69c5cda07427383dfd835e0e35061f5178093201a6709cc14fc36834fcd3b7ee

General

Target

69c5cda07427383dfd835e0e35061f5178093201a6709cc14fc36834fcd3b7ee.exe
Size

4.0MB
MD5

87dd9a924d5c984a2fb097202757c3eb
SHA1

66cd472f720f4f9b47fb8bebefdcbd62221c3be4
SHA256

69c5cda07427383dfd835e0e35061f5178093201a6709cc14fc36834fcd3b7ee
SHA512

20e1638338f838e146ccf9e44d1ac6df9b829fafb9cb2f73dde6177b82412ee09cacb402e21fa1769ac8517655c3aa5ca9f8d52668c6651736f48f762ba5782a
SSDEEP

98304:73S/a/VqVI0hME0Q4uDBB/U6Lx4BO8mCiSdKe5:zS/QwVIu4uDHh4BO1CBdh5

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

optprosetup.exeoptprosetup.tmpOptProStart.exe

pid process

2708 optprosetup.exe
3588 optprosetup.tmp
2540 OptProStart.exe

pid	process
2708	optprosetup.exe
3588	optprosetup.tmp
2540	OptProStart.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

optprosetup.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	optprosetup.tmp

Loads dropped DLL 2 IoCs

Processes:

optprosetup.tmp

pid process

3588 optprosetup.tmp
3588 optprosetup.tmp

pid	process
3588	optprosetup.tmp
3588	optprosetup.tmp

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

optprosetup.tmp

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	optprosetup.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Optimizer Pro = "C:\\Program Files (x86)\\Optimizer Pro\\OptProLauncher.exe"	optprosetup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 35 IoCs

Processes:

optprosetup.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\Optimizer Pro\OptProGuard.exe	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-1G2K9.tmp	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-DO6RS.tmp	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-L3VBS.tmp	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-1H1BE.tmp	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-HUF7B.tmp	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\OptProLauncher.exe	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\unins000.dat	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-NVOP1.tmp	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-5R4EB.tmp	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-GPPO0.tmp	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\OptimizerPro.chm	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-FF4MB.tmp	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-23OQH.tmp	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-QPS4Q.tmp	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-QP89V.tmp	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\unins000.dat	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\OptProSmartScan.exe	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-QKADA.tmp	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-ODJLP.tmp	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-KCKNE.tmp	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\unins000.msg	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\sqlite3.dll	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\OptProStart.exe	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\OptProUninstaller.exe	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\itdownload.dll	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-LRUQ5.tmp	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-8IEIN.tmp	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\OptimizerPro.exe	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\OptProReminder.exe	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\OptProHelper.dll	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-SI9JC.tmp	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-4VSC5.tmp	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\OptProSchedule.exe	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-I722S.tmp	optprosetup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

optprosetup.tmp

pid process

3588 optprosetup.tmp
3588 optprosetup.tmp
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

optprosetup.tmp

pid process

3588 optprosetup.tmp

pid	process
3588	optprosetup.tmp
3588	optprosetup.tmp

pid	process
3588	optprosetup.tmp

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

69c5cda07427383dfd835e0e35061f5178093201a6709cc14fc36834fcd3b7ee.exeoptprosetup.exeoptprosetup.tmp

description	pid	process	target process
PID 5072 wrote to memory of 2708	5072	69c5cda07427383dfd835e0e35061f5178093201a6709cc14fc36834fcd3b7ee.exe	optprosetup.exe
PID 5072 wrote to memory of 2708	5072	69c5cda07427383dfd835e0e35061f5178093201a6709cc14fc36834fcd3b7ee.exe	optprosetup.exe
PID 5072 wrote to memory of 2708	5072	69c5cda07427383dfd835e0e35061f5178093201a6709cc14fc36834fcd3b7ee.exe	optprosetup.exe
PID 2708 wrote to memory of 3588	2708	optprosetup.exe	optprosetup.tmp
PID 2708 wrote to memory of 3588	2708	optprosetup.exe	optprosetup.tmp
PID 2708 wrote to memory of 3588	2708	optprosetup.exe	optprosetup.tmp
PID 3588 wrote to memory of 2540	3588	optprosetup.tmp	OptProStart.exe
PID 3588 wrote to memory of 2540	3588	optprosetup.tmp	OptProStart.exe
PID 3588 wrote to memory of 2540	3588	optprosetup.tmp	OptProStart.exe

C:\Users\Admin\AppData\Local\Temp\69c5cda07427383dfd835e0e35061f5178093201a6709cc14fc36834fcd3b7ee.exe
"C:\Users\Admin\AppData\Local\Temp\69c5cda07427383dfd835e0e35061f5178093201a6709cc14fc36834fcd3b7ee.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5072

