def365ceb940194df5ad51a76c02e2cf4e6f3dba24353347edb5f3fa58d62b53

Analysis

max time kernel
169s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

def365ceb940194df5ad51a76c02e2cf4e6f3dba24353347edb5f3fa58d62b53.exe
Size

8.5MB
MD5

663e2e8897e764c6853d936e6be2243b
SHA1

b19d36acab4474af88e3316d3afb71ad2a9b91f9
SHA256

def365ceb940194df5ad51a76c02e2cf4e6f3dba24353347edb5f3fa58d62b53
SHA512

07fef6d438fd0287243aea945a02f9fb8fe57f983f9351e4f758c48bf65ec3b691521143d87ab7501828a97ae8a2bac682b7688dbd06ad58f8c66e3e5a783369
SSDEEP

196608:nSX0XZV9sWoOB0zaHfqa6leXKdhHSklX06F9ZyBSXPgoSbuJAW8:nSkzZ2za/N+eX+H5Xx9Z6SopAAW8

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

supoptsetup.exesupoptsetup.tmpSupOptStart.exe

pid process

220 supoptsetup.exe
2536 supoptsetup.tmp
4212 SupOptStart.exe
Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
220	supoptsetup.exe
2536	supoptsetup.tmp
4212	SupOptStart.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

supoptsetup.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	supoptsetup.tmp

Loads dropped DLL 3 IoCs

Processes:

supoptsetup.tmprundll32.exerundll32.exe

pid process

2536 supoptsetup.tmp
3804 rundll32.exe
2316 rundll32.exe

pid	process
2536	supoptsetup.tmp
3804	rundll32.exe
2316	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

supoptsetup.tmp

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	supoptsetup.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Super Optimizer = "C:\\Program Files (x86)\\Super Optimizer\\SupOptLauncher.exe"	supoptsetup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 33 IoCs

Processes:

supoptsetup.tmp

description	ioc	process
File created	C:\Program Files (x86)\Super Optimizer\is-6DST8.tmp	supoptsetup.tmp
File opened for modification	C:\Program Files (x86)\Super Optimizer\unins000.dat	supoptsetup.tmp
File opened for modification	C:\Program Files (x86)\Super Optimizer\SupOptLauncher.exe	supoptsetup.tmp
File opened for modification	C:\Program Files (x86)\Super Optimizer\SupOptUninstaller.exe	supoptsetup.tmp
File created	C:\Program Files (x86)\Super Optimizer\is-HT8P2.tmp	supoptsetup.tmp
File created	C:\Program Files (x86)\Super Optimizer\is-VN949.tmp	supoptsetup.tmp
File created	C:\Program Files (x86)\Super Optimizer\is-I96QO.tmp	supoptsetup.tmp
File created	C:\Program Files (x86)\Super Optimizer\SupOptCrash.dll	supoptsetup.tmp
File opened for modification	C:\Program Files (x86)\Super Optimizer\SupOptSmartScan.exe	supoptsetup.tmp
File opened for modification	C:\Program Files (x86)\Super Optimizer\sqlite3.dll	supoptsetup.tmp
File opened for modification	C:\Program Files (x86)\Super Optimizer\SupOptStart.exe	supoptsetup.tmp
File created	C:\Program Files (x86)\Super Optimizer\is-VLGA1.tmp	supoptsetup.tmp
File opened for modification	C:\Program Files (x86)\Super Optimizer\SupOptHelper.dll	supoptsetup.tmp
File created	C:\Program Files (x86)\Super Optimizer\is-03AA8.tmp	supoptsetup.tmp
File created	C:\Program Files (x86)\Super Optimizer\is-JDEQT.tmp	supoptsetup.tmp
File created	C:\Program Files (x86)\Super Optimizer\unins000.msg	supoptsetup.tmp
File opened for modification	C:\Program Files (x86)\Super Optimizer\SupOptSchedule.exe	supoptsetup.tmp
File created	C:\Program Files (x86)\Super Optimizer\unins000.dat	supoptsetup.tmp
File created	C:\Program Files (x86)\Super Optimizer\is-A0AEC.tmp	supoptsetup.tmp
File created	C:\Program Files (x86)\Super Optimizer\is-GGR7K.tmp	supoptsetup.tmp
File created	C:\Program Files (x86)\Super Optimizer\is-O49O9.tmp	supoptsetup.tmp
File opened for modification	C:\Program Files (x86)\Super Optimizer\SupOptGuard.exe	supoptsetup.tmp
File opened for modification	C:\Program Files (x86)\Super Optimizer\SuperOptimizer.chm	supoptsetup.tmp
File created	C:\Program Files (x86)\Super Optimizer\is-T8G60.tmp	supoptsetup.tmp
File created	C:\Program Files (x86)\Super Optimizer\is-4C0BO.tmp	supoptsetup.tmp
File created	C:\Program Files (x86)\Super Optimizer\is-N9HA0.tmp	supoptsetup.tmp
File opened for modification	C:\Program Files (x86)\Super Optimizer\SuperOptimizer.exe	supoptsetup.tmp
File created	C:\Program Files (x86)\Super Optimizer\is-FPLV7.tmp	supoptsetup.tmp
File created	C:\Program Files (x86)\Super Optimizer\is-D04SS.tmp	supoptsetup.tmp
File created	C:\Program Files (x86)\Super Optimizer\is-J12E1.tmp	supoptsetup.tmp
File created	C:\Program Files (x86)\Super Optimizer\is-TIFSC.tmp	supoptsetup.tmp
File created	C:\Program Files (x86)\Super Optimizer\is-K5B8T.tmp	supoptsetup.tmp
File opened for modification	C:\Program Files (x86)\Super Optimizer\SupOptReminder.exe	supoptsetup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 53 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\00000000\a47da861 = 6f00300031004f0030003700780030006d00300030004b0030003200450030006100550031004e0030003700740030006d00300031002b0030003700380030006e0055003100550030003700780030006f00780031005a0030003600680030006a006c0031002b0030003700380030006900300031004400300036004f003000700078003100670030003200490030006e006c0031002b003000370078003000610055003100500030003600490030006f007800310053003000370062003000690030003100650030003600550030006e00300030005400300030002500250000006f00300031004f0030003700780030006d00300030004b0030003200450030006100550031004e0030003700740030006d00300031002b0030003700380030006e0055003100550030003700780030006f00780031005a0030003600680030006a006c0031002b0030003700380030006d00550031005000300037003800300070006c003100680030003200490030007100550031005400300036004f003000610055003100500030003600490030006f007800310053003000370062003000690030003100650030003600550030006e00300030005400300030002500250000006f00300031004f0030003700780030006d00300030004b00300032004500300061005500310065003000370062003000690078003100550030003600740030006d006c003100540030003700300030006900300031004400300036004f0030006f00780031004b0030003600740030006d006c003100500030003700780030006f0078003100590030003600680030006900300031004a0030003200490030007100550031005400300036004f003000610055003100500030003600490030006f007800310053003000370062003000690030003100650030003600550030006e00300030005400300030002500250000006f00300031004f0030003700780030006d00300030004b0030003200450030006100550031004f00300036006c0030007000780031005200300036007400300071006c0030005a003000370062003000690078003100550030003600740030006d006c003100540030003700300030006900300031004400300036004f0030006f00780031004b0030003600740030006d006c003000530030003600620030006e00550031005a003000320045003000690078003100530030003600680030006e006c0031004e00300037007800300071007800310059003000360055003000610055003000250000006f00300031004f0030003700780030006d00300030004b0030003200450030006100550031004f0030003600340030006f00550031002b003000370062003000690078003100550030003600740030006d006c003100540030003700300030006900300031004400300036004f0030006f00780031004b0030003600740030006d006c003100500030003700780030006f00780031005900300037006200300061006c003100670030003600450030006e0078003000540030003700740030006e006c003100440030003600490030006d00550031004f0030003600340030006e00300031005900300032004500300000006f00300031004f0030003700780030006d00300030004b0030003200450030006100550031005200300036006c0030007100780031004f0030003600340030006900550031002b0030003600380030006d0055003100500030003700300030007000780031004d0030003600450030006d00300031004f0030003600680030006e0078003100440030003700430030007000780031004d0030003200490030007100550031005400300036004f003000610055003100500030003600490030006f007800310053003000370062003000690030003100650030003600550030006e00300030005400300030002500250000006f00300031004f0030003700780030006d00300030004b00300032004500300061005500310065003000370062003000690078003100550030003600740030006d006c003100540030003700300030006900300031004400300036004f0030006f00780031004b0030003600740030006d006c003000530030003600490030007000780031004f003000320045003000690078003100530030003600680030006e006c0031004e00300037007800300071007800310059003000360055003000610055003000250000006f00300031004f0030003700780030006d00300030004b0030003200450030006100550031004e0030003700740030006d00300031002b0030003700380030006e0055003100550030003700780030006f00780031005a0030003600680030006a006c0031002b0030003700380030006900550031002b00300036003800300071006c00310044003000360049003000700055003000530030003600620030006e00550031005a003000320045003000690078003100530030003600680030006e006c0031004e00300037007800300071007800310059003000360055003000610055003000250000006f00300031004f0030003700780030006d00300030004b003000320045003000610055003100540030003700300030006900300031004400300036004f0030006f00780031004b0030003600740030006d006c0031004e0030003700740030006d00300031002b0030003700380030006d00550031002b00300037007800300061006c003100670030003600450030006e0078003000540030003700740030006e006c003100440030003600490030006d00550031004f0030003600340030006e00300031005900300032004500300000006f00300031004f0030003700780030006d00300030004b0030003200450030006100550031004e0030003700740030006d00300031002b0030003700380030006e0055003100550030003700780030006f00780031005a0030003600680030006a006c0031002b0030003700380030006d00550031002b00300037007800300061006c0031004400300036004900300070006c00310054003000320045003000690078003100530030003600680030006e006c0031004e00300037007800300071007800310059003000360055003000610055003000250000000000	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\1520c6f1 = "V/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\2e22d94e = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\587b5709 = "V/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\6185d035 = "VP/h/CP/V//l////"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\a0743acc = "N/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\0dc3ee96 = "/P////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\340d3099 = "/P////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\0e93c3f3 = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\a1dcff5b = "V/////%%"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\3c09c42b = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\2d71d5ab = "V/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\414bc593 = "///%"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\iiid = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\8b9e4cbc = "V/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\f2c53c49 = "UlAr/XJ/c//k////"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\f6ad6fa6 = "V/////%%"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\00000000\3efeb33e = 00000000	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\060df2cd = "blA+/Y//GPAf/X6/b/Ah/Xt/aPAp/Yq/GPAp/YP/UxAs/X6/aP////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\37b7a6d8 = "UlAr/XJ/c//k////"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\c99a5f5c = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\fe94ce1e = "V/////%%"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\00000000	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\00000000\493c7345 = 6d0055003100500030003700300030007000780031004d0030003600450030006d00300031004f0030003600680030006e0078003100440030003700430030007000780031004d00300037006200300061006c0031004400300036004900300070006c0031005400300030002500250000006d0055003100500030003700300030007000780031004d0030003600450030006d00300031004f0030003600680030006e0078003100440030003700430030007000780031004d0030003700780030006f00780031005a00300036007400300061006c00310053003000360074003000690030003000250000000000	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\1c311243 = "blA+/Y//GPAf/X6/b/Ah/Xt/aPAp/Yq/GPAf/YV/cPAf/XF/UxAs/X6/aP////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\7367429f = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\e46c271e = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\0c230bcb = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\48bd1aff = "V/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\65114b36 = "VP/+////"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\c24899a6 = "Vx/g/C//M/////%%"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\38583bc3 = "Ml/2/CF/M//g/CZ////%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\72758a5d = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\a2e3b941 = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\bbf88800 = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\c6c5dd44 = "V/////%%"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\d1abcdb6 = "///%"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\00000000	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\00000000\370856c7 = 00000000	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\27ddcf6f = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\51d2f2ea = "JlA+/Y//GPAf/B//IlAl/YP/HPAi/Xt/dxAu/YZ/Z//e/B2/N//l/B2/Vx/l/CD/NP////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\7f69fa1f = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\d94388d2 = "blA+/Y//GPAf/X6/b/Ah/Xt/aPAp/Yq/GPAf/YV/cPAf/XF/UxAs/X6/aP////%%"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\c5705860 = "Vx////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\e8f9dcc7 = "UlAr/XJ/c//k////"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\f0bf0bde = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\f1f24e29 = "Vl/l/C/////%"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

supoptsetup.tmp

pid process

2536 supoptsetup.tmp
2536 supoptsetup.tmp
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

supoptsetup.tmp

pid process

2536 supoptsetup.tmp

pid	process
2536	supoptsetup.tmp
2536	supoptsetup.tmp

pid	process
2536	supoptsetup.tmp

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

def365ceb940194df5ad51a76c02e2cf4e6f3dba24353347edb5f3fa58d62b53.exesupoptsetup.exesupoptsetup.tmprundll32.exe

description	pid	process	target process
PID 4328 wrote to memory of 220	4328	def365ceb940194df5ad51a76c02e2cf4e6f3dba24353347edb5f3fa58d62b53.exe	supoptsetup.exe
PID 4328 wrote to memory of 220	4328	def365ceb940194df5ad51a76c02e2cf4e6f3dba24353347edb5f3fa58d62b53.exe	supoptsetup.exe
PID 4328 wrote to memory of 220	4328	def365ceb940194df5ad51a76c02e2cf4e6f3dba24353347edb5f3fa58d62b53.exe	supoptsetup.exe
PID 220 wrote to memory of 2536	220	supoptsetup.exe	supoptsetup.tmp
PID 220 wrote to memory of 2536	220	supoptsetup.exe	supoptsetup.tmp
PID 220 wrote to memory of 2536	220	supoptsetup.exe	supoptsetup.tmp
PID 2536 wrote to memory of 3804	2536	supoptsetup.tmp	rundll32.exe
PID 2536 wrote to memory of 3804	2536	supoptsetup.tmp	rundll32.exe
PID 2536 wrote to memory of 3804	2536	supoptsetup.tmp	rundll32.exe
PID 1208 wrote to memory of 2316	1208	rundll32.exe	rundll32.exe
PID 1208 wrote to memory of 2316	1208	rundll32.exe	rundll32.exe
PID 1208 wrote to memory of 2316	1208	rundll32.exe	rundll32.exe
PID 2536 wrote to memory of 4212	2536	supoptsetup.tmp	SupOptStart.exe
PID 2536 wrote to memory of 4212	2536	supoptsetup.tmp	SupOptStart.exe
PID 2536 wrote to memory of 4212	2536	supoptsetup.tmp	SupOptStart.exe

C:\Users\Admin\AppData\Local\Temp\def365ceb940194df5ad51a76c02e2cf4e6f3dba24353347edb5f3fa58d62b53.exe
"C:\Users\Admin\AppData\Local\Temp\def365ceb940194df5ad51a76c02e2cf4e6f3dba24353347edb5f3fa58d62b53.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4328

C:\Users\Admin\AppData\Local\Temp\{1E4D7FA8-1FD7-4620-A58C-3FAF74014CC5}\supoptsetup.exe
/VERYSILENT
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220

C:\Users\Admin\AppData\Local\Temp\is-VHNH5.tmp\supoptsetup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VHNH5.tmp\supoptsetup.tmp" /SL5="$80048,7226305,643584,C:\Users\Admin\AppData\Local\Temp\{1E4D7FA8-1FD7-4620-A58C-3FAF74014CC5}\supoptsetup.exe" /VERYSILENT
3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\Super Optimizer\SupOptCrash.dll",ENT -install
4⤵
- Loads dropped DLL
PID:3804

C:\Program Files (x86)\Super Optimizer\SupOptStart.exe
"C:\Program Files (x86)\Super Optimizer\SupOptStart.exe"
4⤵
- Executes dropped EXE
PID:4212

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\Super Optimizer\SupOptCrash.dll",ENT
1⤵
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\Super Optimizer\SupOptCrash.dll",ENT
2⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:2316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Super Optimizer\SupOptCrash.dll
Filesize
3.8MB

MD5
87a2604a3b414f8817016d33b06a31f9

SHA1
96b5db8bc388fdb38b197bdd140fc25528c2bf10

SHA256
1e8808d8ce63b3a57f06f1de1dd861bdb39bb9b84c3708373e8e5cea22e64e88

SHA512
cd4103c0b74b6397363df979bfe132f89dcdc45bdb09c33fe28de37574b5bb2eadae5c18e873ae6f0b7dbd866c62a9053d14a11b964a3bddb4e6d1fca247b662

Download Submit
C:\Program Files (x86)\Super Optimizer\SupOptCrash.dll
Filesize
3.8MB

MD5
87a2604a3b414f8817016d33b06a31f9

SHA1
96b5db8bc388fdb38b197bdd140fc25528c2bf10

SHA256
1e8808d8ce63b3a57f06f1de1dd861bdb39bb9b84c3708373e8e5cea22e64e88

SHA512
cd4103c0b74b6397363df979bfe132f89dcdc45bdb09c33fe28de37574b5bb2eadae5c18e873ae6f0b7dbd866c62a9053d14a11b964a3bddb4e6d1fca247b662

Download Submit
C:\Program Files (x86)\Super Optimizer\SupOptStart.exe
Filesize
1.1MB

MD5
d5ba50dcf68c6a32a6454143737cd7d1

SHA1
962fd06b079a90cb782f2617b70bd2778460208f

SHA256
a7f01c46b7d9b6b1dcc3f6f734b8b6eba7df52669a9fe9dda274ff92023db54f

SHA512
0d6fea0101e7b8f92c7f2a65c1723422f3c74463756e96d1d833356b7dfdc5bc784aa08d889b1de94d64aa8098535a7736a2127c8d790b4186dc58a21e69fc26

Download Submit
C:\Program Files (x86)\Super Optimizer\SupOptStart.exe
Filesize
1.1MB

MD5
d5ba50dcf68c6a32a6454143737cd7d1

SHA1
962fd06b079a90cb782f2617b70bd2778460208f

SHA256
a7f01c46b7d9b6b1dcc3f6f734b8b6eba7df52669a9fe9dda274ff92023db54f

SHA512
0d6fea0101e7b8f92c7f2a65c1723422f3c74463756e96d1d833356b7dfdc5bc784aa08d889b1de94d64aa8098535a7736a2127c8d790b4186dc58a21e69fc26

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LM1LF.tmp\SupOptCrash.dll
Filesize
3.8MB

MD5
87a2604a3b414f8817016d33b06a31f9

SHA1
96b5db8bc388fdb38b197bdd140fc25528c2bf10

SHA256
1e8808d8ce63b3a57f06f1de1dd861bdb39bb9b84c3708373e8e5cea22e64e88

SHA512
cd4103c0b74b6397363df979bfe132f89dcdc45bdb09c33fe28de37574b5bb2eadae5c18e873ae6f0b7dbd866c62a9053d14a11b964a3bddb4e6d1fca247b662

