db51b72a02b5c5d11e15c1a30a8e45b5390c82939621d336e2fb3401438222ad

Analysis

max time kernel
138s
max time network
46s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db51b72a02b5c5d11e15c1a30a8e45b5390c82939621d336e2fb3401438222ad.exe
Size

8.5MB
MD5

9cb2d3290db3855f8453c75761932e29
SHA1

d0991476007d5f0dd45e93a956246454d7138783
SHA256

db51b72a02b5c5d11e15c1a30a8e45b5390c82939621d336e2fb3401438222ad
SHA512

05c2056d9ccbdee7445b12ef120bab0c57031988a3ee1000fc93166ff2097e15eb15349b8554e0969a734c88eca8d6fc2392d18984fb49d3c69d320e5e8f414f
SSDEEP

196608:hSX0XZV9sWoOB0zaHfqa6leXKdhHSklX06F9ZyBSXPgoSbuJAWk:hSkzZ2za/N+eX+H5Xx9Z6SopAAWk

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

supoptsetup.exesupoptsetup.tmpSupOptStart.exe

pid process

1260 supoptsetup.exe
1132 supoptsetup.tmp
1356 SupOptStart.exe
Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
1260	supoptsetup.exe
1132	supoptsetup.tmp
1356	SupOptStart.exe

Loads dropped DLL 20 IoCs

Processes:

db51b72a02b5c5d11e15c1a30a8e45b5390c82939621d336e2fb3401438222ad.exesupoptsetup.exesupoptsetup.tmprundll32.exerundll32.exe

pid	process
1632	db51b72a02b5c5d11e15c1a30a8e45b5390c82939621d336e2fb3401438222ad.exe
1260	supoptsetup.exe
1132	supoptsetup.tmp
1132	supoptsetup.tmp
1132	supoptsetup.tmp
1132	supoptsetup.tmp
1132	supoptsetup.tmp
1132	supoptsetup.tmp
1132	supoptsetup.tmp
572	rundll32.exe
572	rundll32.exe
572	rundll32.exe
572	rundll32.exe
392	rundll32.exe
392	rundll32.exe
392	rundll32.exe
392	rundll32.exe
1132	supoptsetup.tmp
1132	supoptsetup.tmp
392	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

supoptsetup.tmp

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	supoptsetup.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Super Optimizer = "C:\\Program Files (x86)\\Super Optimizer\\SupOptLauncher.exe"	supoptsetup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 33 IoCs

Processes:

supoptsetup.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\Super Optimizer\SupOptHelper.dll	supoptsetup.tmp
File opened for modification	C:\Program Files (x86)\Super Optimizer\SuperOptimizer.exe	supoptsetup.tmp
File created	C:\Program Files (x86)\Super Optimizer\is-EEGPQ.tmp	supoptsetup.tmp
File created	C:\Program Files (x86)\Super Optimizer\is-GK1P8.tmp	supoptsetup.tmp
File created	C:\Program Files (x86)\Super Optimizer\is-R6BE5.tmp	supoptsetup.tmp
File created	C:\Program Files (x86)\Super Optimizer\is-II083.tmp	supoptsetup.tmp
File created	C:\Program Files (x86)\Super Optimizer\is-98O94.tmp	supoptsetup.tmp
File opened for modification	C:\Program Files (x86)\Super Optimizer\sqlite3.dll	supoptsetup.tmp
File created	C:\Program Files (x86)\Super Optimizer\is-VU4TO.tmp	supoptsetup.tmp
File opened for modification	C:\Program Files (x86)\Super Optimizer\SuperOptimizer.chm	supoptsetup.tmp
File opened for modification	C:\Program Files (x86)\Super Optimizer\SupOptStart.exe	supoptsetup.tmp
File created	C:\Program Files (x86)\Super Optimizer\unins000.dat	supoptsetup.tmp
File created	C:\Program Files (x86)\Super Optimizer\is-7TPVM.tmp	supoptsetup.tmp
File created	C:\Program Files (x86)\Super Optimizer\is-0AS07.tmp	supoptsetup.tmp
File created	C:\Program Files (x86)\Super Optimizer\is-EBLUP.tmp	supoptsetup.tmp
File created	C:\Program Files (x86)\Super Optimizer\is-SSBES.tmp	supoptsetup.tmp
File opened for modification	C:\Program Files (x86)\Super Optimizer\SupOptLauncher.exe	supoptsetup.tmp
File created	C:\Program Files (x86)\Super Optimizer\is-BU0RN.tmp	supoptsetup.tmp
File created	C:\Program Files (x86)\Super Optimizer\is-TCHRH.tmp	supoptsetup.tmp
File opened for modification	C:\Program Files (x86)\Super Optimizer\SupOptGuard.exe	supoptsetup.tmp
File created	C:\Program Files (x86)\Super Optimizer\is-OQ48C.tmp	supoptsetup.tmp
File created	C:\Program Files (x86)\Super Optimizer\is-BF8OH.tmp	supoptsetup.tmp
File created	C:\Program Files (x86)\Super Optimizer\is-4AFRD.tmp	supoptsetup.tmp
File opened for modification	C:\Program Files (x86)\Super Optimizer\unins000.dat	supoptsetup.tmp
File created	C:\Program Files (x86)\Super Optimizer\is-B5NFV.tmp	supoptsetup.tmp
File created	C:\Program Files (x86)\Super Optimizer\unins000.msg	supoptsetup.tmp
File opened for modification	C:\Program Files (x86)\Super Optimizer\SupOptSchedule.exe	supoptsetup.tmp
File opened for modification	C:\Program Files (x86)\Super Optimizer\SupOptUninstaller.exe	supoptsetup.tmp
File created	C:\Program Files (x86)\Super Optimizer\SupOptCrash.dll	supoptsetup.tmp
File opened for modification	C:\Program Files (x86)\Super Optimizer\SupOptReminder.exe	supoptsetup.tmp
File opened for modification	C:\Program Files (x86)\Super Optimizer\SupOptSmartScan.exe	supoptsetup.tmp
File created	C:\Program Files (x86)\Super Optimizer\is-O04N4.tmp	supoptsetup.tmp
File created	C:\Program Files (x86)\Super Optimizer\is-RO68P.tmp	supoptsetup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 51 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\e8f9dcc7 = "UlAr/XJ/c//k////"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\48bd1aff = "V/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\f1f24e29 = "Vl/l/C/////%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\f2c53c49 = "UlAr/XJ/c//k////"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\0e93c3f3 = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\37b7a6d8 = "UlAr/XJ/c//k////"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\72758a5d = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\a2e3b941 = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\c5705860 = "Vx////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\c99a5f5c = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\d94388d2 = "blA+/Y//GPAf/X6/b/Ah/Xt/aPAp/Yq/GPAf/YV/cPAf/XF/UxAs/X6/aP////%%"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\414bc593 = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\65114b36 = "VP/+////"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\a0743acc = "N/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\d1abcdb6 = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\e46c271e = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\f6ad6fa6 = "V/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\fe94ce1e = "V/////%%"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\0c230bcb = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\27ddcf6f = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\3c09c42b = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\51d2f2ea = "JlA+/Y//GPAf/B//IlAl/YP/HPAi/Xt/dxAu/YZ/Z//e/B2/N//l/B2/Vx/l/CD/NP////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\7367429f = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\7f69fa1f = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\c6c5dd44 = "V/////%%"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\00000000\493c7345 = 6d0055003100500030003700300030007000780031004d0030003600450030006d00300031004f0030003600680030006e0078003100440030003700430030007000780031004d00300037006200300061006c0031004400300036004900300070006c0031005400300030002500250000006d0055003100500030003700300030007000780031004d0030003600450030006d00300031004f0030003600680030006e0078003100440030003700430030007000780031004d0030003700780030006f00780031005a00300036007400300061006c00310053003000360074003000690030003000250000000000	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\f0bf0bde = "///%"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\060df2cd = "blA+/Y//GPAf/X6/b/Ah/Xt/aPAp/Yq/GPAp/YP/UxAs/X6/aP////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\2d71d5ab = "V/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\38583bc3 = "Ml/2/CF/M//g/CZ////%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\6185d035 = "VP/h/CP/V//l////"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\8b9e4cbc = "V/////%%"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\00000000	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\c24899a6 = "Vx/g/C//M/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\bbf88800 = "///%"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\00000000\a47da861 = 6f00300031004f0030003700780030006d00300030004b0030003200450030006100550031004e0030003700740030006d00300031002b0030003700380030006e0055003100550030003700780030006f00780031005a0030003600680030006a006c0031002b0030003700380030006900300031004400300036004f003000700078003100670030003200490030006e006c0031002b003000370078003000610055003100500030003600490030006f007800310053003000370062003000690030003100650030003600550030006e00300030005400300030002500250000006f00300031004f0030003700780030006d00300030004b0030003200450030006100550031004e0030003700740030006d00300031002b0030003700380030006e0055003100550030003700780030006f00780031005a0030003600680030006a006c0031002b0030003700380030006d00550031005000300037003800300070006c003100680030003200490030007100550031005400300036004f003000610055003100500030003600490030006f007800310053003000370062003000690030003100650030003600550030006e00300030005400300030002500250000006f00300031004f0030003700780030006d00300030004b00300032004500300061005500310065003000370062003000690078003100550030003600740030006d006c003100540030003700300030006900300031004400300036004f0030006f00780031004b0030003600740030006d006c003100500030003700780030006f0078003100590030003600680030006900300031004a0030003200490030007100550031005400300036004f003000610055003100500030003600490030006f007800310053003000370062003000690030003100650030003600550030006e00300030005400300030002500250000006f00300031004f0030003700780030006d00300030004b0030003200450030006100550031004f00300036006c0030007000780031005200300036007400300071006c0030005a003000370062003000690078003100550030003600740030006d006c003100540030003700300030006900300031004400300036004f0030006f00780031004b0030003600740030006d006c003000530030003600620030006e00550031005a003000320045003000690078003100530030003600680030006e006c0031004e00300037007800300071007800310059003000360055003000610055003000250000006f00300031004f0030003700780030006d00300030004b0030003200450030006100550031004f0030003600340030006f00550031002b003000370062003000690078003100550030003600740030006d006c003100540030003700300030006900300031004400300036004f0030006f00780031004b0030003600740030006d006c003100500030003700780030006f00780031005900300037006200300061006c003100670030003600450030006e0078003000540030003700740030006e006c003100440030003600490030006d00550031004f0030003600340030006e00300031005900300032004500300000006f00300031004f0030003700780030006d00300030004b0030003200450030006100550031005200300036006c0030007100780031004f0030003600340030006900550031002b0030003600380030006d0055003100500030003700300030007000780031004d0030003600450030006d00300031004f0030003600680030006e0078003100440030003700430030007000780031004d0030003200490030007100550031005400300036004f003000610055003100500030003600490030006f007800310053003000370062003000690030003100650030003600550030006e00300030005400300030002500250000006f00300031004f0030003700780030006d00300030004b00300032004500300061005500310065003000370062003000690078003100550030003600740030006d006c003100540030003700300030006900300031004400300036004f0030006f00780031004b0030003600740030006d006c003000530030003600490030007000780031004f003000320045003000690078003100530030003600680030006e006c0031004e00300037007800300071007800310059003000360055003000610055003000250000006f00300031004f0030003700780030006d00300030004b0030003200450030006100550031004e0030003700740030006d00300031002b0030003700380030006e0055003100550030003700780030006f00780031005a0030003600680030006a006c0031002b0030003700380030006900550031002b00300036003800300071006c00310044003000360049003000700055003000530030003600620030006e00550031005a003000320045003000690078003100530030003600680030006e006c0031004e00300037007800300071007800310059003000360055003000610055003000250000006f00300031004f0030003700780030006d00300030004b003000320045003000610055003100540030003700300030006900300031004400300036004f0030006f00780031004b0030003600740030006d006c0031004e0030003700740030006d00300031002b0030003700380030006d00550031002b00300037007800300061006c003100670030003600450030006e0078003000540030003700740030006e006c003100440030003600490030006d00550031004f0030003600340030006e00300031005900300032004500300000006f00300031004f0030003700780030006d00300030004b0030003200450030006100550031004e0030003700740030006d00300031002b0030003700380030006e0055003100550030003700780030006f00780031005a0030003600680030006a006c0031002b0030003700380030006d00550031002b00300037007800300061006c0031004400300036004900300070006c00310054003000320045003000690078003100530030003600680030006e006c0031004e00300037007800300071007800310059003000360055003000610055003000250000000000	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\0dc3ee96 = "/P////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\1520c6f1 = "V/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\2e22d94e = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\587b5709 = "V/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\a1dcff5b = "V/////%%"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\00000000\3efeb33e = 00000000	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\00000000\370856c7 = 00000000	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\1c311243 = "blA+/Y//GPAf/X6/b/Ah/Xt/aPAp/Yq/GPAf/YV/cPAf/XF/UxAs/X6/aP////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\340d3099 = "/P////%%"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\iiid = "1"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}	rundll32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

supoptsetup.tmprundll32.exe

pid process

1132 supoptsetup.tmp
1132 supoptsetup.tmp
392 rundll32.exe
392 rundll32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

supoptsetup.tmp

pid process

1132 supoptsetup.tmp

pid	process
1132	supoptsetup.tmp
1132	supoptsetup.tmp
392	rundll32.exe
392	rundll32.exe

pid	process
1132	supoptsetup.tmp

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

db51b72a02b5c5d11e15c1a30a8e45b5390c82939621d336e2fb3401438222ad.exesupoptsetup.exesupoptsetup.tmprundll32.exe

description	pid	process	target process
PID 1632 wrote to memory of 1260	1632	db51b72a02b5c5d11e15c1a30a8e45b5390c82939621d336e2fb3401438222ad.exe	supoptsetup.exe
PID 1632 wrote to memory of 1260	1632	db51b72a02b5c5d11e15c1a30a8e45b5390c82939621d336e2fb3401438222ad.exe	supoptsetup.exe
PID 1632 wrote to memory of 1260	1632	db51b72a02b5c5d11e15c1a30a8e45b5390c82939621d336e2fb3401438222ad.exe	supoptsetup.exe
PID 1632 wrote to memory of 1260	1632	db51b72a02b5c5d11e15c1a30a8e45b5390c82939621d336e2fb3401438222ad.exe	supoptsetup.exe
PID 1632 wrote to memory of 1260	1632	db51b72a02b5c5d11e15c1a30a8e45b5390c82939621d336e2fb3401438222ad.exe	supoptsetup.exe
PID 1632 wrote to memory of 1260	1632	db51b72a02b5c5d11e15c1a30a8e45b5390c82939621d336e2fb3401438222ad.exe	supoptsetup.exe
PID 1632 wrote to memory of 1260	1632	db51b72a02b5c5d11e15c1a30a8e45b5390c82939621d336e2fb3401438222ad.exe	supoptsetup.exe
PID 1260 wrote to memory of 1132	1260	supoptsetup.exe	supoptsetup.tmp
PID 1260 wrote to memory of 1132	1260	supoptsetup.exe	supoptsetup.tmp
PID 1260 wrote to memory of 1132	1260	supoptsetup.exe	supoptsetup.tmp
PID 1260 wrote to memory of 1132	1260	supoptsetup.exe	supoptsetup.tmp
PID 1260 wrote to memory of 1132	1260	supoptsetup.exe	supoptsetup.tmp
PID 1260 wrote to memory of 1132	1260	supoptsetup.exe	supoptsetup.tmp
PID 1260 wrote to memory of 1132	1260	supoptsetup.exe	supoptsetup.tmp
PID 1132 wrote to memory of 572	1132	supoptsetup.tmp	rundll32.exe
PID 1132 wrote to memory of 572	1132	supoptsetup.tmp	rundll32.exe
PID 1132 wrote to memory of 572	1132	supoptsetup.tmp	rundll32.exe
PID 1132 wrote to memory of 572	1132	supoptsetup.tmp	rundll32.exe
PID 1132 wrote to memory of 572	1132	supoptsetup.tmp	rundll32.exe
PID 1132 wrote to memory of 572	1132	supoptsetup.tmp	rundll32.exe
PID 1132 wrote to memory of 572	1132	supoptsetup.tmp	rundll32.exe
PID 1600 wrote to memory of 392	1600	rundll32.exe	rundll32.exe
PID 1600 wrote to memory of 392	1600	rundll32.exe	rundll32.exe
PID 1600 wrote to memory of 392	1600	rundll32.exe	rundll32.exe
PID 1600 wrote to memory of 392	1600	rundll32.exe	rundll32.exe
PID 1600 wrote to memory of 392	1600	rundll32.exe	rundll32.exe
PID 1600 wrote to memory of 392	1600	rundll32.exe	rundll32.exe
PID 1600 wrote to memory of 392	1600	rundll32.exe	rundll32.exe
PID 1132 wrote to memory of 1356	1132	supoptsetup.tmp	SupOptStart.exe
PID 1132 wrote to memory of 1356	1132	supoptsetup.tmp	SupOptStart.exe
PID 1132 wrote to memory of 1356	1132	supoptsetup.tmp	SupOptStart.exe
PID 1132 wrote to memory of 1356	1132	supoptsetup.tmp	SupOptStart.exe

C:\Users\Admin\AppData\Local\Temp\db51b72a02b5c5d11e15c1a30a8e45b5390c82939621d336e2fb3401438222ad.exe
"C:\Users\Admin\AppData\Local\Temp\db51b72a02b5c5d11e15c1a30a8e45b5390c82939621d336e2fb3401438222ad.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\{BCD43444-C963-43BC-B6A9-EEE390145562}\supoptsetup.exe
/VERYSILENT
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1260

C:\Users\Admin\AppData\Local\Temp\is-A0FVL.tmp\supoptsetup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-A0FVL.tmp\supoptsetup.tmp" /SL5="$60116,7226305,643584,C:\Users\Admin\AppData\Local\Temp\{BCD43444-C963-43BC-B6A9-EEE390145562}\supoptsetup.exe" /VERYSILENT
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1132

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\Super Optimizer\SupOptCrash.dll",ENT -install
4⤵
- Loads dropped DLL
PID:572

C:\Program Files (x86)\Super Optimizer\SupOptStart.exe
"C:\Program Files (x86)\Super Optimizer\SupOptStart.exe"
4⤵
- Executes dropped EXE
PID:1356

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\Super Optimizer\SupOptCrash.dll",ENT
1⤵
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\Super Optimizer\SupOptCrash.dll",ENT
2⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Super Optimizer\SupOptStart.exe
Filesize
1.1MB

MD5
d5ba50dcf68c6a32a6454143737cd7d1

SHA1
962fd06b079a90cb782f2617b70bd2778460208f

SHA256
a7f01c46b7d9b6b1dcc3f6f734b8b6eba7df52669a9fe9dda274ff92023db54f

SHA512
0d6fea0101e7b8f92c7f2a65c1723422f3c74463756e96d1d833356b7dfdc5bc784aa08d889b1de94d64aa8098535a7736a2127c8d790b4186dc58a21e69fc26

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-A0FVL.tmp\supoptsetup.tmp
Filesize
1.6MB

MD5
0b6042a0d575c24ca67657fefb70649a

SHA1
58bca3c01571945cc60904e7c4274070a8c1c564

SHA256
b2461953108aa78a1ed07ab0652bfa21e1902ea45d403e4789901027e3605cef

SHA512
3d5b8737d21681c178fd82770589c14b4e09e7ed526e4b82d87d187030ac9b61212a046f697b7cb80b62771af88a9cc738388195b59c34c63d666f1624bdc328

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-A0FVL.tmp\supoptsetup.tmp
Filesize
1.6MB

MD5
0b6042a0d575c24ca67657fefb70649a

SHA1
58bca3c01571945cc60904e7c4274070a8c1c564

SHA256
b2461953108aa78a1ed07ab0652bfa21e1902ea45d403e4789901027e3605cef

SHA512
3d5b8737d21681c178fd82770589c14b4e09e7ed526e4b82d87d187030ac9b61212a046f697b7cb80b62771af88a9cc738388195b59c34c63d666f1624bdc328

Download Submit
C:\Users\Admin\AppData\Local\Temp\{BCD43444-C963-43BC-B6A9-EEE390145562}\supoptsetup.exe
Filesize
7.5MB

MD5
74a2f97a1ad83d19a9ba09826846ccf7

SHA1
25fc422ea21b5de0bb14e9ec2b34edd0fbcbaff4

SHA256
57dc6f82e0bbe3e456c16e4cd2625b80756ae6074489754d6c0e19b0319bfb1f

SHA512
e4087dd7d441a487922b9e78f892d621b25384e5c7125e9112d9c84038038ab51cf427e89336bf8286f54142d325a57db868c2f27f5c38e6602d476995e4b12f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{BCD43444-C963-43BC-B6A9-EEE390145562}\supoptsetup.exe
Filesize
7.5MB

MD5
74a2f97a1ad83d19a9ba09826846ccf7

SHA1
25fc422ea21b5de0bb14e9ec2b34edd0fbcbaff4

SHA256
57dc6f82e0bbe3e456c16e4cd2625b80756ae6074489754d6c0e19b0319bfb1f

SHA512
e4087dd7d441a487922b9e78f892d621b25384e5c7125e9112d9c84038038ab51cf427e89336bf8286f54142d325a57db868c2f27f5c38e6602d476995e4b12f

Download Submit
\??\c:\Program Files (x86)\Super Optimizer\SupOptCrash.dll
Filesize
3.8MB

MD5
87a2604a3b414f8817016d33b06a31f9

SHA1
96b5db8bc388fdb38b197bdd140fc25528c2bf10

SHA256
1e8808d8ce63b3a57f06f1de1dd861bdb39bb9b84c3708373e8e5cea22e64e88

SHA512
cd4103c0b74b6397363df979bfe132f89dcdc45bdb09c33fe28de37574b5bb2eadae5c18e873ae6f0b7dbd866c62a9053d14a11b964a3bddb4e6d1fca247b662

Download Submit
\Program Files (x86)\Super Optimizer\SupOptCrash.dll
Filesize
3.8MB

MD5
87a2604a3b414f8817016d33b06a31f9

SHA1
96b5db8bc388fdb38b197bdd140fc25528c2bf10

SHA256
1e8808d8ce63b3a57f06f1de1dd861bdb39bb9b84c3708373e8e5cea22e64e88

SHA512
cd4103c0b74b6397363df979bfe132f89dcdc45bdb09c33fe28de37574b5bb2eadae5c18e873ae6f0b7dbd866c62a9053d14a11b964a3bddb4e6d1fca247b662

Download Submit
\Program Files (x86)\Super Optimizer\SupOptCrash.dll
Filesize
3.8MB

MD5
87a2604a3b414f8817016d33b06a31f9

SHA1
96b5db8bc388fdb38b197bdd140fc25528c2bf10

SHA256
1e8808d8ce63b3a57f06f1de1dd861bdb39bb9b84c3708373e8e5cea22e64e88

SHA512
cd4103c0b74b6397363df979bfe132f89dcdc45bdb09c33fe28de37574b5bb2eadae5c18e873ae6f0b7dbd866c62a9053d14a11b964a3bddb4e6d1fca247b662

Download Submit
\Program Files (x86)\Super Optimizer\SupOptCrash.dll
Filesize
3.8MB

MD5
87a2604a3b414f8817016d33b06a31f9

SHA1
96b5db8bc388fdb38b197bdd140fc25528c2bf10

SHA256
1e8808d8ce63b3a57f06f1de1dd861bdb39bb9b84c3708373e8e5cea22e64e88

SHA512
cd4103c0b74b6397363df979bfe132f89dcdc45bdb09c33fe28de37574b5bb2eadae5c18e873ae6f0b7dbd866c62a9053d14a11b964a3bddb4e6d1fca247b662

Download Submit
\Program Files (x86)\Super Optimizer\SupOptCrash.dll
Filesize
3.8MB

MD5
87a2604a3b414f8817016d33b06a31f9

SHA1
96b5db8bc388fdb38b197bdd140fc25528c2bf10

SHA256
1e8808d8ce63b3a57f06f1de1dd861bdb39bb9b84c3708373e8e5cea22e64e88

SHA512
cd4103c0b74b6397363df979bfe132f89dcdc45bdb09c33fe28de37574b5bb2eadae5c18e873ae6f0b7dbd866c62a9053d14a11b964a3bddb4e6d1fca247b662

Download Submit
\Program Files (x86)\Super Optimizer\SupOptCrash.dll
Filesize
3.8MB

MD5
87a2604a3b414f8817016d33b06a31f9

SHA1
96b5db8bc388fdb38b197bdd140fc25528c2bf10

SHA256
1e8808d8ce63b3a57f06f1de1dd861bdb39bb9b84c3708373e8e5cea22e64e88

SHA512
cd4103c0b74b6397363df979bfe132f89dcdc45bdb09c33fe28de37574b5bb2eadae5c18e873ae6f0b7dbd866c62a9053d14a11b964a3bddb4e6d1fca247b662

Download Submit
\Program Files (x86)\Super Optimizer\SupOptCrash.dll
Filesize
3.8MB

MD5
87a2604a3b414f8817016d33b06a31f9

SHA1
96b5db8bc388fdb38b197bdd140fc25528c2bf10

SHA256
1e8808d8ce63b3a57f06f1de1dd861bdb39bb9b84c3708373e8e5cea22e64e88

SHA512
cd4103c0b74b6397363df979bfe132f89dcdc45bdb09c33fe28de37574b5bb2eadae5c18e873ae6f0b7dbd866c62a9053d14a11b964a3bddb4e6d1fca247b662

Download Submit
\Program Files (x86)\Super Optimizer\SupOptCrash.dll
Filesize
3.8MB

MD5
87a2604a3b414f8817016d33b06a31f9

SHA1
96b5db8bc388fdb38b197bdd140fc25528c2bf10

SHA256
1e8808d8ce63b3a57f06f1de1dd861bdb39bb9b84c3708373e8e5cea22e64e88

SHA512
cd4103c0b74b6397363df979bfe132f89dcdc45bdb09c33fe28de37574b5bb2eadae5c18e873ae6f0b7dbd866c62a9053d14a11b964a3bddb4e6d1fca247b662

Download Submit
\Program Files (x86)\Super Optimizer\SupOptCrash.dll
Filesize
3.8MB

MD5
87a2604a3b414f8817016d33b06a31f9

SHA1
96b5db8bc388fdb38b197bdd140fc25528c2bf10

SHA256
1e8808d8ce63b3a57f06f1de1dd861bdb39bb9b84c3708373e8e5cea22e64e88

SHA512
cd4103c0b74b6397363df979bfe132f89dcdc45bdb09c33fe28de37574b5bb2eadae5c18e873ae6f0b7dbd866c62a9053d14a11b964a3bddb4e6d1fca247b662

Download Submit
\Program Files (x86)\Super Optimizer\SupOptCrash.dll
Filesize
3.8MB

MD5
87a2604a3b414f8817016d33b06a31f9

SHA1
96b5db8bc388fdb38b197bdd140fc25528c2bf10

SHA256
1e8808d8ce63b3a57f06f1de1dd861bdb39bb9b84c3708373e8e5cea22e64e88

SHA512
cd4103c0b74b6397363df979bfe132f89dcdc45bdb09c33fe28de37574b5bb2eadae5c18e873ae6f0b7dbd866c62a9053d14a11b964a3bddb4e6d1fca247b662

Download Submit
\Program Files (x86)\Super Optimizer\SupOptStart.exe
Filesize
1.1MB

MD5
d5ba50dcf68c6a32a6454143737cd7d1

SHA1
962fd06b079a90cb782f2617b70bd2778460208f

SHA256
a7f01c46b7d9b6b1dcc3f6f734b8b6eba7df52669a9fe9dda274ff92023db54f

SHA512
0d6fea0101e7b8f92c7f2a65c1723422f3c74463756e96d1d833356b7dfdc5bc784aa08d889b1de94d64aa8098535a7736a2127c8d790b4186dc58a21e69fc26

Download Submit
\Program Files (x86)\Super Optimizer\SupOptStart.exe
Filesize
1.1MB

MD5
d5ba50dcf68c6a32a6454143737cd7d1

SHA1
962fd06b079a90cb782f2617b70bd2778460208f

SHA256
a7f01c46b7d9b6b1dcc3f6f734b8b6eba7df52669a9fe9dda274ff92023db54f

SHA512
0d6fea0101e7b8f92c7f2a65c1723422f3c74463756e96d1d833356b7dfdc5bc784aa08d889b1de94d64aa8098535a7736a2127c8d790b4186dc58a21e69fc26

Download Submit
\Program Files (x86)\Super Optimizer\SuperOptimizer.exe
Filesize
4.3MB

MD5
4d7ccc28bd91b405eddff13ffdc2e498

SHA1
bb9afbd2efe1be437777e0d4b3ac3fa7625da782

SHA256
b4a7948070262b6a84fe43839586da2117b698d389fa86892a0323c59947132e

SHA512
226936c3daf5803d97f41dd4919a019b6a2a82b6b536158628ffd5e63955bec61a4e766bf89a1cff220bdbc63ddfb1b4f3bc00d1b6fd592b71b27828909bd0bc

Download Submit
\Program Files (x86)\Super Optimizer\SuperOptimizer.exe
Filesize
4.3MB