C:\Users\Admin\AppData\Local\Temp\optprosetup.exe
C:\Users\Admin\AppData\Local\Temp\\optprosetup.exe /VERYSILENT
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708

C:\Users\Admin\AppData\Local\Temp\is-VG60Q.tmp\optprosetup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VG60Q.tmp\optprosetup.tmp" /SL5="$80056,3513242,85504,C:\Users\Admin\AppData\Local\Temp\optprosetup.exe" /VERYSILENT
3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3588

C:\Program Files (x86)\Optimizer Pro\OptProStart.exe
"C:\Program Files (x86)\Optimizer Pro\OptProStart.exe"
4⤵
- Executes dropped EXE
PID:2540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Optimizer Pro\OptProStart.exe

Filesize
645KB

MD5
4907726aac79f4de2c586ff7a00ed4a2

SHA1
3139d373051e57742ca7880d1997881ce45269d3

SHA256
1f5fd63f7bff857d4c5925ec6b3f111ac0efd2cb72665439436177dd6a2e4d9d

SHA512
2d25f45224cb46dd30ac7b97186486caeed2ae14fc92e6adf78fb003715f43d6e2cf969c2272791b84347bcaf4ff68e65ab519705c729220fe1b3181c640b9f6

Download Submit
C:\Program Files (x86)\Optimizer Pro\OptProStart.exe

Filesize
645KB

MD5
4907726aac79f4de2c586ff7a00ed4a2

SHA1
3139d373051e57742ca7880d1997881ce45269d3

SHA256
1f5fd63f7bff857d4c5925ec6b3f111ac0efd2cb72665439436177dd6a2e4d9d

SHA512
2d25f45224cb46dd30ac7b97186486caeed2ae14fc92e6adf78fb003715f43d6e2cf969c2272791b84347bcaf4ff68e65ab519705c729220fe1b3181c640b9f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G7F3C.tmp\itdownload.dll

Filesize
200KB

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G7F3C.tmp\itdownload.dll

Filesize
200KB

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VG60Q.tmp\optprosetup.tmp

Filesize
1.1MB

MD5
ef7f8bae72830ceaf53ad9b8425534ca

SHA1
c863cf8a9bbbbc46b6b64ce184c999d06ce5ced8

SHA256
f4c0503beaa358e281b685c80ef4fe23b51c3dd5cbae4aa26da8c33d9f412766

SHA512
a657ccf1197710a427e7e434634ca613156856fe27e5cd39f336a3e3c1e00c40cef164a332d8d2269a43bbd24a3c6d57c1ebff9c00386c24e0db9f072fe95a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VG60Q.tmp\optprosetup.tmp

Filesize
1.1MB

MD5
ef7f8bae72830ceaf53ad9b8425534ca

SHA1
c863cf8a9bbbbc46b6b64ce184c999d06ce5ced8

SHA256
f4c0503beaa358e281b685c80ef4fe23b51c3dd5cbae4aa26da8c33d9f412766

SHA512
a657ccf1197710a427e7e434634ca613156856fe27e5cd39f336a3e3c1e00c40cef164a332d8d2269a43bbd24a3c6d57c1ebff9c00386c24e0db9f072fe95a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\optprosetup.exe

Filesize
3.8MB

MD5
37bfa3862c28a623f8eb0e9fa5999c11

SHA1
d89cf1b775c1f31b1981822187066d1360170a55

SHA256
8c9baf760abcb505713dfe97d6ae13f1aee565deeb55ae30bbb773167c5a799a

SHA512
c6fe6ace03713b6be3dd13898282fd5c0a8c9df11c8c6b57af1816524670ce3f34331f84e1a593558814f70bef72a0b0bce31a047a0ee3cf2758b2b4fc2aab6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\optprosetup.exe

Filesize
3.8MB

MD5
37bfa3862c28a623f8eb0e9fa5999c11

SHA1
d89cf1b775c1f31b1981822187066d1360170a55

SHA256
8c9baf760abcb505713dfe97d6ae13f1aee565deeb55ae30bbb773167c5a799a

SHA512
c6fe6ace03713b6be3dd13898282fd5c0a8c9df11c8c6b57af1816524670ce3f34331f84e1a593558814f70bef72a0b0bce31a047a0ee3cf2758b2b4fc2aab6c

Download Submit
memory/2540-143-0x0000000000000000-mapping.dmp

Download
memory/2708-135-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2708-139-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2708-132-0x0000000000000000-mapping.dmp

Download
memory/2708-146-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3588-142-0x0000000003320000-0x000000000335C000-memory.dmp

Filesize
240KB

Download
memory/3588-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads