70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2023, 04:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df.exe
Size

4.1MB
MD5

eed6c310c0f8b2a29f0d6c9f13fab206
SHA1

c0710bb3904bf28d7440ab1b7c289ebba6a73199
SHA256

70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df
SHA512

ac13e3eaeb09154ff06b18d8bdd3d12e55a9d97b987638c71641638f17554d885eef07db5eceaff442a821881ed5c5fe68cec21494d15ac50f05ca3d914f10f5
SSDEEP

98304:+R0pI/IQlUoMPdmpSp04ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmD5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4600	aoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesP4\\aoptisys.exe"	70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-528036852-1341495193-1175965888-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid4D\\dobaec.exe"	70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1740	70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df.exe
1740	70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df.exe
1740	70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df.exe
1740	70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df.exe
4600	aoptisys.exe
4600	aoptisys.exe
1740	70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df.exe
1740	70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df.exe
1740	70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df.exe
1740	70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df.exe
4600	aoptisys.exe
4600	aoptisys.exe
1740	70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df.exe
1740	70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df.exe
4600	aoptisys.exe
4600	aoptisys.exe
1740	70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df.exe
1740	70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df.exe
4600	aoptisys.exe
4600	aoptisys.exe
1740	70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df.exe
1740	70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df.exe
4600	aoptisys.exe
4600	aoptisys.exe
1740	70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df.exe
1740	70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df.exe
4600	aoptisys.exe
4600	aoptisys.exe
1740	70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df.exe
1740	70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df.exe
4600	aoptisys.exe
4600	aoptisys.exe
1740	70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df.exe
1740	70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df.exe
4600	aoptisys.exe
4600	aoptisys.exe
1740	70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df.exe
1740	70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df.exe
4600	aoptisys.exe
4600	aoptisys.exe
1740	70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df.exe
1740	70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df.exe
4600	aoptisys.exe
4600	aoptisys.exe
1740	70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df.exe
1740	70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df.exe
4600	aoptisys.exe
4600	aoptisys.exe
1740	70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df.exe
1740	70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df.exe
4600	aoptisys.exe
4600	aoptisys.exe
1740	70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df.exe
1740	70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df.exe
4600	aoptisys.exe
4600	aoptisys.exe
1740	70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df.exe
1740	70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df.exe
4600	aoptisys.exe
4600	aoptisys.exe
1740	70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df.exe
1740	70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df.exe
4600	aoptisys.exe
4600	aoptisys.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 4600	1740	70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df.exe	86
PID 1740 wrote to memory of 4600	1740	70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df.exe	86
PID 1740 wrote to memory of 4600	1740	70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df.exe	86

C:\Users\Admin\AppData\Local\Temp\70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df.exe
"C:\Users\Admin\AppData\Local\Temp\70500ddbe38508a4e8576cd35ed8424016876e11c690333522e59bb13dfb05df.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1740
- C:\FilesP4\aoptisys.exe
  C:\FilesP4\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesP4\aoptisys.exe

Filesize
4.1MB

MD5
0e63085233da08e60654e1846db7dd1e

SHA1
2ce086c352153fc1720d8fc74525718b9a3cd100

SHA256
bd7babd706c0d024b86f0d9f739ca57472bd21a85cf14ab85ab27b4eca84815d

SHA512
ea12d993b55bc34959b94f7bfdbd163ed2a308850d78262d74258e0415b1a0a49247534c6de21f04b729182e8c1b0a61b60e2a6b0fa2ada8d49480638974290b

Download Submit
C:\FilesP4\aoptisys.exe

Filesize
4.1MB

MD5
0e63085233da08e60654e1846db7dd1e

SHA1
2ce086c352153fc1720d8fc74525718b9a3cd100

SHA256
bd7babd706c0d024b86f0d9f739ca57472bd21a85cf14ab85ab27b4eca84815d

SHA512
ea12d993b55bc34959b94f7bfdbd163ed2a308850d78262d74258e0415b1a0a49247534c6de21f04b729182e8c1b0a61b60e2a6b0fa2ada8d49480638974290b

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
199B

MD5
9aeb75db0ba05edf932b1e38e15ec2bf

SHA1
20c3f6ef2ca356297b4b324a7e08775b23f90aa7

SHA256
7bf947ebebb9041aad695140a842792ed9bd935ffe48f70ca941c231c9e77da6

SHA512
3b3dc44e5cb33f053ed98926266f99faa666f2a8707bbe23bf76333fd6511e0030244e14e02909237b993d1374e4bd9b93f2a5d8828cf9ad61835ac5040dba3e

Download Submit
C:\Vid4D\dobaec.exe

Filesize
2.2MB

MD5
e6d63c3f5e1e3b44f080661fa3f444d1

SHA1
d3b45ba59b90aa0733f8dc1b4b2f663c28d145cb

SHA256
8af5e6fbe4d35f4fea1b09e7fcd6e8ae9e25d186b26527f19b373f0bd6422da4

SHA512
eac89b43e8088d3509b7d89fa0e93bcbbb4f9f7d1004cddbe267c3e1fdf958ca48800ea9d8e8c1cd4fe7d4e1292a1076775c0d7dbb5dca58e0162a55d1239d34

Download Submit
C:\Vid4D\dobaec.exe

Filesize
4.1MB

MD5
dec0c08926d6f88df411f2faa3664239

SHA1
2a082bb810cb6a2a71656567080a289eff27cdbe

SHA256
592acbe1eb6a18a1d43b3cb6a23b59939c549e16aa3750d2a706e723e3f94c94

SHA512
0fa023d1165ea9080cd35f9b71c9d296e2e1cfdeb472692e676d619025a6cf8976b287e44ee75eba90a84ea3bfeafcb564831f3ec437d66db01248d596eef0e8

Download Submit