MD5
4d7ccc28bd91b405eddff13ffdc2e498

SHA1
bb9afbd2efe1be437777e0d4b3ac3fa7625da782

SHA256
b4a7948070262b6a84fe43839586da2117b698d389fa86892a0323c59947132e

SHA512
226936c3daf5803d97f41dd4919a019b6a2a82b6b536158628ffd5e63955bec61a4e766bf89a1cff220bdbc63ddfb1b4f3bc00d1b6fd592b71b27828909bd0bc

Download Submit
\Program Files (x86)\Super Optimizer\SuperOptimizer.exe
Filesize
4.3MB

MD5
4d7ccc28bd91b405eddff13ffdc2e498

SHA1
bb9afbd2efe1be437777e0d4b3ac3fa7625da782

SHA256
b4a7948070262b6a84fe43839586da2117b698d389fa86892a0323c59947132e

SHA512
226936c3daf5803d97f41dd4919a019b6a2a82b6b536158628ffd5e63955bec61a4e766bf89a1cff220bdbc63ddfb1b4f3bc00d1b6fd592b71b27828909bd0bc

Download Submit
\Program Files (x86)\Super Optimizer\unins000.exe
Filesize
1.6MB

MD5
0b6042a0d575c24ca67657fefb70649a

SHA1
58bca3c01571945cc60904e7c4274070a8c1c564

SHA256
b2461953108aa78a1ed07ab0652bfa21e1902ea45d403e4789901027e3605cef

SHA512
3d5b8737d21681c178fd82770589c14b4e09e7ed526e4b82d87d187030ac9b61212a046f697b7cb80b62771af88a9cc738388195b59c34c63d666f1624bdc328

Download Submit
\Users\Admin\AppData\Local\Temp\is-8O2GU.tmp\SupOptCrash.dll
Filesize
3.8MB

MD5
87a2604a3b414f8817016d33b06a31f9

SHA1
96b5db8bc388fdb38b197bdd140fc25528c2bf10

SHA256
1e8808d8ce63b3a57f06f1de1dd861bdb39bb9b84c3708373e8e5cea22e64e88

SHA512
cd4103c0b74b6397363df979bfe132f89dcdc45bdb09c33fe28de37574b5bb2eadae5c18e873ae6f0b7dbd866c62a9053d14a11b964a3bddb4e6d1fca247b662

Download Submit
\Users\Admin\AppData\Local\Temp\is-8O2GU.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-8O2GU.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-A0FVL.tmp\supoptsetup.tmp
Filesize
1.6MB

MD5
0b6042a0d575c24ca67657fefb70649a

SHA1
58bca3c01571945cc60904e7c4274070a8c1c564

SHA256
b2461953108aa78a1ed07ab0652bfa21e1902ea45d403e4789901027e3605cef

SHA512
3d5b8737d21681c178fd82770589c14b4e09e7ed526e4b82d87d187030ac9b61212a046f697b7cb80b62771af88a9cc738388195b59c34c63d666f1624bdc328

Download Submit
\Users\Admin\AppData\Local\Temp\{BCD43444-C963-43BC-B6A9-EEE390145562}\supoptsetup.exe
Filesize
7.5MB

MD5
74a2f97a1ad83d19a9ba09826846ccf7

SHA1
25fc422ea21b5de0bb14e9ec2b34edd0fbcbaff4

SHA256
57dc6f82e0bbe3e456c16e4cd2625b80756ae6074489754d6c0e19b0319bfb1f

SHA512
e4087dd7d441a487922b9e78f892d621b25384e5c7125e9112d9c84038038ab51cf427e89336bf8286f54142d325a57db868c2f27f5c38e6602d476995e4b12f

Download Submit
memory/392-92-0x0000000000000000-mapping.dmp

Download
memory/392-98-0x00000000009A0000-0x0000000000CE7000-memory.dmp

Filesize
3.3MB

Download
memory/572-87-0x0000000001FA0000-0x00000000022E7000-memory.dmp

Filesize
3.3MB

Download
memory/572-80-0x0000000000000000-mapping.dmp

Download
memory/1132-63-0x0000000000000000-mapping.dmp

Download
memory/1132-74-0x0000000074B21000-0x0000000074B23000-memory.dmp

Filesize
8KB

Download
memory/1132-72-0x0000000003BE0000-0x0000000003F27000-memory.dmp

Filesize
3.3MB

Download
memory/1260-62-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1260-58-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1260-57-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1260-108-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1260-55-0x0000000000000000-mapping.dmp

Download
memory/1356-105-0x0000000000000000-mapping.dmp

Download