42485a54736518a73551520f9c2cbba663040cab5458a01f2151146eb8e7d468

General

Target

42485a54736518a73551520f9c2cbba663040cab5458a01f2151146eb8e7d468.exe
Size

5.7MB
MD5

6fc92fd0c948026d90fd56ff56fc99fa
SHA1

bcf4b083fcc3011af696eb24fea547e1f2f96d42
SHA256

42485a54736518a73551520f9c2cbba663040cab5458a01f2151146eb8e7d468
SHA512

e442cfe6a298bff101a97515dfecda1409c2a010e61238fd2ce794c04dcd151222575f64435c47b2ae7917b93ac6d475e505e727f4ce75c6e02d2e784ddacfd9
SSDEEP

98304:sL+wWs7EMO5L6LeyN4mB7ksBDfkPfurxqftiHaSWHD+JiQ0NSHtj5zM:QfE15eiyNqcDAfhVR+JifYtd4

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

optprosetup.exeoptprosetup.tmp

pid process

860 optprosetup.exe
1612 optprosetup.tmp
Loads dropped DLL 3 IoCs

Processes:

optprosetup.tmp

pid process

1612 optprosetup.tmp
1612 optprosetup.tmp
1612 optprosetup.tmp

pid	process
860	optprosetup.exe
1612	optprosetup.tmp

pid	process
1612	optprosetup.tmp
1612	optprosetup.tmp
1612	optprosetup.tmp

Drops file in Program Files directory 12 IoCs

Processes:

optprosetup.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\Optimizer Pro\OptProStart.exe	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\OptProSchedule.exe	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\OptProUninstaller.exe	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\OptProHelper.dll	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\itdownload.dll	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\OptimizerPro.exe	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\sqlite3.dll	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\OptProReminder.exe	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\OptProLauncher.exe	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\OptProSmartScan.exe	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\OptProGuard.exe	optprosetup.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\OptimizerPro.chm	optprosetup.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

optprosetup.tmp

pid process

1612 optprosetup.tmp
1612 optprosetup.tmp

pid	process
1612	optprosetup.tmp
1612	optprosetup.tmp

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

42485a54736518a73551520f9c2cbba663040cab5458a01f2151146eb8e7d468.exeoptprosetup.exe

description	pid	process	target process
PID 3776 wrote to memory of 860	3776	42485a54736518a73551520f9c2cbba663040cab5458a01f2151146eb8e7d468.exe	optprosetup.exe
PID 3776 wrote to memory of 860	3776	42485a54736518a73551520f9c2cbba663040cab5458a01f2151146eb8e7d468.exe	optprosetup.exe
PID 3776 wrote to memory of 860	3776	42485a54736518a73551520f9c2cbba663040cab5458a01f2151146eb8e7d468.exe	optprosetup.exe
PID 860 wrote to memory of 1612	860	optprosetup.exe	optprosetup.tmp
PID 860 wrote to memory of 1612	860	optprosetup.exe	optprosetup.tmp
PID 860 wrote to memory of 1612	860	optprosetup.exe	optprosetup.tmp

C:\Users\Admin\AppData\Local\Temp\42485a54736518a73551520f9c2cbba663040cab5458a01f2151146eb8e7d468.exe
"C:\Users\Admin\AppData\Local\Temp\42485a54736518a73551520f9c2cbba663040cab5458a01f2151146eb8e7d468.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3776

C:\Users\Admin\AppData\Local\Temp\optprosetup.exe
C:\Users\Admin\AppData\Local\Temp\\optprosetup.exe /VERYSILENT
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:860

C:\Users\Admin\AppData\Local\Temp\is-BPH7I.tmp\optprosetup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BPH7I.tmp\optprosetup.tmp" /SL5="$D01BC,5283427,118784,C:\Users\Admin\AppData\Local\Temp\optprosetup.exe" /VERYSILENT
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1612

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-BPH7I.tmp\optprosetup.tmp
Filesize
1.1MB

MD5
50488cf899d007d697893fc72a823fb0

SHA1
bc5512f623656ad69a054d558c35d463a5a8a6c1

SHA256
d9b74c8ed046400b8966ca503bc5a4f0445736949651c4af8faefc68265652cf

SHA512
2b275262a2f7a4a55bc40a8e3e264831273d04f197f52fabfbdb9720f0754da17d3da6a872590aebd5e4fc462b25b55c34c45e56fd7319bf1b52d847dd4f74a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BPH7I.tmp\optprosetup.tmp
Filesize
1.1MB

MD5
50488cf899d007d697893fc72a823fb0

SHA1
bc5512f623656ad69a054d558c35d463a5a8a6c1

SHA256
d9b74c8ed046400b8966ca503bc5a4f0445736949651c4af8faefc68265652cf

SHA512
2b275262a2f7a4a55bc40a8e3e264831273d04f197f52fabfbdb9720f0754da17d3da6a872590aebd5e4fc462b25b55c34c45e56fd7319bf1b52d847dd4f74a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LRAVR.tmp\OptProCrash.dll
Filesize
3.4MB

MD5
8565b14afbe6625e11065a3526c75192

SHA1
2eff65173426ca303dec447d66028552629836d5

SHA256
da5cd23d75fb370d412568ae909e113145e0e472d8a9a80b3e06ed3c8f839c11

SHA512
2740810ab2042e8dd3b887566b0f2bc540ff07737a079c32cf35498e32729651db9466d2db33ff092d43b8735a0b6b83571a146e5503152ced971b23b9e56dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LRAVR.tmp\itdownload.dll
Filesize
200KB

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LRAVR.tmp\itdownload.dll
Filesize
200KB

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
C:\Users\Admin\AppData\Local\Temp\optprosetup.exe
Filesize
5.5MB

MD5
24bcaf1bbb1f29e0245416b5d2873e46

SHA1
ebf1d052c13b9f415afe09541bdab68f37429922

SHA256
fe4797861027b93ec089ffb3c3adcfc35c56a91839cfe5fcff79eeb8ea520d40

SHA512
aeff74eecba81fa8ca6afba44628e725e65334e8f712e5a7c0ab14fb48b1b495730d69a3264258ecbe01ae1693b3781db4b08221bc377d8a11e29e0c3766d55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\optprosetup.exe
Filesize
5.5MB

MD5
24bcaf1bbb1f29e0245416b5d2873e46

SHA1
ebf1d052c13b9f415afe09541bdab68f37429922

SHA256
fe4797861027b93ec089ffb3c3adcfc35c56a91839cfe5fcff79eeb8ea520d40

SHA512
aeff74eecba81fa8ca6afba44628e725e65334e8f712e5a7c0ab14fb48b1b495730d69a3264258ecbe01ae1693b3781db4b08221bc377d8a11e29e0c3766d55c

Download Submit
memory/860-132-0x0000000000000000-mapping.dmp

Download
memory/860-135-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/860-137-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1612-138-0x0000000000000000-mapping.dmp

Download
memory/1612-143-0x00000000032E0000-0x000000000331C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing