2f7c7beb47d09ff84c9955ba4577bdcc2e111915f22a1972e3524f2c7b5f7fd9

Analysis

max time kernel
151s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
16/11/2023, 07:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.f5d9228029de41fa5f0b6a0849e43fe0.exe
Size

4.1MB
MD5

f5d9228029de41fa5f0b6a0849e43fe0
SHA1

f4c928155ecd0ab55f0ffe641a1bd7a5beea671f
SHA256

2f7c7beb47d09ff84c9955ba4577bdcc2e111915f22a1972e3524f2c7b5f7fd9
SHA512

0378d7ac16c27e9de28e4948695b00858e6e8a83d79f84bb2621e53400450aab53c11dcfd8f6b004ab0baafc145d74acbae0ca491ae3a4a6fdb1ddceea3302dd
SSDEEP

98304:+R0pI/IQlUoMPdmpSpx4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmS5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4232	aoptiloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot7F\\aoptiloc.exe"	NEAS.f5d9228029de41fa5f0b6a0849e43fe0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZQ6\\bodxec.exe"	NEAS.f5d9228029de41fa5f0b6a0849e43fe0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2228	NEAS.f5d9228029de41fa5f0b6a0849e43fe0.exe
2228	NEAS.f5d9228029de41fa5f0b6a0849e43fe0.exe
2228	NEAS.f5d9228029de41fa5f0b6a0849e43fe0.exe
2228	NEAS.f5d9228029de41fa5f0b6a0849e43fe0.exe
4232	aoptiloc.exe
4232	aoptiloc.exe
2228	NEAS.f5d9228029de41fa5f0b6a0849e43fe0.exe
2228	NEAS.f5d9228029de41fa5f0b6a0849e43fe0.exe
2228	NEAS.f5d9228029de41fa5f0b6a0849e43fe0.exe
2228	NEAS.f5d9228029de41fa5f0b6a0849e43fe0.exe
4232	aoptiloc.exe
4232	aoptiloc.exe
2228	NEAS.f5d9228029de41fa5f0b6a0849e43fe0.exe
2228	NEAS.f5d9228029de41fa5f0b6a0849e43fe0.exe
4232	aoptiloc.exe
4232	aoptiloc.exe
2228	NEAS.f5d9228029de41fa5f0b6a0849e43fe0.exe
2228	NEAS.f5d9228029de41fa5f0b6a0849e43fe0.exe
4232	aoptiloc.exe
4232	aoptiloc.exe
2228	NEAS.f5d9228029de41fa5f0b6a0849e43fe0.exe
2228	NEAS.f5d9228029de41fa5f0b6a0849e43fe0.exe
4232	aoptiloc.exe
4232	aoptiloc.exe
2228	NEAS.f5d9228029de41fa5f0b6a0849e43fe0.exe
2228	NEAS.f5d9228029de41fa5f0b6a0849e43fe0.exe
4232	aoptiloc.exe
4232	aoptiloc.exe
2228	NEAS.f5d9228029de41fa5f0b6a0849e43fe0.exe
2228	NEAS.f5d9228029de41fa5f0b6a0849e43fe0.exe
4232	aoptiloc.exe
4232	aoptiloc.exe
2228	NEAS.f5d9228029de41fa5f0b6a0849e43fe0.exe
2228	NEAS.f5d9228029de41fa5f0b6a0849e43fe0.exe
4232	aoptiloc.exe
4232	aoptiloc.exe
2228	NEAS.f5d9228029de41fa5f0b6a0849e43fe0.exe
2228	NEAS.f5d9228029de41fa5f0b6a0849e43fe0.exe
4232	aoptiloc.exe
4232	aoptiloc.exe
2228	NEAS.f5d9228029de41fa5f0b6a0849e43fe0.exe
2228	NEAS.f5d9228029de41fa5f0b6a0849e43fe0.exe
4232	aoptiloc.exe
4232	aoptiloc.exe
2228	NEAS.f5d9228029de41fa5f0b6a0849e43fe0.exe
2228	NEAS.f5d9228029de41fa5f0b6a0849e43fe0.exe
4232	aoptiloc.exe
4232	aoptiloc.exe
2228	NEAS.f5d9228029de41fa5f0b6a0849e43fe0.exe
2228	NEAS.f5d9228029de41fa5f0b6a0849e43fe0.exe
4232	aoptiloc.exe
4232	aoptiloc.exe
2228	NEAS.f5d9228029de41fa5f0b6a0849e43fe0.exe
2228	NEAS.f5d9228029de41fa5f0b6a0849e43fe0.exe
4232	aoptiloc.exe
4232	aoptiloc.exe
2228	NEAS.f5d9228029de41fa5f0b6a0849e43fe0.exe
2228	NEAS.f5d9228029de41fa5f0b6a0849e43fe0.exe
4232	aoptiloc.exe
4232	aoptiloc.exe
2228	NEAS.f5d9228029de41fa5f0b6a0849e43fe0.exe
2228	NEAS.f5d9228029de41fa5f0b6a0849e43fe0.exe
4232	aoptiloc.exe
4232	aoptiloc.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 4232	2228	NEAS.f5d9228029de41fa5f0b6a0849e43fe0.exe	93
PID 2228 wrote to memory of 4232	2228	NEAS.f5d9228029de41fa5f0b6a0849e43fe0.exe	93
PID 2228 wrote to memory of 4232	2228	NEAS.f5d9228029de41fa5f0b6a0849e43fe0.exe	93

