6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe
Size

2.7MB
MD5

bb0f185838cb005467c702d14c9a7694
SHA1

7a184a5899845aca5e387268d35eedafa752d5ef
SHA256

6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa
SHA512

33885f317b3593838650701a0ab702ac5c9426077d60482c3a21ef99437d93b32a3c905ab42e4a358e0b66e02ce5d4d9696bf1def4ba51cbec659bdc630b3125
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBK9w4Sx:+R0pI/IQlUoMPdmpSp84

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2336	devoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files6X\\devoptisys.exe"	6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBJ3\\bodxloc.exe"	6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptisys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4556	6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe
4556	6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe
4556	6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe
4556	6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe
2336	devoptisys.exe
2336	devoptisys.exe
4556	6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe
4556	6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe
2336	devoptisys.exe
2336	devoptisys.exe
4556	6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe
4556	6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe
2336	devoptisys.exe
2336	devoptisys.exe
4556	6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe
4556	6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe
2336	devoptisys.exe
2336	devoptisys.exe
4556	6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe
4556	6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe
2336	devoptisys.exe
2336	devoptisys.exe
4556	6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe
4556	6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe
2336	devoptisys.exe
2336	devoptisys.exe
4556	6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe
4556	6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe
2336	devoptisys.exe
2336	devoptisys.exe
4556	6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe
4556	6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe
2336	devoptisys.exe
2336	devoptisys.exe
4556	6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe
4556	6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe
2336	devoptisys.exe
2336	devoptisys.exe
4556	6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe
4556	6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe
2336	devoptisys.exe
2336	devoptisys.exe
4556	6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe
4556	6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe
2336	devoptisys.exe
2336	devoptisys.exe
4556	6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe
4556	6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe
2336	devoptisys.exe
2336	devoptisys.exe
4556	6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe
4556	6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe
2336	devoptisys.exe
2336	devoptisys.exe
4556	6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe
4556	6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe
2336	devoptisys.exe
2336	devoptisys.exe
4556	6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe
4556	6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe
2336	devoptisys.exe
2336	devoptisys.exe
4556	6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe
4556	6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4556 wrote to memory of 2336	4556	6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe	88
PID 4556 wrote to memory of 2336	4556	6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe	88
PID 4556 wrote to memory of 2336	4556	6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe	88

C:\Users\Admin\AppData\Local\Temp\6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe
"C:\Users\Admin\AppData\Local\Temp\6ca6287e865ef445cfb93e7f2cdb2dbbd06909a5ad027884ef4540a9ab811efa.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Files6X\devoptisys.exe
  C:\Files6X\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files6X\devoptisys.exe

Filesize
2.7MB

MD5
56935158529b9a0d532107de76c07198

SHA1
31a744461017977ec15bf7a11459ccea92083e53

SHA256
5ff88c136f1e2a300946057126c73d5e6faf79e7c5eb4238f5881b08b173c0d9

SHA512
473312691b1a8507bea887ffed9816875bc8f3eb308f6148baaaf915cea7d4da302b9ceb9296747da7123a7f3eb016dbab814076825bf998d14f47019adc13f7

Download Submit
C:\KaVBJ3\bodxloc.exe

Filesize
2.7MB

MD5
ec179e841ad9d289096619d2b5d4281d

SHA1
a74d638e68a24a3e1faa17f00961cf08a3aea356

SHA256
53f5ead2640404258eadb218b5a54b0bf09c97e7d3112f1d1d1cb2e1c779684a

SHA512
132bd7a5370e6e6dee1038513e9bb2f0e6aa15bc5baabea645708e197626c9f1379c3e2bb565a9c6f414df8044f7c69f87d80c77de7221b44e914d556ad121a9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
bef5e45ea93a48b9800e074585f43e94

SHA1
fcb7fdba29adc81b2f191d01e3d7fd212ed54781

SHA256
c6a124a795cb7429371ee54150dc4253ec713901847108087f06bed2e6016cf4

SHA512
9c4511473003dc77e46588cf033b56f2196daa8580e332d785d80a9f735941462746f5d8652ce7a057b711f2d912beda5d41f8376185e331d81f7435551f11f7

Download Submit