Analysis
-
max time kernel
145s -
max time network
166s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
-
submitted
24-11-2022 14:32
Static task
static1
Behavioral task
behavioral1
Sample
db51b72a02b5c5d11e15c1a30a8e45b5390c82939621d336e2fb3401438222ad.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
db51b72a02b5c5d11e15c1a30a8e45b5390c82939621d336e2fb3401438222ad.exe
Resource
win10v2004-20220812-en
General
-
Target
db51b72a02b5c5d11e15c1a30a8e45b5390c82939621d336e2fb3401438222ad.exe
-
Size
8.5MB
-
MD5
9cb2d3290db3855f8453c75761932e29
-
SHA1
d0991476007d5f0dd45e93a956246454d7138783
-
SHA256
db51b72a02b5c5d11e15c1a30a8e45b5390c82939621d336e2fb3401438222ad
-
SHA512
05c2056d9ccbdee7445b12ef120bab0c57031988a3ee1000fc93166ff2097e15eb15349b8554e0969a734c88eca8d6fc2392d18984fb49d3c69d320e5e8f414f
-
SSDEEP
196608:hSX0XZV9sWoOB0zaHfqa6leXKdhHSklX06F9ZyBSXPgoSbuJAWk:hSkzZ2za/N+eX+H5Xx9Z6SopAAWk
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
pid  process
4036  supoptsetup.exe
3396  supoptsetup.tmp
796  SupOptStart.exe
-
Modifies AppInit DLL entries 2 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description  ioc  process
Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  supoptsetup.tmp
-
Loads dropped DLL 5 IoCs
Processes:
pid  process
3396  supoptsetup.tmp
2180  rundll32.exe
4016  rundll32.exe
4016  rundll32.exe
4016  rundll32.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description  ioc  process
Key created  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run  supoptsetup.tmp
Set value (str)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Super Optimizer = "C:\\Program Files (x86)\\Super Optimizer\\SupOptLauncher.exe"  supoptsetup.tmp
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 33 IoCs
Processes:
description  ioc  process
File created  C:\Program Files (x86)\Super Optimizer\is-0Q702.tmp  supoptsetup.tmp
File created  C:\Program Files (x86)\Super Optimizer\is-SN30V.tmp  supoptsetup.tmp
File created  C:\Program Files (x86)\Super Optimizer\is-3G2TF.tmp  supoptsetup.tmp
File created  C:\Program Files (x86)\Super Optimizer\unins000.msg  supoptsetup.tmp
File opened for modification  C:\Program Files (x86)\Super Optimizer\SupOptLauncher.exe  supoptsetup.tmp
File opened for modification  C:\Program Files (x86)\Super Optimizer\SupOptSmartScan.exe  supoptsetup.tmp
File opened for modification  C:\Program Files (x86)\Super Optimizer\SupOptStart.exe  supoptsetup.tmp
File created  C:\Program Files (x86)\Super Optimizer\is-H0BL5.tmp  supoptsetup.tmp
File created  C:\Program Files (x86)\Super Optimizer\is-T728A.tmp  supoptsetup.tmp
File opened for modification  C:\Program Files (x86)\Super Optimizer\SupOptSchedule.exe  supoptsetup.tmp
File opened for modification  C:\Program Files (x86)\Super Optimizer\SupOptUninstaller.exe  supoptsetup.tmp
File created  C:\Program Files (x86)\Super Optimizer\unins000.dat  supoptsetup.tmp
File created  C:\Program Files (x86)\Super Optimizer\is-9R6Q5.tmp  supoptsetup.tmp
File created  C:\Program Files (x86)\Super Optimizer\is-V7KTD.tmp  supoptsetup.tmp
File created  C:\Program Files (x86)\Super Optimizer\is-RLNIV.tmp  supoptsetup.tmp
File created  C:\Program Files (x86)\Super Optimizer\is-H8641.tmp  supoptsetup.tmp
File opened for modification  C:\Program Files (x86)\Super Optimizer\SupOptHelper.dll  supoptsetup.tmp
File created  C:\Program Files (x86)\Super Optimizer\is-4V29E.tmp  supoptsetup.tmp
File created  C:\Program Files (x86)\Super Optimizer\is-1B2GK.tmp  supoptsetup.tmp
File created  C:\Program Files (x86)\Super Optimizer\is-2NK2R.tmp  supoptsetup.tmp
File created  C:\Program Files (x86)\Super Optimizer\is-69HQN.tmp  supoptsetup.tmp
File opened for modification  C:\Program Files (x86)\Super Optimizer\unins000.dat  supoptsetup.tmp
File opened for modification  C:\Program Files (x86)\Super Optimizer\sqlite3.dll  supoptsetup.tmp
File opened for modification  C:\Program Files (x86)\Super Optimizer\SupOptReminder.exe  supoptsetup.tmp
File created  C:\Program Files (x86)\Super Optimizer\is-I8IF2.tmp  supoptsetup.tmp
