Analysis
-
max time kernel
186s -
max time network
210s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2022 11:25
Static task
static1
Behavioral task
behavioral1
Sample
e8d7808790a32107a98a2764f4012f2111d79ad0979d835fbc4b2d0e47158c33.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
e8d7808790a32107a98a2764f4012f2111d79ad0979d835fbc4b2d0e47158c33.exe
Resource
win10v2004-20221111-en
General
-
Target
e8d7808790a32107a98a2764f4012f2111d79ad0979d835fbc4b2d0e47158c33.exe
-
Size
5.7MB
-
MD5
a710eb2b17da7731d5e4a8169da04d63
-
SHA1
2ab80868e67317e92b1f56a8825af984768b6bc8
-
SHA256
e8d7808790a32107a98a2764f4012f2111d79ad0979d835fbc4b2d0e47158c33
-
SHA512
202eeab5778eb3c83f44a0eca80e34e7346ade985c2229894dc22cec05e6dc42a251595b9cce518d6a9691840397f3810baffd7f1a6bddd64c2157d32c2c4305
-
SSDEEP
98304:1L+p957/mfkAb0JOyEmi+thHGAa0P9CQOGCfRJ2jlTDZ2l4wdcACdcruV95czq:B89J/ANzywiJlgQNUJ2BTDYiqcAViVwO
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
optprosetup.exeoptprosetup.tmppid process 208 optprosetup.exe 4588 optprosetup.tmp -
Loads dropped DLL 3 IoCs
Processes:
optprosetup.tmppid process 4588 optprosetup.tmp 4588 optprosetup.tmp 4588 optprosetup.tmp -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
optprosetup.tmpdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Optimizer Pro = "C:\\Program Files (x86)\\Optimizer Pro\\OptProLauncher.exe" optprosetup.tmp Key created \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run optprosetup.tmp -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 35 IoCs
Processes:
optprosetup.tmpdescription ioc process File opened for modification C:\Program Files (x86)\Optimizer Pro\OptProStart.exe optprosetup.tmp File created C:\Program Files (x86)\Optimizer Pro\is-JO74K.tmp optprosetup.tmp File created C:\Program Files (x86)\Optimizer Pro\is-007F7.tmp optprosetup.tmp File created C:\Program Files (x86)\Optimizer Pro\is-G7CNU.tmp optprosetup.tmp File created C:\Program Files (x86)\Optimizer Pro\is-1HIIK.tmp optprosetup.tmp File created C:\Program Files (x86)\Optimizer Pro\is-TC65I.tmp optprosetup.tmp File opened for modification C:\Program Files (x86)\Optimizer Pro\unins000.dat optprosetup.tmp File created C:\Program Files (x86)\Optimizer Pro\is-U879M.tmp optprosetup.tmp File opened for modification C:\Program Files (x86)\Optimizer Pro\OptProReminder.exe optprosetup.tmp File opened for modification C:\Program Files (x86)\Optimizer Pro\OptProLauncher.exe optprosetup.tmp File opened for modification C:\Program Files (x86)\Optimizer Pro\OptProUninstaller.exe optprosetup.tmp File opened for modification C:\Program Files (x86)\Optimizer Pro\OptProHelper.dll optprosetup.tmp File created C:\Program Files (x86)\Optimizer Pro\is-0HEU2.tmp optprosetup.tmp File created C:\Program Files (x86)\Optimizer Pro\is-35IR9.tmp optprosetup.tmp File created C:\Program Files (x86)\Optimizer Pro\is-KEPTD.tmp optprosetup.tmp File opened for modification C:\Program Files (x86)\Optimizer Pro\sqlite3.dll optprosetup.tmp File opened for modification C:\Program Files (x86)\Optimizer Pro\OptProGuard.exe optprosetup.tmp File opened for modification C:\Program Files (x86)\Optimizer Pro\itdownload.dll optprosetup.tmp File created C:\Program Files (x86)\Optimizer Pro\is-PJ2GS.tmp optprosetup.tmp File created C:\Program Files (x86)\Optimizer Pro\is-EC4SJ.tmp optprosetup.tmp File created C:\Program Files (x86)\Optimizer Pro\is-2RRO4.tmp optprosetup.tmp File created C:\Program Files (x86)\Optimizer Pro\is-0Q97P.tmp optprosetup.tmp File created C:\Program Files (x86)\Optimizer Pro\is-DB9N4.tmp optprosetup.tmp File opened for modification C:\Program Files (x86)\Optimizer Pro\OptimizerPro.exe optprosetup.tmp File opened for modification C:\Program Files (x86)\Optimizer Pro\OptimizerPro.chm optprosetup.tmp File created C:\Program Files (x86)\Optimizer Pro\is-R76QR.tmp optprosetup.tmp File created C:\Program Files (x86)\Optimizer Pro\is-8UFUG.tmp optprosetup.tmp File created C:\Program Files (x86)\Optimizer Pro\is-A17Q4.tmp optprosetup.tmp File created C:\Program Files (x86)\Optimizer Pro\is-K06EH.tmp optprosetup.tmp File created C:\Program Files (x86)\Optimizer Pro\is-Q0JRJ.tmp optprosetup.tmp File created C:\Program Files (x86)\Optimizer Pro\unins000.msg optprosetup.tmp File opened for modification C:\Program Files (x86)\Optimizer Pro\OptProSmartScan.exe optprosetup.tmp File opened for modification C:\Program Files (x86)\Optimizer Pro\OptProSchedule.exe optprosetup.tmp File created C:\Program Files (x86)\Optimizer Pro\unins000.dat optprosetup.tmp File created C:\Program Files (x86)\Optimizer Pro\is-Q1PET.tmp optprosetup.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
