bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
18-08-2024 04:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe
Size

3.1MB
MD5

334fea6e07d86851cca897bac4320aaa
SHA1

060b59254cd7b72d21347e691087a7b9ff484435
SHA256

bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5
SHA512

3004f7c46821da831e973d352ffdb9d3df7818988bf38be38aee6d02a39a11575efe314c8204ba2124fe5f6e23c942e78f58483e36b3de5dc889d60d40b386c8
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBn9w4Su+LNfej:+R0pI/IQlUoMPdmpSpf4JkNfej

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2900	devoptisys.exe

Loads dropped DLL 1 IoCs

pid	Process
2460	bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesXH\\devoptisys.exe"	bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZQF\\optidevloc.exe"	bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devoptisys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2460	bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe
2460	bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe
2900	devoptisys.exe
2460	bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe
2900	devoptisys.exe
2460	bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe
2900	devoptisys.exe
2460	bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe
2900	devoptisys.exe
2460	bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe
2900	devoptisys.exe
2460	bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe
2900	devoptisys.exe
2460	bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe
2900	devoptisys.exe
2460	bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe
2900	devoptisys.exe
2460	bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe
2900	devoptisys.exe
2460	bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe
2900	devoptisys.exe
2460	bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe
2900	devoptisys.exe
2460	bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe
2900	devoptisys.exe
2460	bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe
2900	devoptisys.exe
2460	bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe
2900	devoptisys.exe
2460	bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe
2900	devoptisys.exe
2460	bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe
2900	devoptisys.exe
2460	bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe
2900	devoptisys.exe
2460	bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe
2900	devoptisys.exe
2460	bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe
2900	devoptisys.exe
2460	bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe
2900	devoptisys.exe
2460	bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe
2900	devoptisys.exe
2460	bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe
2900	devoptisys.exe
2460	bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe
2900	devoptisys.exe
2460	bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe
2900	devoptisys.exe
2460	bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe
2900	devoptisys.exe
2460	bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe
2900	devoptisys.exe
2460	bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe
2900	devoptisys.exe
2460	bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe
2900	devoptisys.exe
2460	bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe
2900	devoptisys.exe
2460	bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe
2900	devoptisys.exe
2460	bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe
2900	devoptisys.exe
2460	bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2900	2460	bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe	31
PID 2460 wrote to memory of 2900	2460	bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe	31
PID 2460 wrote to memory of 2900	2460	bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe	31
PID 2460 wrote to memory of 2900	2460	bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe	31

C:\Users\Admin\AppData\Local\Temp\bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe
"C:\Users\Admin\AppData\Local\Temp\bf630450ac7d6720c7806648f779528c42a884f46c470884c112c992c39a2de5.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2460
- C:\FilesXH\devoptisys.exe
  C:\FilesXH\devoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZQF\optidevloc.exe

Filesize
3.1MB

MD5
374183eecfd891e657127b29a51cb5c3

SHA1
3e514b8018dcd7ba7f83443f99a4e05980f534a1

SHA256
f7b4383ee695c8a358f22c79917a795708c573ad190e98b91a9140d14cdf421d

SHA512
7eafc4f56c88a2f4965b3441211fd998d7684721e9ba9dd916b93b2e7c70773eb621d282b2f399470dfe84231a44631e5331019c7dfb91d41465e7599653e5fa

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
df1f5f864fef8fc3cb0a23fb7528c26c

SHA1
486c4e2fd633bc4f7ccd9fbb4e8f585e245ed2d3

SHA256
d100f18ea2c3a687bbdad8eb4e2722b12dd186d4e18b15f63aa512c9e3a97881

SHA512
0c0effa5f5fe89508bfac31167a1cb209ede3cdfc673ab3857bd54be6668a45cad7b949102e7fa86c900eae1866cbd8f5969997a13e02b8cbcc6923e4a51893f

Download Submit
\FilesXH\devoptisys.exe

Filesize
3.1MB

MD5
ecf40da39f0313352309d912412c89f9

SHA1
171e229813d13c76244e312a7355c98f7a3cdb74

SHA256
765c44a18c12975fd9380ec3ed73b4cb48c4811ec26c06bc300545f8016dd3f4

SHA512
b9acbe668db4a3de19617b3bcc8c602e8f3cbbee3fc31aed43e40d0af0b0129592080d2e9552359565578be6f8d5d48e1f515524c14e3bfd5076d94efc0e48bd

Download Submit