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VHNH5.tmp\supoptsetup.tmp
Filesize
1.6MB

MD5
0b6042a0d575c24ca67657fefb70649a

SHA1
58bca3c01571945cc60904e7c4274070a8c1c564

SHA256
b2461953108aa78a1ed07ab0652bfa21e1902ea45d403e4789901027e3605cef

SHA512
3d5b8737d21681c178fd82770589c14b4e09e7ed526e4b82d87d187030ac9b61212a046f697b7cb80b62771af88a9cc738388195b59c34c63d666f1624bdc328

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VHNH5.tmp\supoptsetup.tmp
Filesize
1.6MB

MD5
0b6042a0d575c24ca67657fefb70649a

SHA1
58bca3c01571945cc60904e7c4274070a8c1c564

SHA256
b2461953108aa78a1ed07ab0652bfa21e1902ea45d403e4789901027e3605cef

SHA512
3d5b8737d21681c178fd82770589c14b4e09e7ed526e4b82d87d187030ac9b61212a046f697b7cb80b62771af88a9cc738388195b59c34c63d666f1624bdc328

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1E4D7FA8-1FD7-4620-A58C-3FAF74014CC5}\supoptsetup.exe
Filesize
7.5MB

MD5
74a2f97a1ad83d19a9ba09826846ccf7

SHA1
25fc422ea21b5de0bb14e9ec2b34edd0fbcbaff4

SHA256
57dc6f82e0bbe3e456c16e4cd2625b80756ae6074489754d6c0e19b0319bfb1f

SHA512
e4087dd7d441a487922b9e78f892d621b25384e5c7125e9112d9c84038038ab51cf427e89336bf8286f54142d325a57db868c2f27f5c38e6602d476995e4b12f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1E4D7FA8-1FD7-4620-A58C-3FAF74014CC5}\supoptsetup.exe
Filesize
7.5MB

MD5
74a2f97a1ad83d19a9ba09826846ccf7

SHA1
25fc422ea21b5de0bb14e9ec2b34edd0fbcbaff4

SHA256
57dc6f82e0bbe3e456c16e4cd2625b80756ae6074489754d6c0e19b0319bfb1f

SHA512
e4087dd7d441a487922b9e78f892d621b25384e5c7125e9112d9c84038038ab51cf427e89336bf8286f54142d325a57db868c2f27f5c38e6602d476995e4b12f

Download Submit
\??\c:\Program Files (x86)\Super Optimizer\SupOptCrash.dll
Filesize
3.8MB

MD5
87a2604a3b414f8817016d33b06a31f9

SHA1
96b5db8bc388fdb38b197bdd140fc25528c2bf10

SHA256
1e8808d8ce63b3a57f06f1de1dd861bdb39bb9b84c3708373e8e5cea22e64e88

SHA512
cd4103c0b74b6397363df979bfe132f89dcdc45bdb09c33fe28de37574b5bb2eadae5c18e873ae6f0b7dbd866c62a9053d14a11b964a3bddb4e6d1fca247b662

Download Submit
memory/220-166-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/220-137-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/220-147-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/220-135-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/220-132-0x0000000000000000-mapping.dmp

Download
memory/2316-156-0x0000000000000000-mapping.dmp

Download
memory/2316-158-0x0000000001980000-0x0000000001CC7000-memory.dmp

Filesize
3.3MB

Download
memory/2536-142-0x0000000006440000-0x0000000006787000-memory.dmp

Filesize
3.3MB

Download
memory/2536-138-0x0000000000000000-mapping.dmp

Download
memory/3804-151-0x0000000002160000-0x00000000024A7000-memory.dmp

Filesize
3.3MB

Download
memory/3804-148-0x0000000000000000-mapping.dmp

Download
memory/4212-163-0x0000000000000000-mapping.dmp

Download