optprosetup.tmppid process 4588 optprosetup.tmp 4588 optprosetup.tmp -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
optprosetup.tmppid process 4588 optprosetup.tmp -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
e8d7808790a32107a98a2764f4012f2111d79ad0979d835fbc4b2d0e47158c33.exeoptprosetup.exedescription pid process target process PID 2144 wrote to memory of 208 2144 e8d7808790a32107a98a2764f4012f2111d79ad0979d835fbc4b2d0e47158c33.exe optprosetup.exe PID 2144 wrote to memory of 208 2144 e8d7808790a32107a98a2764f4012f2111d79ad0979d835fbc4b2d0e47158c33.exe optprosetup.exe PID 2144 wrote to memory of 208 2144 e8d7808790a32107a98a2764f4012f2111d79ad0979d835fbc4b2d0e47158c33.exe optprosetup.exe PID 208 wrote to memory of 4588 208 optprosetup.exe optprosetup.tmp PID 208 wrote to memory of 4588 208 optprosetup.exe optprosetup.tmp PID 208 wrote to memory of 4588 208 optprosetup.exe optprosetup.tmp
Processes
-
C:\Users\Admin\AppData\Local\Temp\e8d7808790a32107a98a2764f4012f2111d79ad0979d835fbc4b2d0e47158c33.exe"C:\Users\Admin\AppData\Local\Temp\e8d7808790a32107a98a2764f4012f2111d79ad0979d835fbc4b2d0e47158c33.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\optprosetup.exeC:\Users\Admin\AppData\Local\Temp\\optprosetup.exe /VERYSILENT2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-7CESD.tmp\optprosetup.tmp"C:\Users\Admin\AppData\Local\Temp\is-7CESD.tmp\optprosetup.tmp" /SL5="$D01DC,5286589,118784,C:\Users\Admin\AppData\Local\Temp\optprosetup.exe" /VERYSILENT3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\is-7CESD.tmp\optprosetup.tmpFilesize
1.1MB
MD550488cf899d007d697893fc72a823fb0
SHA1bc5512f623656ad69a054d558c35d463a5a8a6c1
SHA256d9b74c8ed046400b8966ca503bc5a4f0445736949651c4af8faefc68265652cf
SHA5122b275262a2f7a4a55bc40a8e3e264831273d04f197f52fabfbdb9720f0754da17d3da6a872590aebd5e4fc462b25b55c34c45e56fd7319bf1b52d847dd4f74a0
-
C:\Users\Admin\AppData\Local\Temp\is-7CESD.tmp\optprosetup.tmpFilesize
1.1MB
MD550488cf899d007d697893fc72a823fb0
SHA1bc5512f623656ad69a054d558c35d463a5a8a6c1
SHA256d9b74c8ed046400b8966ca503bc5a4f0445736949651c4af8faefc68265652cf
SHA5122b275262a2f7a4a55bc40a8e3e264831273d04f197f52fabfbdb9720f0754da17d3da6a872590aebd5e4fc462b25b55c34c45e56fd7319bf1b52d847dd4f74a0
-
C:\Users\Admin\AppData\Local\Temp\is-V3BI6.tmp\OptProCrash.dllFilesize
3.4MB
MD58565b14afbe6625e11065a3526c75192
SHA12eff65173426ca303dec447d66028552629836d5
SHA256da5cd23d75fb370d412568ae909e113145e0e472d8a9a80b3e06ed3c8f839c11
SHA5122740810ab2042e8dd3b887566b0f2bc540ff07737a079c32cf35498e32729651db9466d2db33ff092d43b8735a0b6b83571a146e5503152ced971b23b9e56dd9
-
C:\Users\Admin\AppData\Local\Temp\is-V3BI6.tmp\itdownload.dllFilesize
200KB
MD5d82a429efd885ca0f324dd92afb6b7b8
SHA186bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
SHA5125bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df
-
C:\Users\Admin\AppData\Local\Temp\is-V3BI6.tmp\itdownload.dllFilesize
200KB
MD5d82a429efd885ca0f324dd92afb6b7b8
SHA186bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
SHA5125bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df
-
C:\Users\Admin\AppData\Local\Temp\optprosetup.exeFilesize
5.5MB
MD53d31e999e8433d22b740ee0c55ac93ce
SHA173ad53e7f5198f124f70d31bf2b2c6511aa8caea
SHA256769ce23a88674e9ff07f08652c4fa2498dd6301359a2bc8fda5e50f59ebce6ba
SHA51285654a99bbb36c49490cdc91ad663bd25ca08b691c33002abc7258e9e0e3618734650dbbba51cfd915f80322253d0dd36eabce954a0da8f297d7072dabbc753b
-
C:\Users\Admin\AppData\Local\Temp\optprosetup.exeFilesize
5.5MB
MD53d31e999e8433d22b740ee0c55ac93ce
SHA173ad53e7f5198f124f70d31bf2b2c6511aa8caea
SHA256769ce23a88674e9ff07f08652c4fa2498dd6301359a2bc8fda5e50f59ebce6ba
SHA51285654a99bbb36c49490cdc91ad663bd25ca08b691c33002abc7258e9e0e3618734650dbbba51cfd915f80322253d0dd36eabce954a0da8f297d7072dabbc753b
-
memory/208-132-0x0000000000000000-mapping.dmp
-
memory/208-135-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/208-137-0x0000000000400000-0x0000000000427000-memory.dmpFilesize
156KB
-
memory/4588-138-0x0000000000000000-mapping.dmp
-
memory/4588-143-0x0000000003310000-0x000000000334C000-memory.dmpFilesize
240KB