69c5cda07427383dfd835e0e35061f5178093201a6709cc14fc36834fcd3b7ee

Analysis

max time kernel
44s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69c5cda07427383dfd835e0e35061f5178093201a6709cc14fc36834fcd3b7ee.exe
Size

4.0MB
MD5

87dd9a924d5c984a2fb097202757c3eb
SHA1

66cd472f720f4f9b47fb8bebefdcbd62221c3be4
SHA256

69c5cda07427383dfd835e0e35061f5178093201a6709cc14fc36834fcd3b7ee
SHA512

20e1638338f838e146ccf9e44d1ac6df9b829fafb9cb2f73dde6177b82412ee09cacb402e21fa1769ac8517655c3aa5ca9f8d52668c6651736f48f762ba5782a
SSDEEP

98304:73S/a/VqVI0hME0Q4uDBB/U6Lx4BO8mCiSdKe5:zS/QwVIu4uDHh4BO1CBdh5

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

optprosetup.exeoptprosetup.tmpOptProStart.exe

pid process

2032 optprosetup.exe
2040 optprosetup.tmp
604 OptProStart.exe

pid	process
2032	optprosetup.exe
2040	optprosetup.tmp
604	OptProStart.exe

Loads dropped DLL 11 IoCs

Processes:

69c5cda07427383dfd835e0e35061f5178093201a6709cc14fc36834fcd3b7ee.exeoptprosetup.exeoptprosetup.tmp

pid	process
1724	69c5cda07427383dfd835e0e35061f5178093201a6709cc14fc36834fcd3b7ee.exe
2032	optprosetup.exe
2040	optprosetup.tmp
2040	optprosetup.tmp
2040	optprosetup.tmp
2040	optprosetup.tmp
2040	optprosetup.tmp
2040	optprosetup.tmp
2040	optprosetup.tmp
2040	optprosetup.tmp
2040	optprosetup.tmp

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

optprosetup.tmp

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Optimizer Pro = "C:\\Program Files (x86)\\Optimizer Pro\\OptProLauncher.exe"	optprosetup.tmp
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	optprosetup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 35 IoCs

Processes:

optprosetup.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\Optimizer Pro\OptProSmartScan.exe	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-2MI0L.tmp	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-E1FK2.tmp	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-71BE1.tmp	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-GQNQR.tmp	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\OptProReminder.exe	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\OptProStart.exe	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\OptProGuard.exe	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-3AT4J.tmp	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\OptProHelper.dll	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\unins000.dat	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-2TSUU.tmp	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-85MR6.tmp	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-NMMVH.tmp	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-7M80P.tmp	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\unins000.msg	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\OptimizerPro.exe	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\OptProLauncher.exe	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\OptProSchedule.exe	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-M0GIG.tmp	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-JFEHR.tmp	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-NSD7B.tmp	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\OptProUninstaller.exe	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\OptimizerPro.chm	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-J7E9R.tmp	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-CGNFE.tmp	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\itdownload.dll	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-G3M9Q.tmp	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\unins000.dat	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\sqlite3.dll	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-S8IT4.tmp	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-VG4K7.tmp	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-EINS8.tmp	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-JEIIG.tmp	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-D70C7.tmp	optprosetup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

optprosetup.tmp

pid process

2040 optprosetup.tmp
2040 optprosetup.tmp
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

optprosetup.tmp

pid process

2040 optprosetup.tmp

pid	process
2040	optprosetup.tmp
2040	optprosetup.tmp

pid	process
2040	optprosetup.tmp

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

69c5cda07427383dfd835e0e35061f5178093201a6709cc14fc36834fcd3b7ee.exeoptprosetup.exeoptprosetup.tmp

description	pid	process	target process
PID 1724 wrote to memory of 2032	1724	69c5cda07427383dfd835e0e35061f5178093201a6709cc14fc36834fcd3b7ee.exe	optprosetup.exe
PID 1724 wrote to memory of 2032	1724	69c5cda07427383dfd835e0e35061f5178093201a6709cc14fc36834fcd3b7ee.exe	optprosetup.exe
PID 1724 wrote to memory of 2032	1724	69c5cda07427383dfd835e0e35061f5178093201a6709cc14fc36834fcd3b7ee.exe	optprosetup.exe
PID 1724 wrote to memory of 2032	1724	69c5cda07427383dfd835e0e35061f5178093201a6709cc14fc36834fcd3b7ee.exe	optprosetup.exe
PID 1724 wrote to memory of 2032	1724	69c5cda07427383dfd835e0e35061f5178093201a6709cc14fc36834fcd3b7ee.exe	optprosetup.exe
PID 1724 wrote to memory of 2032	1724	69c5cda07427383dfd835e0e35061f5178093201a6709cc14fc36834fcd3b7ee.exe	optprosetup.exe
PID 1724 wrote to memory of 2032	1724	69c5cda07427383dfd835e0e35061f5178093201a6709cc14fc36834fcd3b7ee.exe	optprosetup.exe
PID 2032 wrote to memory of 2040	2032	optprosetup.exe	optprosetup.tmp
PID 2032 wrote to memory of 2040	2032	optprosetup.exe	optprosetup.tmp
PID 2032 wrote to memory of 2040	2032	optprosetup.exe	optprosetup.tmp
PID 2032 wrote to memory of 2040	2032	optprosetup.exe	optprosetup.tmp
PID 2032 wrote to memory of 2040	2032	optprosetup.exe	optprosetup.tmp
PID 2032 wrote to memory of 2040	2032	optprosetup.exe	optprosetup.tmp
PID 2032 wrote to memory of 2040	2032	optprosetup.exe	optprosetup.tmp
PID 2040 wrote to memory of 604	2040	optprosetup.tmp	OptProStart.exe
PID 2040 wrote to memory of 604	2040	optprosetup.tmp	OptProStart.exe
PID 2040 wrote to memory of 604	2040	optprosetup.tmp	OptProStart.exe
PID 2040 wrote to memory of 604	2040	optprosetup.tmp	OptProStart.exe