C:\Users\Admin\AppData\Local\Temp\NEAS.f5d9228029de41fa5f0b6a0849e43fe0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.f5d9228029de41fa5f0b6a0849e43fe0.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2228
- C:\UserDot7F\aoptiloc.exe
  C:\UserDot7F\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZQ6\bodxec.exe

Filesize
4.1MB

MD5
3a158d6b638c62f30d8bc9bd5e65e9ae

SHA1
5fd6f21f119ae0a6b788b9d117f31608bb3173c4

SHA256
e287fe2c3c2a83b359db8f2b801bcac9e008e81a41e2bb365ea1c17a25e83cb8

SHA512
186bc4089b5b86129510d66b03e764691b8562c2f164f1ca157334975dbf619acd17d041aa5c0dda08b324c3853bda418515e9c5bd8068d7c182b621dc594977

Download Submit
C:\UserDot7F\aoptiloc.exe

Filesize
4.1MB

MD5
0cf4c6f38df203d103344c5a5f435009

SHA1
b2e4af52cd83ff8245ebd7f5a5b38ad7994796e2

SHA256
d343003454f93283a3a22edda343ee89d159448f3129871d3cdd7c592c8fa2f2

SHA512
cf85afd22bd9af4b20e02c68d2eef4c431c4ea660e62c0311fb26ed8a2c7e9c6d471b111db6c7a0e7ed516eb0c49c5abc6384407295c99cd1fd738792cee6809

Download Submit
C:\UserDot7F\aoptiloc.exe

Filesize
4.1MB

MD5
0cf4c6f38df203d103344c5a5f435009

SHA1
b2e4af52cd83ff8245ebd7f5a5b38ad7994796e2

SHA256
d343003454f93283a3a22edda343ee89d159448f3129871d3cdd7c592c8fa2f2

SHA512
cf85afd22bd9af4b20e02c68d2eef4c431c4ea660e62c0311fb26ed8a2c7e9c6d471b111db6c7a0e7ed516eb0c49c5abc6384407295c99cd1fd738792cee6809

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
6fb6862e788d69649ab2c3eebb8ec7c4

SHA1
3ad541935aa0bb192af6bd837a5a6ccd3b316911

SHA256
2a5b94400cd98bc3988da62787abd37522377565ff1c1f6cea7cfa570069e1cb

SHA512
24ee2d22aa0b0ab1db33f0f230b2200d9f524845d5f5c8de6e7434bd606b5a8fb9208873c125aea547f8b3650f512625519b8d238bbc14f8a7c0b7e7943cca51

Download Submit