a9e254d7bcaf5c33873f0b757e82ea736031bfc9e2b21605c6f16b9fd4f46895

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2024, 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DevManager/DevManager.exe
Size

494KB
MD5

0109a891c39acb8c0c5285d8e67ccd7e
SHA1

cb06b1a79aa67752e0c288f04a239bee1811725a
SHA256

4c263a080f0b64531ce51df30afe78dac4127195d02fe94ebb768c026eb42d91
SHA512

c9fb5db57225c49e4cd639c8b5f56f809675ac57bc1f58b65a79e00af5ca4c2c644b5d3ae0810fdc4da619cb39f4792856ed43c55bf22805bcbfb505c53df18c
SSDEEP

12288:LjkArEN249AyE/rbaMct4bO2/xTMp6Ijswghf+gbwlaY0Wgr:AFE//Tct4bOsB06IjsdhfHslB0Wgr

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
952	devcon.exe
3132	devcon.exe

AutoIT Executable 10 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral4/memory/5076-23-0x0000000000400000-0x00000000004B5000-memory.dmp	autoit_exe
behavioral4/memory/5076-24-0x0000000000400000-0x00000000004B5000-memory.dmp	autoit_exe
behavioral4/memory/5076-25-0x0000000000400000-0x00000000004B5000-memory.dmp	autoit_exe
behavioral4/memory/5076-27-0x0000000000400000-0x00000000004B5000-memory.dmp	autoit_exe
behavioral4/memory/5076-29-0x0000000000400000-0x00000000004B5000-memory.dmp	autoit_exe
behavioral4/memory/5076-30-0x0000000000400000-0x00000000004B5000-memory.dmp	autoit_exe
behavioral4/memory/5076-32-0x0000000000400000-0x00000000004B5000-memory.dmp	autoit_exe
behavioral4/memory/5076-33-0x0000000000400000-0x00000000004B5000-memory.dmp	autoit_exe
behavioral4/memory/5076-34-0x0000000000400000-0x00000000004B5000-memory.dmp	autoit_exe
behavioral4/memory/5076-36-0x0000000000400000-0x00000000004B5000-memory.dmp	autoit_exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\devcon.exe	DevManager.exe
File opened for modification	C:\Windows\SysWOW64\devcon.exe	DevManager.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/memory/5076-0-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral4/memory/5076-23-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral4/memory/5076-24-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral4/memory/5076-25-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral4/memory/5076-27-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral4/memory/5076-29-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral4/memory/5076-30-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral4/memory/5076-32-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral4/memory/5076-33-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral4/memory/5076-34-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral4/memory/5076-36-0x0000000000400000-0x00000000004B5000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DevManager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	devcon.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	devcon.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5076	DevManager.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe
5076	DevManager.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 3424	5076	DevManager.exe	85
PID 5076 wrote to memory of 3424	5076	DevManager.exe	85
PID 5076 wrote to memory of 3424	5076	DevManager.exe	85
PID 3424 wrote to memory of 952	3424	cmd.exe	87
PID 3424 wrote to memory of 952	3424	cmd.exe	87
PID 3424 wrote to memory of 952	3424	cmd.exe	87
PID 3424 wrote to memory of 3132	3424	cmd.exe	89
PID 3424 wrote to memory of 3132	3424	cmd.exe	89
PID 3424 wrote to memory of 3132	3424	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\DevManager\DevManager.exe
"C:\Users\Admin\AppData\Local\Temp\DevManager\DevManager.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c call C:\Windows\temp\Device.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3424
- - C:\Windows\SysWOW64\devcon.exe
    devcon status PCI\CC_0300
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks SCSI registry key(s)
    PID:952
- - C:\Windows\SysWOW64\devcon.exe
    devcon status PCI\VEN_10EC
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks SCSI registry key(s)
    PID:3132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\devcon.exe

Filesize
145KB

MD5
60347ff68ccc6e18f49a7179b0f0eb3e

SHA1
7e0d09107661d3498c2a553c7a92c57aa28129f6

SHA256
e21eecee093b890c82a343931dc40436d5eabc7b2c8e26ebd3295b90fd6a514a

SHA512
5a970199330a7d0b43f304f587d18c4f73a5679851275a3ed86f09ebb3b4a8eaea7603d0ccf378ae8792cb08e5b795f89ce4942fe3155c794bb2ad22bd40d63a

Download Submit
C:\Windows\Temp\1.txt

Filesize
158B

MD5
ff882d2c9ce3c5ac9a5e070d4404f867

SHA1
4ec02171be22021d4f05c3179ace48f0787b2b46

SHA256
14f8ffd83b422bc5c45897cdb96624115df2bbca68d87904e1790988a1e2b879

SHA512
85b21ea12bf572ed5c16c2c1914a41670a427bc4fc07c310afa1ed6b44bd90cbbcd39305519f64313775a9dba3450d8b30d5f8537a53e8efdae480cabe0becd6

Download Submit
C:\Windows\Temp\Device.esp

Filesize
47B

MD5
c87bbee982e66caa23c93bbe1a5aa44d

SHA1
d85278a9cb4c5bb7734e19e1d7e61ba1088b4bb0

SHA256
014f43154531de91419a602883419ceab568355282b4a51c26b9a6eafa839e54

SHA512
f146cae4842f1b3371fd4473ac5cf1227a18563704b72ab28fc4240e19b7ee808f9e2458ae7ef3b74716781d8621eefcbc7383884c2c08a3ab5ba8d74928cd03

Download Submit
C:\Windows\temp\Device.bat

Filesize
82B

MD5
a528f867d6e9190007b2dc4b8d766400

SHA1
b8a0f6e746f130b973fcfa6025d236313a673ef0

SHA256
738d86e64213fae8b02ba3b0d37de5ea2bf56e1a3ec5f9804cc22d1624fc68c0

SHA512
5bb7d83970b157d1c914e4e81d9fff03e5eece158b6c3557957ba11d3613308b982ed03da5ae12c6d618d83726776c65ff8d8e7ef0c9dee63a0759fcd8432756

Download Submit
memory/5076-24-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5076-23-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5076-0-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5076-25-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5076-27-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5076-29-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5076-30-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5076-32-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5076-33-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5076-34-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/5076-36-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download