C:\Users\Admin\AppData\Local\Temp\69c5cda07427383dfd835e0e35061f5178093201a6709cc14fc36834fcd3b7ee.exe
"C:\Users\Admin\AppData\Local\Temp\69c5cda07427383dfd835e0e35061f5178093201a6709cc14fc36834fcd3b7ee.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Local\Temp\optprosetup.exe
C:\Users\Admin\AppData\Local\Temp\\optprosetup.exe /VERYSILENT
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Local\Temp\is-7UISF.tmp\optprosetup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7UISF.tmp\optprosetup.tmp" /SL5="$70122,3513242,85504,C:\Users\Admin\AppData\Local\Temp\optprosetup.exe" /VERYSILENT
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2040

C:\Program Files (x86)\Optimizer Pro\OptProStart.exe
"C:\Program Files (x86)\Optimizer Pro\OptProStart.exe"
4⤵
- Executes dropped EXE
PID:604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Optimizer Pro\OptProStart.exe
Filesize
645KB

MD5
4907726aac79f4de2c586ff7a00ed4a2

SHA1
3139d373051e57742ca7880d1997881ce45269d3

SHA256
1f5fd63f7bff857d4c5925ec6b3f111ac0efd2cb72665439436177dd6a2e4d9d

SHA512
2d25f45224cb46dd30ac7b97186486caeed2ae14fc92e6adf78fb003715f43d6e2cf969c2272791b84347bcaf4ff68e65ab519705c729220fe1b3181c640b9f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UISF.tmp\optprosetup.tmp
Filesize
1.1MB

MD5
ef7f8bae72830ceaf53ad9b8425534ca

SHA1
c863cf8a9bbbbc46b6b64ce184c999d06ce5ced8

SHA256
f4c0503beaa358e281b685c80ef4fe23b51c3dd5cbae4aa26da8c33d9f412766

SHA512
a657ccf1197710a427e7e434634ca613156856fe27e5cd39f336a3e3c1e00c40cef164a332d8d2269a43bbd24a3c6d57c1ebff9c00386c24e0db9f072fe95a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7UISF.tmp\optprosetup.tmp
Filesize
1.1MB

MD5
ef7f8bae72830ceaf53ad9b8425534ca

SHA1
c863cf8a9bbbbc46b6b64ce184c999d06ce5ced8

SHA256
f4c0503beaa358e281b685c80ef4fe23b51c3dd5cbae4aa26da8c33d9f412766

SHA512
a657ccf1197710a427e7e434634ca613156856fe27e5cd39f336a3e3c1e00c40cef164a332d8d2269a43bbd24a3c6d57c1ebff9c00386c24e0db9f072fe95a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\optprosetup.exe
Filesize
3.8MB

MD5
37bfa3862c28a623f8eb0e9fa5999c11

SHA1
d89cf1b775c1f31b1981822187066d1360170a55

SHA256
8c9baf760abcb505713dfe97d6ae13f1aee565deeb55ae30bbb773167c5a799a

SHA512
c6fe6ace03713b6be3dd13898282fd5c0a8c9df11c8c6b57af1816524670ce3f34331f84e1a593558814f70bef72a0b0bce31a047a0ee3cf2758b2b4fc2aab6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\optprosetup.exe
Filesize
3.8MB

MD5
37bfa3862c28a623f8eb0e9fa5999c11

SHA1
d89cf1b775c1f31b1981822187066d1360170a55

SHA256
8c9baf760abcb505713dfe97d6ae13f1aee565deeb55ae30bbb773167c5a799a

SHA512
c6fe6ace03713b6be3dd13898282fd5c0a8c9df11c8c6b57af1816524670ce3f34331f84e1a593558814f70bef72a0b0bce31a047a0ee3cf2758b2b4fc2aab6c

Download Submit
\Program Files (x86)\Optimizer Pro\OptProStart.exe
Filesize
645KB

MD5
4907726aac79f4de2c586ff7a00ed4a2

SHA1
3139d373051e57742ca7880d1997881ce45269d3

SHA256
1f5fd63f7bff857d4c5925ec6b3f111ac0efd2cb72665439436177dd6a2e4d9d

SHA512
2d25f45224cb46dd30ac7b97186486caeed2ae14fc92e6adf78fb003715f43d6e2cf969c2272791b84347bcaf4ff68e65ab519705c729220fe1b3181c640b9f6