File created  C:\Program Files (x86)\Super Optimizer\is-2ECEB.tmp  supoptsetup.tmp
File opened for modification  C:\Program Files (x86)\Super Optimizer\SuperOptimizer.exe  supoptsetup.tmp
File opened for modification  C:\Program Files (x86)\Super Optimizer\SuperOptimizer.chm  supoptsetup.tmp
File created  C:\Program Files (x86)\Super Optimizer\is-DV656.tmp  supoptsetup.tmp
File created  C:\Program Files (x86)\Super Optimizer\is-3HJKQ.tmp  supoptsetup.tmp
File opened for modification  C:\Program Files (x86)\Super Optimizer\SupOptGuard.exe  supoptsetup.tmp
File created  C:\Program Files (x86)\Super Optimizer\is-BSKG8.tmp  supoptsetup.tmp
File created  C:\Program Files (x86)\Super Optimizer\SupOptCrash.dll  supoptsetup.tmp
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 53 IoCs
Processes:
description  ioc  process
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\00000000\370856c7 = 00000000  rundll32.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d  rundll32.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\e46c271e = "///%"  rundll32.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\f0bf0bde = "///%"  rundll32.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE  rundll32.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\00000000\3efeb33e = 00000000  rundll32.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\00000000\493c7345 = 6d0055003100500030003700300030007000780031004d0030003600450030006d00300031004f0030003600680030006e0078003100440030003700430030007000780031004d00300037006200300061006c0031004400300036004900300070006c0031005400300030002500250000006d0055003100500030003700300030007000780031004d0030003600450030006d00300031004f0030003600680030006e0078003100440030003700430030007000780031004d0030003700780030006f00780031005a00300036007400300061006c00310053003000360074003000690030003000250000000000  rundll32.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\7f69fa1f = "///%"  rundll32.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\f1f24e29 = "Vl/l/C/////%"  rundll32.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\AppDataLow  rundll32.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\1520c6f1 = "V/////%%"  rundll32.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\a2e3b941 = "///%"  rundll32.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\f6ad6fa6 = "V/////%%"  rundll32.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\060df2cd = "blA+/Y//GPAf/X6/b/Ah/Xt/aPAp/Yq/GPAp/YP/UxAs/X6/aP////%%"  rundll32.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\51d2f2ea = "JlA+/Y//GPAf/B//IlAl/YP/HPAi/Xt/dxAu/YZ/Z//e/B2/N//l/B2/Vx/l/CD/NP////%%"  rundll32.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\a1dcff5b = "V/////%%"  rundll32.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\c6c5dd44 = "V/////%%"  rundll32.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}  rundll32.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\d94388d2 = "blA+/Y//GPAf/X6/b/Ah/Xt/aPAp/Yq/GPAf/YV/cPAf/XF/UxAs/X6/aP////%%"  rundll32.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb  rundll32.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\00000000  rundll32.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb  rundll32.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\0e93c3f3 = "///%"  rundll32.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\iiid = "1"  rundll32.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\587b5709 = "V/////%%"  rundll32.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\c99a5f5c = "///%"  rundll32.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\c5705860 = "Vx////%%"  rundll32.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\65114b36 = "VP/+////"  rundll32.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\72758a5d = "///%"  rundll32.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\8b9e4cbc = "V/////%%"  rundll32.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\a0743acc = "N/////%%"  rundll32.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\bbf88800 = "///%"  rundll32.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\e8f9dcc7 = "UlAr/XJ/c//k////"  rundll32.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\340d3099 = "/P////%%"  rundll32.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\48bd1aff = "V/////%%"  rundll32.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\6185d035 = "VP/h/CP/V//l////"  rundll32.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\7367429f = "///%"  rundll32.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\0c230bcb = "///%"  rundll32.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\37b7a6d8 = "UlAr/XJ/c//k////"  rundll32.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\00000000\a47da861 = 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  rundll32.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\2d71d5ab = "V/////%%"  rundll32.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\00000000  rundll32.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\2e22d94e = "///%"  rundll32.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\3c09c42b = "///%"  rundll32.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\27ddcf6f = "///%"  rundll32.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\38583bc3 = "Ml/2/CF/M//g/CZ////%"  rundll32.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\414bc593 = "///%"  rundll32.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\c24899a6 = "Vx/g/C//M/////%%"  rundll32.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\f2c53c49 = "UlAr/XJ/c//k////"  rundll32.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\fe94ce1e = "V/////%%"  rundll32.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\0dc3ee96 = "/P////%%"  rundll32.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\1c311243 = "blA+/Y//GPAf/X6/b/Ah/Xt/aPAp/Yq/GPAf/YV/cPAf/XF/UxAs/X6/aP////%%"  rundll32.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_cae99edb\eae10f9d\d1abcdb6 = "///%"  rundll32.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid  process
3396  supoptsetup.tmp
3396  supoptsetup.tmp
4016  rundll32.exe
4016  rundll32.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid  process
3396  supoptsetup.tmp
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
description  pid  process  target process
PID 448 wrote to memory of 4036  448  db51b72a02b5c5d11e15c1a30a8e45b5390c82939621d336e2fb3401438222ad.exe  supoptsetup.exe
PID 448 wrote to memory of 4036  448  db51b72a02b5c5d11e15c1a30a8e45b5390c82939621d336e2fb3401438222ad.exe  supoptsetup.exe
PID 448 wrote to memory of 4036  448  db51b72a02b5c5d11e15c1a30a8e45b5390c82939621d336e2fb3401438222ad.exe  supoptsetup.exe
PID 4036 wrote to memory of 3396  4036  supoptsetup.exe  supoptsetup.tmp
PID 4036 wrote to memory of 3396  4036  supoptsetup.exe  supoptsetup.tmp
PID 4036 wrote to memory of 3396  4036  supoptsetup.exe  supoptsetup.tmp
PID 3396 wrote to memory of 2180  3396  supoptsetup.tmp  rundll32.exe
PID 3396 wrote to memory of 2180  3396  supoptsetup.tmp  rundll32.exe
PID 3396 wrote to memory of 2180  3396  supoptsetup.tmp  rundll32.exe
PID 1668 wrote to memory of 4016  1668  rundll32.exe  rundll32.exe
PID 1668 wrote to memory of 4016  1668  rundll32.exe  rundll32.exe
PID 1668 wrote to memory of 4016  1668  rundll32.exe  rundll32.exe
PID 3396 wrote to memory of 796  3396  supoptsetup.tmp  SupOptStart.exe
PID 3396 wrote to memory of 796  3396  supoptsetup.tmp  SupOptStart.exe
PID 3396 wrote to memory of 796  3396  supoptsetup.tmp  SupOptStart.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\db51b72a02b5c5d11e15c1a30a8e45b5390c82939621d336e2fb3401438222ad.exe (tree depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\db51b72a02b5c5d11e15c1a30a8e45b5390c82939621d336e2fb3401438222ad.exe"
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\{DB3F4AE1-E621-410C-96FD-D845D106EA6E}\supoptsetup.exe (tree depth 2)
Command line: /VERYSILENT
