343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
23/10/2023, 09:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
Size

4.1MB
MD5

724c20f5e46ac4d10f2d704dc8b13907
SHA1

33c036a22fd7987ac13b38581fda85b9e1ba0b1f
SHA256

343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0
SHA512

441f935a8b15dfa7cdab23ea477e376b24277ea462c6ca947d8d5d2619d48e46a245639d64777d52dd5c90d468e9f59aacf26757105b049eb5ba21f6f43ca75e
SSDEEP

98304:+R0pI/IQlUoMPdmpSp84ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmP5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2036	aoptiloc.exe

Loads dropped DLL 1 IoCs

pid	Process
1732	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocL1\\aoptiloc.exe"	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid8N\\boddevsys.exe"	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1732	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
1732	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
2036	aoptiloc.exe
1732	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
2036	aoptiloc.exe
1732	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
2036	aoptiloc.exe
1732	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
2036	aoptiloc.exe
1732	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
2036	aoptiloc.exe
1732	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
2036	aoptiloc.exe
1732	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
2036	aoptiloc.exe
1732	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
2036	aoptiloc.exe
1732	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
2036	aoptiloc.exe
1732	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
2036	aoptiloc.exe
1732	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
2036	aoptiloc.exe
1732	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
2036	aoptiloc.exe
1732	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
2036	aoptiloc.exe
1732	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
2036	aoptiloc.exe
1732	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
2036	aoptiloc.exe
1732	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
2036	aoptiloc.exe
1732	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
2036	aoptiloc.exe
1732	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
2036	aoptiloc.exe
1732	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
2036	aoptiloc.exe
1732	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
2036	aoptiloc.exe
1732	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
2036	aoptiloc.exe
1732	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
2036	aoptiloc.exe
1732	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
2036	aoptiloc.exe
1732	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
2036	aoptiloc.exe
1732	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
2036	aoptiloc.exe
1732	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
2036	aoptiloc.exe
1732	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
2036	aoptiloc.exe
1732	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
2036	aoptiloc.exe
1732	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
2036	aoptiloc.exe
1732	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
2036	aoptiloc.exe
1732	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
2036	aoptiloc.exe
1732	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2036	1732	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe	28
PID 1732 wrote to memory of 2036	1732	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe	28
PID 1732 wrote to memory of 2036	1732	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe	28
PID 1732 wrote to memory of 2036	1732	343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe	28

C:\Users\Admin\AppData\Local\Temp\343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe
"C:\Users\Admin\AppData\Local\Temp\343c8d29713d5b3474e76c7a1d426326a0bf0c8a9c7df4e3fda4370ce83804c0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1732
- C:\IntelprocL1\aoptiloc.exe
  C:\IntelprocL1\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocL1\aoptiloc.exe

Filesize
4.1MB

MD5
3030802fd2c5890b250362bcfdc5c14e

SHA1
feff70bc3d420c7ab8bc6c7b5fda8544aff8b7ac

SHA256
a1f9007e4b1bd05eeb6ad87bb667c79f39e63270ad96885edfef291615b41263

SHA512
b911671b16d5fa02860efb74ffdd5c247b1c4a07042ba00157bf148eeb96d39796eebd16157f2af67cc314fa8379fc87582c3868d50e1130da4df0f007906568

Download Submit
C:\IntelprocL1\aoptiloc.exe

Filesize
4.1MB

MD5
3030802fd2c5890b250362bcfdc5c14e

SHA1
feff70bc3d420c7ab8bc6c7b5fda8544aff8b7ac

SHA256
a1f9007e4b1bd05eeb6ad87bb667c79f39e63270ad96885edfef291615b41263

SHA512
b911671b16d5fa02860efb74ffdd5c247b1c4a07042ba00157bf148eeb96d39796eebd16157f2af67cc314fa8379fc87582c3868d50e1130da4df0f007906568

Download Submit
C:\IntelprocL1\aoptiloc.exe

Filesize
4.1MB

MD5
3030802fd2c5890b250362bcfdc5c14e

SHA1
feff70bc3d420c7ab8bc6c7b5fda8544aff8b7ac

SHA256
a1f9007e4b1bd05eeb6ad87bb667c79f39e63270ad96885edfef291615b41263

SHA512
b911671b16d5fa02860efb74ffdd5c247b1c4a07042ba00157bf148eeb96d39796eebd16157f2af67cc314fa8379fc87582c3868d50e1130da4df0f007906568

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
208B

MD5
343f411ccb43a5a9ff6e6ecf5fa62f45

SHA1
bd4db62c3198ca8ea11839478cddeb4a17c05530

SHA256
fc582819cf95b7eb2b8e2dc953591e05ae98660056f9080d412a38a7ec03f6ee

SHA512
c359b25f666e9f924b47c030d9f9579a921a74cdd02f4d59b8afca8f16def31e14040f86a4e888c2fba641de1dc7bc53c3273e8c24cffdee815b21088b4964fc

Download Submit
C:\Vid8N\boddevsys.exe

Filesize
4.1MB

MD5
8bda5b84fb50a4bffc04d74e7a565c46

SHA1
4eab7ca104cce061a785e82034c6877493df2ad4

SHA256
9d5306f5f7af96a116545c44315db6111dbe57ba56a971cc3af1959dd3537cad

SHA512
edab27b83a598936947a2ea63700dd04f710d867604f13f845269c513b0b889dc2f6ece06efedf0bb121dcb1e84519eb8093af742c7db96a1e0aac6734d062bb

Download Submit
\IntelprocL1\aoptiloc.exe

Filesize
4.1MB

MD5
3030802fd2c5890b250362bcfdc5c14e

SHA1
feff70bc3d420c7ab8bc6c7b5fda8544aff8b7ac

SHA256
a1f9007e4b1bd05eeb6ad87bb667c79f39e63270ad96885edfef291615b41263

SHA512
b911671b16d5fa02860efb74ffdd5c247b1c4a07042ba00157bf148eeb96d39796eebd16157f2af67cc314fa8379fc87582c3868d50e1130da4df0f007906568

Download Submit