Download Submit
\Program Files (x86)\Optimizer Pro\OptProStart.exe
Filesize
645KB

MD5
4907726aac79f4de2c586ff7a00ed4a2

SHA1
3139d373051e57742ca7880d1997881ce45269d3

SHA256
1f5fd63f7bff857d4c5925ec6b3f111ac0efd2cb72665439436177dd6a2e4d9d

SHA512
2d25f45224cb46dd30ac7b97186486caeed2ae14fc92e6adf78fb003715f43d6e2cf969c2272791b84347bcaf4ff68e65ab519705c729220fe1b3181c640b9f6

Download Submit
\Program Files (x86)\Optimizer Pro\OptimizerPro.exe
Filesize
3.1MB

MD5
54e036c1de402575f5c5dc2abc62e027

SHA1
f5d3a332a21ba3baf0285323dee02c66ae040e62

SHA256
b7af11a0078a76e5bc98a1e0f90902334ca5bef842fd1ec2953b8d170405e214

SHA512
dbe30aba56b49efae6609b9c14aa53a6a02789ab216947d1950aead4c30fe68098d82bec4c4610c065ddf809cfd0a01aa11e677588d45d12e8cbdc54079d60a7

Download Submit
\Program Files (x86)\Optimizer Pro\OptimizerPro.exe
Filesize
3.1MB

MD5
54e036c1de402575f5c5dc2abc62e027

SHA1
f5d3a332a21ba3baf0285323dee02c66ae040e62

SHA256
b7af11a0078a76e5bc98a1e0f90902334ca5bef842fd1ec2953b8d170405e214

SHA512
dbe30aba56b49efae6609b9c14aa53a6a02789ab216947d1950aead4c30fe68098d82bec4c4610c065ddf809cfd0a01aa11e677588d45d12e8cbdc54079d60a7

Download Submit
\Program Files (x86)\Optimizer Pro\OptimizerPro.exe
Filesize
3.1MB

MD5
54e036c1de402575f5c5dc2abc62e027

SHA1
f5d3a332a21ba3baf0285323dee02c66ae040e62

SHA256
b7af11a0078a76e5bc98a1e0f90902334ca5bef842fd1ec2953b8d170405e214

SHA512
dbe30aba56b49efae6609b9c14aa53a6a02789ab216947d1950aead4c30fe68098d82bec4c4610c065ddf809cfd0a01aa11e677588d45d12e8cbdc54079d60a7

Download Submit
\Program Files (x86)\Optimizer Pro\unins000.exe
Filesize
1.1MB

MD5
ef7f8bae72830ceaf53ad9b8425534ca

SHA1
c863cf8a9bbbbc46b6b64ce184c999d06ce5ced8

SHA256
f4c0503beaa358e281b685c80ef4fe23b51c3dd5cbae4aa26da8c33d9f412766

SHA512
a657ccf1197710a427e7e434634ca613156856fe27e5cd39f336a3e3c1e00c40cef164a332d8d2269a43bbd24a3c6d57c1ebff9c00386c24e0db9f072fe95a2a

Download Submit
\Users\Admin\AppData\Local\Temp\is-7UISF.tmp\optprosetup.tmp
Filesize
1.1MB

MD5
ef7f8bae72830ceaf53ad9b8425534ca

SHA1
c863cf8a9bbbbc46b6b64ce184c999d06ce5ced8

SHA256
f4c0503beaa358e281b685c80ef4fe23b51c3dd5cbae4aa26da8c33d9f412766

SHA512
a657ccf1197710a427e7e434634ca613156856fe27e5cd39f336a3e3c1e00c40cef164a332d8d2269a43bbd24a3c6d57c1ebff9c00386c24e0db9f072fe95a2a

Download Submit
\Users\Admin\AppData\Local\Temp\is-F2UKN.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-F2UKN.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-F2UKN.tmp\itdownload.dll
Filesize
200KB

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
\Users\Admin\AppData\Local\Temp\optprosetup.exe
Filesize
3.8MB

MD5
37bfa3862c28a623f8eb0e9fa5999c11

SHA1
d89cf1b775c1f31b1981822187066d1360170a55

SHA256
8c9baf760abcb505713dfe97d6ae13f1aee565deeb55ae30bbb773167c5a799a

SHA512
c6fe6ace03713b6be3dd13898282fd5c0a8c9df11c8c6b57af1816524670ce3f34331f84e1a593558814f70bef72a0b0bce31a047a0ee3cf2758b2b4fc2aab6c

Download Submit
memory/604-77-0x0000000000000000-mapping.dmp

Download
memory/2032-60-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2032-58-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2032-57-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download
memory/2032-55-0x0000000000000000-mapping.dmp

Download
memory/2032-80-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2040-69-0x0000000074181000-0x0000000074183000-memory.dmp

Filesize
8KB

Download
memory/2040-68-0x0000000002090000-0x00000000020CC000-memory.dmp

Filesize
240KB

Download
memory/2040-62-0x0000000000000000-mapping.dmp

Download