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-MN0TA.tmp\supoptsetup.tmp (tree depth 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\is-MN0TA.tmp\supoptsetup.tmp" /SL5="$80060,7226305,643584,C:\Users\Admin\AppData\Local\Temp\{DB3F4AE1-E621-410C-96FD-D845D106EA6E}\supoptsetup.exe" /VERYSILENT
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe (tree depth 4)
Command line: "C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\Super Optimizer\SupOptCrash.dll",ENT -install
- Loads dropped DLL
-
C:\Program Files (x86)\Super Optimizer\SupOptStart.exe (tree depth 4)
Command line: "C:\Program Files (x86)\Super Optimizer\SupOptStart.exe"
- Executes dropped EXE
-
C:\Windows\system32\rundll32.exe (tree depth 1)
Command line: "C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\Super Optimizer\SupOptCrash.dll",ENT
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe (tree depth 2)
Command line: "C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\Super Optimizer\SupOptCrash.dll",ENT
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\Super Optimizer\SupOptCrash.dll
Filesize 3.8MB
MD5 87a2604a3b414f8817016d33b06a31f9
SHA1 96b5db8bc388fdb38b197bdd140fc25528c2bf10
SHA256 1e8808d8ce63b3a57f06f1de1dd861bdb39bb9b84c3708373e8e5cea22e64e88
SHA512 cd4103c0b74b6397363df979bfe132f89dcdc45bdb09c33fe28de37574b5bb2eadae5c18e873ae6f0b7dbd866c62a9053d14a11b964a3bddb4e6d1fca247b662
-
C:\Program Files (x86)\Super Optimizer\SupOptStart.exe
Filesize 1.1MB
MD5 d5ba50dcf68c6a32a6454143737cd7d1
SHA1 962fd06b079a90cb782f2617b70bd2778460208f
SHA256 a7f01c46b7d9b6b1dcc3f6f734b8b6eba7df52669a9fe9dda274ff92023db54f
SHA512 0d6fea0101e7b8f92c7f2a65c1723422f3c74463756e96d1d833356b7dfdc5bc784aa08d889b1de94d64aa8098535a7736a2127c8d790b4186dc58a21e69fc26
-
C:\Users\Admin\AppData\Local\Temp\is-MN0TA.tmp\supoptsetup.tmp
Filesize 1.6MB
MD5 0b6042a0d575c24ca67657fefb70649a
SHA1 58bca3c01571945cc60904e7c4274070a8c1c564
SHA256 b2461953108aa78a1ed07ab0652bfa21e1902ea45d403e4789901027e3605cef
SHA512 3d5b8737d21681c178fd82770589c14b4e09e7ed526e4b82d87d187030ac9b61212a046f697b7cb80b62771af88a9cc738388195b59c34c63d666f1624bdc328
-
C:\Users\Admin\AppData\Local\Temp\is-O9GS4.tmp\SupOptCrash.dll
Filesize 3.8MB
MD5 87a2604a3b414f8817016d33b06a31f9
SHA1 96b5db8bc388fdb38b197bdd140fc25528c2bf10
SHA256 1e8808d8ce63b3a57f06f1de1dd861bdb39bb9b84c3708373e8e5cea22e64e88
SHA512 cd4103c0b74b6397363df979bfe132f89dcdc45bdb09c33fe28de37574b5bb2eadae5c18e873ae6f0b7dbd866c62a9053d14a11b964a3bddb4e6d1fca247b662
-
C:\Users\Admin\AppData\Local\Temp\{DB3F4AE1-E621-410C-96FD-D845D106EA6E}\supoptsetup.exe
Filesize 7.5MB
MD5 74a2f97a1ad83d19a9ba09826846ccf7
SHA1 25fc422ea21b5de0bb14e9ec2b34edd0fbcbaff4
SHA256 57dc6f82e0bbe3e456c16e4cd2625b80756ae6074489754d6c0e19b0319bfb1f
SHA512 e4087dd7d441a487922b9e78f892d621b25384e5c7125e9112d9c84038038ab51cf427e89336bf8286f54142d325a57db868c2f27f5c38e6602d476995e4b12f
-
\??\c:\Program Files (x86)\Super Optimizer\SupOptCrash.dll
Filesize 3.8MB
MD5 87a2604a3b414f8817016d33b06a31f9
SHA1 96b5db8bc388fdb38b197bdd140fc25528c2bf10
SHA256 1e8808d8ce63b3a57f06f1de1dd861bdb39bb9b84c3708373e8e5cea22e64e88
SHA512 cd4103c0b74b6397363df979bfe132f89dcdc45bdb09c33fe28de37574b5bb2eadae5c18e873ae6f0b7dbd866c62a9053d14a11b964a3bddb4e6d1fca247b662
-
memory/796-163-0x0000000000000000-mapping.dmp
-
memory/2180-148-0x0000000000000000-mapping.dmp
-
memory/2180-151-0x0000000002010000-0x0000000002357000-memory.dmp
Filesize 3.3MB
-
memory/3396-138-0x0000000000000000-mapping.dmp
-
memory/3396-142-0x0000000006300000-0x0000000006647000-memory.dmp
Filesize 3.3MB
-
memory/4016-156-0x0000000000000000-mapping.dmp
-
memory/4016-158-0x00000000019D0000-0x0000000001D17000-memory.dmp
Filesize 3.3MB
-
memory/4036-137-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize 672KB
-
memory/4036-132-0x0000000000000000-mapping.dmp
-
memory/4036-135-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize 672KB
-
memory/4036-166-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize 672KB
-
memory/4036-147-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize 672KB