe
1736	93d97c7037414c4e44cfedb7a7a46460N.exe
2324	devoptiec.exe
1736	93d97c7037414c4e44cfedb7a7a46460N.exe
2324	devoptiec.exe
1736	93d97c7037414c4e44cfedb7a7a46460N.exe
2324	devoptiec.exe
1736	93d97c7037414c4e44cfedb7a7a46460N.exe
2324	devoptiec.exe
1736	93d97c7037414c4e44cfedb7a7a46460N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2324	1736	93d97c7037414c4e44cfedb7a7a46460N.exe	29
PID 1736 wrote to memory of 2324	1736	93d97c7037414c4e44cfedb7a7a46460N.exe	29
PID 1736 wrote to memory of 2324	1736	93d97c7037414c4e44cfedb7a7a46460N.exe	29
PID 1736 wrote to memory of 2324	1736	93d97c7037414c4e44cfedb7a7a46460N.exe	29

C:\Users\Admin\AppData\Local\Temp\93d97c7037414c4e44cfedb7a7a46460N.exe
"C:\Users\Admin\AppData\Local\Temp\93d97c7037414c4e44cfedb7a7a46460N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Adobe4L\devoptiec.exe
  C:\Adobe4L\devoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBYF\dobdevec.exe

Filesize
2.7MB

MD5
c43452d6bb597a04fe6aaadb001fc751

SHA1
758ea3d1c8f7d36a4c073894017da389ecf38cb7

SHA256
0191d0df75b4f4f0f7aaf1eaf1d40dd78269f3e0525fd9097f8d1c3d64b2a2ff

SHA512
1760a3d0cdf97432db30259299b589560ccba6200e4b570513fdfffbd954a9d6db6aa80207a3c9c7c51f964066a74d771232e652f26d91efc765505e84736587

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
b7669b653d3afb7694f3341172cc30f1

SHA1
3615375c96668d1082d68484a11b78b183078956

SHA256
1c1ee0da0edc4710254ef13d158f78904d5f353c46943abf2e26f2329c870f08

SHA512
9c2440537358f6074a72cf4e153863bf1ec8a0a1f100d8a3f852aa36f70f2a7c9e7f54867c4591d3812f7a3405923ab2f93313bdc2b0398abe6a5da4fa7fe953

Download Submit
\Adobe4L\devoptiec.exe

Filesize
2.7MB

MD5
74e687fe2e12b1a4fb06f787069bc2c5

SHA1
5c6e4e940b80c1251f29df426063067ce93c3c3f

SHA256
c25b02546515fcae4c4745809316cc2a06ad1968cc7a18f53aa964667077681d

SHA512
c65791ab5be34e1ba8dbec2608d7e06cd1768f18465cd636ad5c81aa1f74d214fee8a5217e2634209845afa9e98e570456b564e64d160f3df135648a4a4c824a

Download Submit