5389159dd6c85df8258d70e9252e78522ada01b8b80b0b4ebedb45f24ab98dda

Analysis

max time kernel
134s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5389159dd6c85df8258d70e9252e78522ada01b8b80b0b4ebedb45f24ab98dda.exe
Size

5.7MB
MD5

a267d8bf3dd57078016798d9dfeefa1b
SHA1

45ac2f5bceef72ae1f9b405f8efe5c0dd3f981c9
SHA256

5389159dd6c85df8258d70e9252e78522ada01b8b80b0b4ebedb45f24ab98dda
SHA512

265ebb37556c91c0f52d73db4e625eac5d490d46f046bb8f02186cc82d5ebc73d65c034b590036628978712c3b71d7ef814d202fbce049bb9c6d1b93fd3d3845
SSDEEP

98304:DL+p957/mfkAb0JOyEmi+thHGAa0P9CQOGCfRJ2jlTDZ2l4wdcACdcruV95czo:/89J/ANzywiJlgQNUJ2BTDYiqcAViVwM

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

optprosetup.exeoptprosetup.tmpOptProStart.exeOptimizerPro.exe

pid process

2948 optprosetup.exe
2384 optprosetup.tmp
5064 OptProStart.exe
3156 OptimizerPro.exe
Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
2948	optprosetup.exe
2384	optprosetup.tmp
5064	OptProStart.exe
3156	OptimizerPro.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

optprosetup.tmpOptProStart.exeOptimizerPro.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	optprosetup.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	OptProStart.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	OptimizerPro.exe

Loads dropped DLL 7 IoCs

Processes:

optprosetup.tmprundll32.exerundll32.exe

pid process

2384 optprosetup.tmp
2384 optprosetup.tmp
2384 optprosetup.tmp
2064 rundll32.exe
232 rundll32.exe
232 rundll32.exe
232 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2384	optprosetup.tmp
2384	optprosetup.tmp
2384	optprosetup.tmp
2064	rundll32.exe
232	rundll32.exe
232	rundll32.exe
232	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

optprosetup.tmp

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Optimizer Pro = "C:\\Program Files (x86)\\Optimizer Pro\\OptProLauncher.exe"	optprosetup.tmp
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	optprosetup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 36 IoCs

Processes:

optprosetup.tmp

description	ioc	process
File created	C:\Program Files (x86)\Optimizer Pro\is-TI4AT.tmp	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-O2MIU.tmp	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-O2LKV.tmp	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\OptProStart.exe	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\OptProGuard.exe	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\OptProSchedule.exe	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-OSP2F.tmp	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-M3D9V.tmp	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-BPHDD.tmp	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\unins000.msg	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\OptProSmartScan.exe	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-VVUG3.tmp	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-HMB8S.tmp	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\OptProHelper.dll	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\OptProCrash.dll	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-4ACRQ.tmp	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-S9B14.tmp	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-P8EER.tmp	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-23Q2L.tmp	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\OptimizerPro.exe	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\OptProReminder.exe	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\OptProLauncher.exe	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\itdownload.dll	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-59AF1.tmp	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-DS83D.tmp	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-18JNG.tmp	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-7L4IO.tmp	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\sqlite3.dll	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\OptProUninstaller.exe	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\OptimizerPro.chm	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-O9M1D.tmp	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-62PPA.tmp	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\unins000.dat	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\unins000.dat	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-CAEU6.tmp	optprosetup.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-JC621.tmp	optprosetup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1952 schtasks.exe

pid	process
1952	schtasks.exe

Modifies data under HKEY_USERS 53 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\00000000	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\bbf88800 = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\340d3099 = "/P////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\7367429f = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\8b9e4cbc = "V/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\c6c5dd44 = "V/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\d94388d2 = "alAl/YP/b/Af/X6/clAu/XZ/UxAp/X2/GxAk////"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\0dc3ee96 = "/P////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\a1dcff5b = "V/////%%"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\c5705860 = "Vx////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\7f69fa1f = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\a0743acc = "N/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\fe94ce1e = "V/////%%"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\00000000\493c7345 = 00000000	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\060df2cd = "alAl/YP/b/Af/X6/UxAp/X2/GxAk////"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\iiid = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\1520c6f1 = "V/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\48bd1aff = "VP/l/C//N//l////"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\f0bf0bde = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\a2e3b941 = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\f1f24e29 = "Vl/l/C/////%"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\f6ad6fa6 = "VP/l/C//V/////%%"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\00000000	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\e8f9dcc7 = "UlAr/XJ/c//k////"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\f2c53c49 = "UlAr/XJ/c//k////"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\00000000\a47da861 = 6f00300031004f0030003700780030006d00300030004b00300032004500300061005500310054003000370030003000690030003100500030003600490030006f007800310053003000370062003000690030003100650030003600550030006e0030003100550030003700380030006e0055003000530030003600490030007000780031004f003000320045003000690078003100530030003600680030006e006c0031004e00300037007800300071007800310059003000360055003000610055003000250000006f00300031004f0030003700780030006d00300030004b00300032004500300061005500310054003000370030003000690030003100500030003600490030006f007800310053003000370062003000690030003100650030003600550030006e0030003100550030003700380030006e0055003000530030003600680030006e006c00310041003000360045003000610055003100500030003600490030006f007800310053003000370062003000690030003100650030003600550030006e00300030005400300030002500250000006f00300031004f0030003700780030006d00300030004b00300032004500300061005500310054003000370030003000690030003100550030003700380030006e00550031004d0030003600740030006e007800310054003000370071003000710078003100590030003200490030006f0078003100530030003600710030006e0055003000540030003700740030006e006c003100440030003600490030006d00550031004f0030003600340030006e00300031005900300032004500300000006f00300031004f0030003700780030006d00300030004b00300032004500300061005500310054003000370030003000690030003100550030003700380030006e00550031004d0030003600740030006e007800310054003000370071003000710078003100590030003200490030007100550031005400300036004f003000610055003100500030003600490030006f007800310053003000370062003000690030003100650030003600550030006e00300030005400300030002500250000006f00300031004f0030003700780030006d00300030004b003000320045003000610055003100540030003700300030006900300031004400300036004f0030006f00780031004b0030003600740030006d006c003100500030003600490030006f007800310053003000370062003000690030003100650030003600550030006e0030003000530030003600680030006e006c00310041003000360045003000610055003100500030003600490030006f007800310053003000370062003000690030003100650030003600550030006e00300030005400300030002500250000006f00300031004f0030003700780030006d00300030004b003000320045003000610055003100540030003700300030006900300031004400300036004f0030006f00780031004b0030003600740030006d006c003100500030003600490030006f007800310053003000370062003000690030003100650030003600550030006e0030003000530030003600620030006e00550031005a003000320045003000690078003100530030003600680030006e006c0031004e00300037007800300071007800310059003000360055003000610055003000250000000000	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\414bc593 = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\c24899a6 = "Vx/g/C//M/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\e46c271e = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\0c230bcb = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\0e93c3f3 = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\38583bc3 = "Ml/2/CF/M//g/CZ////%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\3c09c42b = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\65114b36 = "VP/+////"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\27ddcf6f = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\2d71d5ab = "V/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\587b5709 = "V/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\72758a5d = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\2e22d94e = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\51d2f2ea = "IlAl/YP/J/Af/X6/PlAf/XD/blAq/B//VP/j/Cx/V//j/CZ/V//l/CZ////%"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\00000000\370856c7 = 6e0055003100550030003700780030006d00300031004d00300036004500300071006c0031004d0030003600450030006900550031004e0030003600740030006d006c003000530030003600680030006e006c0031004100300036004500300000006e0055003100550030003700780030006d00300031004d0030003600450030006d00550031005000300037003800300070006c00310044003000360049003000700055003000530030003600680030006e006c0031004100300036004500300000006e0055003100550030003700780030006d00300031004d0030003600450030006900780031004f0030003600680030006e0030003100440030003700780030006a0078003000530030003600680030006e006c0031004100300036004500300000006e0055003100550030003700780030006d00300031004d0030003600450030006d00550031005000300037003800300070006c003000530030003600680030006e006c0031004100300036004500300000000000	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\00000000\3efeb33e = 6e0055003100550030003700780030006d00300031004d00300036004500300071006c0031004d0030003600450030006900550031004e0030003600740030006d006c003000530030003600680030006e006c0031004100300036004500300000006e0055003100550030003700780030006d00300031004d0030003600450030006d00550031005000300037003800300070006c00310044003000360049003000700055003000530030003600680030006e006c0031004100300036004500300000006e0055003100550030003700780030006d00300031004d0030003600450030006900780031004f0030003600680030006e0030003100440030003700780030006a0078003000530030003600680030006e006c0031004100300036004500300000006e0055003100550030003700780030006d00300031004d0030003600450030006d00550031005000300037003800300070006c003000530030003600680030006e006c0031004100300036004500300000000000	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\d1abcdb6 = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\1c311243 = "alAl/YP/b/Af/X6/clAu/XZ/UxAp/X2/GxAk////"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\37b7a6d8 = "UlAr/XJ/c//k////"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\6185d035 = "VP/h/CP/V//l////"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\c99a5f5c = "///%"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

optprosetup.tmprundll32.exe

pid process

2384 optprosetup.tmp
2384 optprosetup.tmp
232 rundll32.exe
232 rundll32.exe
232 rundll32.exe
232 rundll32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

optprosetup.tmp

pid process

2384 optprosetup.tmp
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OptimizerPro.exe

pid process

3156 OptimizerPro.exe

pid	process
2384	optprosetup.tmp
2384	optprosetup.tmp
232	rundll32.exe
232	rundll32.exe
232	rundll32.exe
232	rundll32.exe

pid	process
2384	optprosetup.tmp

pid	process
3156	OptimizerPro.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

5389159dd6c85df8258d70e9252e78522ada01b8b80b0b4ebedb45f24ab98dda.exeoptprosetup.exeoptprosetup.tmprundll32.exeOptProStart.exeOptimizerPro.exe

description	pid	process	target process
PID 2148 wrote to memory of 2948	2148	5389159dd6c85df8258d70e9252e78522ada01b8b80b0b4ebedb45f24ab98dda.exe	optprosetup.exe
PID 2148 wrote to memory of 2948	2148	5389159dd6c85df8258d70e9252e78522ada01b8b80b0b4ebedb45f24ab98dda.exe	optprosetup.exe
PID 2148 wrote to memory of 2948	2148	5389159dd6c85df8258d70e9252e78522ada01b8b80b0b4ebedb45f24ab98dda.exe	optprosetup.exe
PID 2948 wrote to memory of 2384	2948	optprosetup.exe	optprosetup.tmp
PID 2948 wrote to memory of 2384	2948	optprosetup.exe	optprosetup.tmp
PID 2948 wrote to memory of 2384	2948	optprosetup.exe	optprosetup.tmp
PID 2384 wrote to memory of 2064	2384	optprosetup.tmp	rundll32.exe
PID 2384 wrote to memory of 2064	2384	optprosetup.tmp	rundll32.exe
PID 2384 wrote to memory of 2064	2384	optprosetup.tmp	rundll32.exe
PID 488 wrote to memory of 232	488	rundll32.exe	rundll32.exe
PID 488 wrote to memory of 232	488	rundll32.exe	rundll32.exe
PID 488 wrote to memory of 232	488	rundll32.exe	rundll32.exe
PID 2384 wrote to memory of 5064	2384	optprosetup.tmp	OptProStart.exe
PID 2384 wrote to memory of 5064	2384	optprosetup.tmp	OptProStart.exe
PID 2384 wrote to memory of 5064	2384	optprosetup.tmp	OptProStart.exe
PID 5064 wrote to memory of 3156	5064	OptProStart.exe	OptimizerPro.exe
PID 5064 wrote to memory of 3156	5064	OptProStart.exe	OptimizerPro.exe
PID 5064 wrote to memory of 3156	5064	OptProStart.exe	OptimizerPro.exe
PID 3156 wrote to memory of 1952	3156	OptimizerPro.exe	schtasks.exe
PID 3156 wrote to memory of 1952	3156	OptimizerPro.exe	schtasks.exe
PID 3156 wrote to memory of 1952	3156	OptimizerPro.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\5389159dd6c85df8258d70e9252e78522ada01b8b80b0b4ebedb45f24ab98dda.exe
"C:\Users\Admin\AppData\Local\Temp\5389159dd6c85df8258d70e9252e78522ada01b8b80b0b4ebedb45f24ab98dda.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2148

C:\Users\Admin\AppData\Local\Temp\optprosetup.exe
C:\Users\Admin\AppData\Local\Temp\\optprosetup.exe /VERYSILENT
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948

C:\Users\Admin\AppData\Local\Temp\is-FK8O9.tmp\optprosetup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FK8O9.tmp\optprosetup.tmp" /SL5="$D0054,5286589,118784,C:\Users\Admin\AppData\Local\Temp\optprosetup.exe" /VERYSILENT
3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\Optimizer Pro\OptProCrash.dll",ENT -install
4⤵
- Loads dropped DLL
PID:2064

C:\Program Files (x86)\Optimizer Pro\OptProStart.exe
"C:\Program Files (x86)\Optimizer Pro\OptProStart.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5064

C:\Program Files (x86)\Optimizer Pro\OptimizerPro.exe
"C:\Program Files (x86)\Optimizer Pro\OptimizerPro.exe" /START
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3156

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Optimizer Pro Schedule" /TR "\"C:\Program Files (x86)\Optimizer Pro\OptProLauncher.exe\"" /SC ONLOGON /RL HIGHEST /F
6⤵
- Creates scheduled task(s)
PID:1952

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\Optimizer Pro\OptProCrash.dll",ENT
1⤵
- Suspicious use of WriteProcessMemory
PID:488

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\Optimizer Pro\OptProCrash.dll",ENT
2⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Optimizer Pro\English.ini

Filesize
22KB

MD5
17c6915f5142b3d576c19dbe9615f1ea

SHA1
c2e4c3b15ae9744ea564bc3393923e3e12e38f09

SHA256
e0f54af0f070c5a37dc67182fbc53bbda664d714e0b100f398fddbe5bb817884

SHA512
346e7e982401b43ce5d8e19b2f77848802f3dfbb279d369031bb77388edd4b137dc52ec96066c79e27eb49cf621a3a9d8f81c7f8a3c04a8103aadfd46c12a66d

Download Submit
C:\Program Files (x86)\Optimizer Pro\OptProCrash.dll

Filesize
3.4MB

MD5
8565b14afbe6625e11065a3526c75192

SHA1
2eff65173426ca303dec447d66028552629836d5

SHA256
da5cd23d75fb370d412568ae909e113145e0e472d8a9a80b3e06ed3c8f839c11

SHA512
2740810ab2042e8dd3b887566b0f2bc540ff07737a079c32cf35498e32729651db9466d2db33ff092d43b8735a0b6b83571a146e5503152ced971b23b9e56dd9

Download Submit
C:\Program Files (x86)\Optimizer Pro\OptProCrash.dll

Filesize
3.4MB

MD5
8565b14afbe6625e11065a3526c75192

SHA1
2eff65173426ca303dec447d66028552629836d5

SHA256
da5cd23d75fb370d412568ae909e113145e0e472d8a9a80b3e06ed3c8f839c11

SHA512
2740810ab2042e8dd3b887566b0f2bc540ff07737a079c32cf35498e32729651db9466d2db33ff092d43b8735a0b6b83571a146e5503152ced971b23b9e56dd9

Download Submit
C:\Program Files (x86)\Optimizer Pro\OptProCrash.dll

Filesize
3.4MB

MD5
8565b14afbe6625e11065a3526c75192

SHA1
2eff65173426ca303dec447d66028552629836d5

SHA256
da5cd23d75fb370d412568ae909e113145e0e472d8a9a80b3e06ed3c8f839c11

SHA512
2740810ab2042e8dd3b887566b0f2bc540ff07737a079c32cf35498e32729651db9466d2db33ff092d43b8735a0b6b83571a146e5503152ced971b23b9e56dd9

Download Submit
C:\Program Files (x86)\Optimizer Pro\OptProCrash.dll

Filesize
3.4MB

MD5
8565b14afbe6625e11065a3526c75192

SHA1
2eff65173426ca303dec447d66028552629836d5

SHA256
da5cd23d75fb370d412568ae909e113145e0e472d8a9a80b3e06ed3c8f839c11

SHA512
2740810ab2042e8dd3b887566b0f2bc540ff07737a079c32cf35498e32729651db9466d2db33ff092d43b8735a0b6b83571a146e5503152ced971b23b9e56dd9

Download Submit
C:\Program Files (x86)\Optimizer Pro\OptProStart.exe

Filesize
643KB

MD5
1713fa8e8ecdfb32c46dd466c63107c6

SHA1
3798f368de630f751d3c05de7f9cfe7134caa604

SHA256
8e8c99cbefb1e13e19b730c287f8a46b175f888d1959948bb9540008233dca2f

SHA512
71bf969af56061520a534ed5c25bed4fca5fbda02218fe79eab1bb32912c7e3da6bd3071ed5b3a1259205e145d1251ab4dd74cc2afc99ab708b50c39e98470c1

Download Submit
C:\Program Files (x86)\Optimizer Pro\OptProStart.exe

Filesize
643KB

MD5
1713fa8e8ecdfb32c46dd466c63107c6

SHA1
3798f368de630f751d3c05de7f9cfe7134caa604

SHA256
8e8c99cbefb1e13e19b730c287f8a46b175f888d1959948bb9540008233dca2f

SHA512
71bf969af56061520a534ed5c25bed4fca5fbda02218fe79eab1bb32912c7e3da6bd3071ed5b3a1259205e145d1251ab4dd74cc2afc99ab708b50c39e98470c1

Download Submit
C:\Program Files (x86)\Optimizer Pro\OptimizerPro.exe

Filesize
3.1MB

MD5
c2c83c1e16f8e452951257ef4e5421cf

SHA1
19dbd5ea6880f0ba2a2cbfae18c814a038d8a092

SHA256
0d826f5799d95619a997f252798fff9ed2f975c96ea7acf1c3c8463062a1ca39

SHA512
03941c2f82e353c98a704beed91194a9add36e9d7ed043b141f2d599d4dbce27f0c0dcc33a7c7648ccd61a6dd708e37e331ef25fa1c78f0d2650932055e708c0

Download Submit
C:\Program Files (x86)\Optimizer Pro\OptimizerPro.exe

Filesize
3.1MB

MD5
c2c83c1e16f8e452951257ef4e5421cf

SHA1
19dbd5ea6880f0ba2a2cbfae18c814a038d8a092

SHA256
0d826f5799d95619a997f252798fff9ed2f975c96ea7acf1c3c8463062a1ca39

SHA512
03941c2f82e353c98a704beed91194a9add36e9d7ed043b141f2d599d4dbce27f0c0dcc33a7c7648ccd61a6dd708e37e331ef25fa1c78f0d2650932055e708c0

Download Submit
C:\Program Files (x86)\Optimizer Pro\Scan.gif

Filesize
55KB

MD5
6858a1ce31e5f92785fb525ce9725b8a

SHA1
6f666e761cb39ec0efa78038038706c6e09641ca

SHA256
d576f0c14f855954701b054d625f7a95a5bfcd97ace82d83a4f00bda7a4cc908

SHA512
b23b40e5f278dc12be7ebe0872acff893df84ff7c936f56de8111e0dfc442dd2797583d7bb5feb4157bb67292344ea078bce1f93f5a3f60a5bbe20032ccad9f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-B238V.tmp\OptProCrash.dll

