Analysis
max time kernel: 150s
max time network: 127s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 24-11-2022 14:32
Static task: static1
Behavioral task: behavioral1
  Sample: def365ceb940194df5ad51a76c02e2cf4e6f3dba24353347edb5f3fa58d62b53.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: def365ceb940194df5ad51a76c02e2cf4e6f3dba24353347edb5f3fa58d62b53.exe
  Resource: win10v2004-20221111-en
General
Target: def365ceb940194df5ad51a76c02e2cf4e6f3dba24353347edb5f3fa58d62b53.exe
Size: 8.5MB
MD5: 663e2e8897e764c6853d936e6be2243b
SHA1: b19d36acab4474af88e3316d3afb71ad2a9b91f9
SHA256: def365ceb940194df5ad51a76c02e2cf4e6f3dba24353347edb5f3fa58d62b53
SHA512: 07fef6d438fd0287243aea945a02f9fb8fe57f983f9351e4f758c48bf65ec3b691521143d87ab7501828a97ae8a2bac682b7688dbd06ad58f8c66e3e5a783369
SSDEEP: 196608:nSX0XZV9sWoOB0zaHfqa6leXKdhHSklX06F9ZyBSXPgoSbuJAW8:nSkzZ2za/N+eX+H5Xx9Z6SopAAW8
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  2004  supoptsetup.exe
  1984  supoptsetup.tmp
  2000  SupOptStart.exe
Modifies AppInit DLL entries (2 TTPs)
Loads dropped DLL (20 IoCs)
Processes (pid, process; consecutive repeated rows grouped with their count):
  1816  def365ceb940194df5ad51a76c02e2cf4e6f3dba24353347edb5f3fa58d62b53.exe
  2004  supoptsetup.exe
  1984  supoptsetup.tmp (7 times)
  1324  rundll32.exe (4 times)
  1136  rundll32.exe (4 times)
  1984  supoptsetup.tmp (2 times)
  1136  rundll32.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description, ioc, process):
  Key created      \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run    supoptsetup.tmp
  Set value (str)  \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Super Optimizer = "C:\\Program Files (x86)\\Super Optimizer\\SupOptLauncher.exe"    supoptsetup.tmp
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory (33 IoCs)
Processes (description, ioc; every entry is by process supoptsetup.tmp):
  File created                  C:\Program Files (x86)\Super Optimizer\is-8DTHI.tmp
  File opened for modification  C:\Program Files (x86)\Super Optimizer\unins000.dat
  File opened for modification  C:\Program Files (x86)\Super Optimizer\SupOptHelper.dll
  File opened for modification  C:\Program Files (x86)\Super Optimizer\SuperOptimizer.chm
  File created                  C:\Program Files (x86)\Super Optimizer\is-CTQK9.tmp
  File created                  C:\Program Files (x86)\Super Optimizer\unins000.msg
  File created                  C:\Program Files (x86)\Super Optimizer\is-Q8C18.tmp
  File created                  C:\Program Files (x86)\Super Optimizer\is-DT2JD.tmp
  File created                  C:\Program Files (x86)\Super Optimizer\is-VTLC1.tmp
  File created                  C:\Program Files (x86)\Super Optimizer\is-CE5M8.tmp
  File created                  C:\Program Files (x86)\Super Optimizer\is-VKM1F.tmp
  File created                  C:\Program Files (x86)\Super Optimizer\is-6NQM7.tmp
  File created                  C:\Program Files (x86)\Super Optimizer\is-PI6MP.tmp
  File opened for modification  C:\Program Files (x86)\Super Optimizer\SuperOptimizer.exe
  File opened for modification  C:\Program Files (x86)\Super Optimizer\SupOptSmartScan.exe
  File created                  C:\Program Files (x86)\Super Optimizer\is-7EV9C.tmp
  File created                  C:\Program Files (x86)\Super Optimizer\is-DRRUN.tmp
  File created                  C:\Program Files (x86)\Super Optimizer\is-FV0JN.tmp
  File created                  C:\Program Files (x86)\Super Optimizer\is-KGBQP.tmp
  File opened for modification  C:\Program Files (x86)\Super Optimizer\SupOptReminder.exe
  File opened for modification  C:\Program Files (x86)\Super Optimizer\SupOptStart.exe
  File created                  C:\Program Files (x86)\Super Optimizer\is-6PQKG.tmp
  File created                  C:\Program Files (x86)\Super Optimizer\is-C3584.tmp
  File created                  C:\Program Files (x86)\Super Optimizer\is-10AS1.tmp
  File opened for modification  C:\Program Files (x86)\Super Optimizer\SupOptSchedule.exe
  File opened for modification  C:\Program Files (x86)\Super Optimizer\sqlite3.dll
  File opened for modification  C:\Program Files (x86)\Super Optimizer\SupOptUninstaller.exe
  File created                  C:\Program Files (x86)\Super Optimizer\is-AG58G.tmp
  File created                  C:\Program Files (x86)\Super Optimizer\unins000.dat
  File created                  C:\Program Files (x86)\Super Optimizer\is-4QFHD.tmp
  File created                  C:\Program Files (x86)\Super Optimizer\SupOptCrash.dll
  File opened for modification  C:\Program Files (x86)\Super Optimizer\SupOptLauncher.exe
  File opened for modification  C:\Program Files (x86)\Super Optimizer\SupOptGuard.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies data under HKEY_USERS (51 IoCs)
Processes: rundll32.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes (pid, process):
  1984  supoptsetup.tmp
  1984  supoptsetup.tmp
  1136  rundll32.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes (pid, process):
  1984  supoptsetup.tmp
Suspicious use of WriteProcessMemory (32 IoCs)
Processes (source pid and process -> target pid and process; consecutive repeated rows grouped with their count):
  1816 def365ceb940194df5ad51a76c02e2cf4e6f3dba24353347edb5f3fa58d62b53.exe -> 2004 supoptsetup.exe (7 times)
  2004 supoptsetup.exe -> 1984 supoptsetup.tmp (7 times)
  1984 supoptsetup.tmp -> 1324 rundll32.exe (7 times)
  1576 rundll32.exe -> 1136 rundll32.exe (7 times)
  1984 supoptsetup.tmp -> 2000 SupOptStart.exe (4 times)
Processes
C:\Users\Admin\AppData\Local\Temp\def365ceb940194df5ad51a76c02e2cf4e6f3dba24353347edb5f3fa58d62b53.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\def365ceb940194df5ad51a76c02e2cf4e6f3dba24353347edb5f3fa58d62b53.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\{103174E6-1DF5-4302-9636-25FE5292D7E4}\supoptsetup.exe (level 2)
  Command line: /VERYSILENT
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\is-BHDLK.tmp\supoptsetup.tmp (level 3)
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-BHDLK.tmp\supoptsetup.tmp" /SL5="$60124,7226305,643584,C:\Users\Admin\AppData\Local\Temp\{103174E6-1DF5-4302-9636-25FE5292D7E4}\supoptsetup.exe" /VERYSILENT
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\rundll32.exe (level 4)
      Command line: "C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\Super Optimizer\SupOptCrash.dll",ENT -install
      - Loads dropped DLL
      C:\Program Files (x86)\Super Optimizer\SupOptStart.exe (level 4)
      Command line: "C:\Program Files (x86)\Super Optimizer\SupOptStart.exe"
      - Executes dropped EXE
C:\Windows\system32\rundll32.exe (level 1)
Command line: "C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\Super Optimizer\SupOptCrash.dll",ENT
- Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (level 2)
  Command line: "C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\Super Optimizer\SupOptCrash.dll",ENT
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Program Files (x86)\Super Optimizer\SupOptStart.exe
Filesize: 1.1MB
MD5: d5ba50dcf68c6a32a6454143737cd7d1
SHA1: 962fd06b079a90cb782f2617b70bd2778460208f
SHA256: a7f01c46b7d9b6b1dcc3f6f734b8b6eba7df52669a9fe9dda274ff92023db54f
SHA512: 0d6fea0101e7b8f92c7f2a65c1723422f3c74463756e96d1d833356b7dfdc5bc784aa08d889b1de94d64aa8098535a7736a2127c8d790b4186dc58a21e69fc26

C:\Users\Admin\AppData\Local\Temp\is-BHDLK.tmp\supoptsetup.tmp
Filesize: 1.6MB
MD5: 0b6042a0d575c24ca67657fefb70649a
SHA1: 58bca3c01571945cc60904e7c4274070a8c1c564
SHA256: b2461953108aa78a1ed07ab0652bfa21e1902ea45d403e4789901027e3605cef
SHA512: 3d5b8737d21681c178fd82770589c14b4e09e7ed526e4b82d87d187030ac9b61212a046f697b7cb80b62771af88a9cc738388195b59c34c63d666f1624bdc328

C:\Users\Admin\AppData\Local\Temp\{103174E6-1DF5-4302-9636-25FE5292D7E4}\supoptsetup.exe
Filesize: 7.5MB
MD5: 74a2f97a1ad83d19a9ba09826846ccf7
SHA1: 25fc422ea21b5de0bb14e9ec2b34edd0fbcbaff4
SHA256: 57dc6f82e0bbe3e456c16e4cd2625b80756ae6074489754d6c0e19b0319bfb1f
SHA512: e4087dd7d441a487922b9e78f892d621b25384e5c7125e9112d9c84038038ab51cf427e89336bf8286f54142d325a57db868c2f27f5c38e6602d476995e4b12f

\??\c:\Program Files (x86)\Super Optimizer\SupOptCrash.dll
Filesize: 3.8MB
MD5: 87a2604a3b414f8817016d33b06a31f9
SHA1: 96b5db8bc388fdb38b197bdd140fc25528c2bf10
SHA256: 1e8808d8ce63b3a57f06f1de1dd861bdb39bb9b84c3708373e8e5cea22e64e88
SHA512: cd4103c0b74b6397363df979bfe132f89dcdc45bdb09c33fe28de37574b5bb2eadae5c18e873ae6f0b7dbd866c62a9053d14a11b964a3bddb4e6d1fca247b662

\Program Files (x86)\Super Optimizer\SupOptCrash.dll
Filesize: 3.8MB
MD5: 87a2604a3b414f8817016d33b06a31f9
SHA1: 96b5db8bc388fdb38b197bdd140fc25528c2bf10
SHA256: 1e8808d8ce63b3a57f06f1de1dd861bdb39bb9b84c3708373e8e5cea22e64e88
SHA512: cd4103c0b74b6397363df979bfe132f89dcdc45bdb09c33fe28de37574b5bb2eadae5c18e873ae6f0b7dbd866c62a9053d14a11b964a3bddb4e6d1fca247b662

\Program Files (x86)\Super Optimizer\SupOptStart.exe
Filesize: 1.1MB
MD5: d5ba50dcf68c6a32a6454143737cd7d1
SHA1: 962fd06b079a90cb782f2617b70bd2778460208f
SHA256: a7f01c46b7d9b6b1dcc3f6f734b8b6eba7df52669a9fe9dda274ff92023db54f
SHA512: 0d6fea0101e7b8f92c7f2a65c1723422f3c74463756e96d1d833356b7dfdc5bc784aa08d889b1de94d64aa8098535a7736a2127c8d790b4186dc58a21e69fc26

\Program Files (x86)\Super Optimizer\SuperOptimizer.exe
Filesize: 4.3MB
MD5: 4d7ccc28bd91b405eddff13ffdc2e498
SHA1: bb9afbd2efe1be437777e0d4b3ac3fa7625da782
SHA256: b4a7948070262b6a84fe43839586da2117b698d389fa86892a0323c59947132e
SHA512: 226936c3daf5803d97f41dd4919a019b6a2a82b6b536158628ffd5e63955bec61a4e766bf89a1cff220bdbc63ddfb1b4f3bc00d1b6fd592b71b27828909bd0bc

\Program Files (x86)\Super Optimizer\unins000.exe
Filesize: 1.6MB
MD5: 0b6042a0d575c24ca67657fefb70649a
SHA1: 58bca3c01571945cc60904e7c4274070a8c1c564
SHA256: b2461953108aa78a1ed07ab0652bfa21e1902ea45d403e4789901027e3605cef
SHA512: 3d5b8737d21681c178fd82770589c14b4e09e7ed526e4b82d87d187030ac9b61212a046f697b7cb80b62771af88a9cc738388195b59c34c63d666f1624bdc328

\Users\Admin\AppData\Local\Temp\is-BHDLK.tmp\supoptsetup.tmp
Filesize: 1.6MB
MD5: 0b6042a0d575c24ca67657fefb70649a
SHA1: 58bca3c01571945cc60904e7c4274070a8c1c564
SHA256: b2461953108aa78a1ed07ab0652bfa21e1902ea45d403e4789901027e3605cef
SHA512: 3d5b8737d21681c178fd82770589c14b4e09e7ed526e4b82d87d187030ac9b61212a046f697b7cb80b62771af88a9cc738388195b59c34c63d666f1624bdc328

\Users\Admin\AppData\Local\Temp\is-KERPO.tmp\SupOptCrash.dll
Filesize: 3.8MB
MD5: 87a2604a3b414f8817016d33b06a31f9
SHA1: 96b5db8bc388fdb38b197bdd140fc25528c2bf10
SHA256: 1e8808d8ce63b3a57f06f1de1dd861bdb39bb9b84c3708373e8e5cea22e64e88
SHA512: cd4103c0b74b6397363df979bfe132f89dcdc45bdb09c33fe28de37574b5bb2eadae5c18e873ae6f0b7dbd866c62a9053d14a11b964a3bddb4e6d1fca247b662

\Users\Admin\AppData\Local\Temp\is-KERPO.tmp\_isetup\_shfoldr.dll
Filesize: 22KB
MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Memory dumps
memory/1136-99-0x0000000000CD0000-0x0000000001017000-memory.dmp (Filesize 3.3MB)
memory/1136-93-0x0000000000000000-mapping.dmp
memory/1324-81-0x0000000000000000-mapping.dmp
memory/1324-88-0x0000000001FF0000-0x0000000002337000-memory.dmp (Filesize 3.3MB)
memory/1984-72-0x0000000003BF0000-0x0000000003F37000-memory.dmp (Filesize 3.3MB)
memory/1984-63-0x0000000000000000-mapping.dmp
memory/1984-74-0x0000000074691000-0x0000000074693000-memory.dmp (Filesize 8KB)
memory/2000-106-0x0000000000000000-mapping.dmp
memory/2004-62-0x0000000000400000-0x00000000004A8000-memory.dmp (Filesize 672KB)
memory/2004-76-0x0000000000400000-0x00000000004A8000-memory.dmp (Filesize 672KB)
memory/2004-58-0x0000000000400000-0x00000000004A8000-memory.dmp (Filesize 672KB)
memory/2004-57-0x0000000075511000-0x0000000075513000-memory.dmp (Filesize 8KB)
memory/2004-109-0x0000000000400000-0x00000000004A8000-memory.dmp (Filesize 672KB)
memory/2004-55-0x0000000000000000-mapping.dmp