Filesize
3.4MB

MD5
8565b14afbe6625e11065a3526c75192

SHA1
2eff65173426ca303dec447d66028552629836d5

SHA256
da5cd23d75fb370d412568ae909e113145e0e472d8a9a80b3e06ed3c8f839c11

SHA512
2740810ab2042e8dd3b887566b0f2bc540ff07737a079c32cf35498e32729651db9466d2db33ff092d43b8735a0b6b83571a146e5503152ced971b23b9e56dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-B238V.tmp\itdownload.dll

Filesize
200KB

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-B238V.tmp\itdownload.dll

Filesize
200KB

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FK8O9.tmp\optprosetup.tmp

Filesize
1.1MB

MD5
50488cf899d007d697893fc72a823fb0

SHA1
bc5512f623656ad69a054d558c35d463a5a8a6c1

SHA256
d9b74c8ed046400b8966ca503bc5a4f0445736949651c4af8faefc68265652cf

SHA512
2b275262a2f7a4a55bc40a8e3e264831273d04f197f52fabfbdb9720f0754da17d3da6a872590aebd5e4fc462b25b55c34c45e56fd7319bf1b52d847dd4f74a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FK8O9.tmp\optprosetup.tmp

Filesize
1.1MB

MD5
50488cf899d007d697893fc72a823fb0

SHA1
bc5512f623656ad69a054d558c35d463a5a8a6c1

SHA256
d9b74c8ed046400b8966ca503bc5a4f0445736949651c4af8faefc68265652cf

SHA512
2b275262a2f7a4a55bc40a8e3e264831273d04f197f52fabfbdb9720f0754da17d3da6a872590aebd5e4fc462b25b55c34c45e56fd7319bf1b52d847dd4f74a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\optprosetup.exe

Filesize
5.5MB

MD5
3d31e999e8433d22b740ee0c55ac93ce

SHA1
73ad53e7f5198f124f70d31bf2b2c6511aa8caea

SHA256
769ce23a88674e9ff07f08652c4fa2498dd6301359a2bc8fda5e50f59ebce6ba

SHA512
85654a99bbb36c49490cdc91ad663bd25ca08b691c33002abc7258e9e0e3618734650dbbba51cfd915f80322253d0dd36eabce954a0da8f297d7072dabbc753b

Download Submit
C:\Users\Admin\AppData\Local\Temp\optprosetup.exe

Filesize
5.5MB

MD5
3d31e999e8433d22b740ee0c55ac93ce

SHA1
73ad53e7f5198f124f70d31bf2b2c6511aa8caea

SHA256
769ce23a88674e9ff07f08652c4fa2498dd6301359a2bc8fda5e50f59ebce6ba

SHA512
85654a99bbb36c49490cdc91ad663bd25ca08b691c33002abc7258e9e0e3618734650dbbba51cfd915f80322253d0dd36eabce954a0da8f297d7072dabbc753b

Download Submit
\??\c:\Program Files (x86)\Optimizer Pro\OptProCrash.dll

Filesize
3.4MB

MD5
8565b14afbe6625e11065a3526c75192

SHA1
2eff65173426ca303dec447d66028552629836d5

SHA256
da5cd23d75fb370d412568ae909e113145e0e472d8a9a80b3e06ed3c8f839c11

SHA512
2740810ab2042e8dd3b887566b0f2bc540ff07737a079c32cf35498e32729651db9466d2db33ff092d43b8735a0b6b83571a146e5503152ced971b23b9e56dd9

Download Submit
memory/232-148-0x0000000000000000-mapping.dmp

Download
memory/1952-157-0x0000000000000000-mapping.dmp

Download
memory/2064-145-0x0000000000000000-mapping.dmp

Download
memory/2384-143-0x00000000032D0000-0x000000000330C000-memory.dmp

Filesize
240KB

Download
memory/2384-137-0x0000000000000000-mapping.dmp

Download
memory/2948-140-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2948-156-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2948-132-0x0000000000000000-mapping.dmp

Download
memory/2948-135-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3156-154-0x0000000000000000-mapping.dmp

Download
memory/5064-150-0x0000000000000000-mapping.dmp

Download