Analysis
-
max time kernel
84s -
max time network
90s -
platform
windows10-2004_x64 -
resource
win10v2004-20231025-en -
resource tags
-
submitted
16-11-2023 14:15
General
-
Target
https://github.com/hellzerg/optimizer/releases
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Control Panel 6 IoCs
-
Modifies registry class 4 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 43 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/hellzerg/optimizer/releases1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb410c46f8,0x7ffb410c4708,0x7ffb410c47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,18165999083184515085,8517000063017268216,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2232,18165999083184515085,8517000063017268216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2460 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2232,18165999083184515085,8517000063017268216,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2424 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,18165999083184515085,8517000063017268216,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,18165999083184515085,8517000063017268216,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,18165999083184515085,8517000063017268216,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5624 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,18165999083184515085,8517000063017268216,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5624 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2232,18165999083184515085,8517000063017268216,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4748 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,18165999083184515085,8517000063017268216,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2232,18165999083184515085,8517000063017268216,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5720 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,18165999083184515085,8517000063017268216,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,18165999083184515085,8517000063017268216,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,18165999083184515085,8517000063017268216,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,18165999083184515085,8517000063017268216,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2232,18165999083184515085,8517000063017268216,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6092 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\Optimizer-16.2.exe"C:\Users\Admin\Downloads\Optimizer-16.2.exe"2⤵
- Modifies visibility of file extensions in Explorer
- Checks computer location settings
- Executes dropped EXE
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config "RemoteRegistry" start= disabled3⤵
-
C:\Windows\system32\sc.exesc config "RemoteRegistry" start= disabled4⤵
- Launches sc.exe
-
-
-
-
C:\Users\Admin\Downloads\Optimizer-16.2.exe"C:\Users\Admin\Downloads\Optimizer-16.2.exe"2⤵
- Executes dropped EXE
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD52c8737fcde5bbb285ec715fa1094a455
SHA11421b21d6c019729698106d849d49bf382f1fe6f
SHA256808c2d995be006ad2cde265d20391bbda6224ceceab6655ecc3ecbdce6e4f023
SHA5126fc08a77f182d94018cb913b02268e58edc495cff2504ba36b7e8e24a96af21c9fd5224eb8736dfd5caa65c49c21339b3bb7db51407faaccc3aed8f1aedcfb52
-
Filesize
292B
MD5748c4089f531fb9f15ae09b51f51e9e2
SHA149226142c3e14b91fe6ce7aafddb4bfc44fae229
SHA25676465a512a417929736e968bde8291de37a416730ce46624e2b588a72bc15944
SHA51220a3a9ffe1a3c50d705624d8627ad4a1fb0492c896e29950dbf0b647e4710e89573b90470f74581822d49753a8ca40e6e74b536af3f2d52e982ad42a58e6142e
-
Filesize
859B
MD5e204f3d12abd1691ce1f149399441188
SHA1798042095539abfe857e456fca4e1035f67d29bf
SHA256685f70bf685f654651dcd0acc495b6f52f02f73cc3ca8b3d2c8433aac9ba144d
SHA512804c5ea57a59f86fd0c34479be4c479230bff79093548e8461758829928969da565c211ccc9cb9befa0fef15f0400a5b1f17d5ddf88aef6ff01b67a191176b9f
-
Filesize
11KB
MD5ab140ead99a4ec43505aa3df338f31bc
SHA19a4ce9c96113703cadee22773c9b9ead8181a527
SHA25689ff8a7fc7471ee187e00602f28e31557eb684ee9b2eb31106355054071985b9
SHA512d7d18c1b37e6d51bd0911e4331d9db4495234823c388b3afc87c13905ee4643569012095ae126b3c0f36734b9df4d9f22bee8fdd4507d90d55d5736a4dcb4b83
-
Filesize
152B
MD5aed593b08b94f34dd8f68fd369652ac2
SHA13ce2a17e426e09c2fd9a8d2ab191fe29248f2d95
SHA2565c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7
SHA51216b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137
-
Filesize
1KB
MD513a1db8d17284b87a82471d462fb2b3b
SHA180fab229b37e392a6e49a1d51968394a4d855a3c
SHA256692e70d7718cda0b572012fa73d2685c3d46cddb6c50d477d1f456a678298c8f
SHA5122c517153e21c31b46126edb07dd441200e4e44514665c10da13b86d4897b36053592d046e615ce72deaf1b22944213ed38ed223c7354877c6860946b181dd910
-
Filesize
111B
MD5807419ca9a4734feaf8d8563a003b048
SHA1a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
-
Filesize
496B
MD5400254bc74a940e106ef367c6d86b29d
SHA16868b379c43d1e7afb4f734922451768bb73b579
SHA256545504b1d8e2aa9643ef341737938d9dfb25c195040529a02024180e9c2ddbe1
SHA512aa5d1d47b172ee28efdbae8621446360b67a72d10a12e595a00123d66b95935aba054fe2018c676717799a5d0886802fdca4e5ca1fced462c143519e70a58bea
-
Filesize
5KB
MD53cf9ab935030bb00a8a47aed7ee3518a
SHA166634984f2b25e85b412386e6c90dcfb9a89950b
SHA2568d6a53d0c25d40035a46235af7bd36f2228f02a7c963bf42e2ab615e6cf44270
SHA51284c7ec68585d826527858c552c9612dee27b2360c4dbe090788fa099dd68af31fc401feed08be3bd4571f904fa049e66f30753ea7cfd1168d8066bf846b9c7be
-
Filesize
5KB
MD51693847cd52223585f635c1549e8e593
SHA1bd71bea125e68de33a5ef54d07969a06e46850b0
SHA25659122aad71cbb8d440727ead0b4c1f8e5b44a928a0cf23db338c25c1c3db6004
SHA5123dc34869c6c49929f958202c48be143480b59f66e1ee1631d5ba51cbc76eb36a61b4c69f746e47878655bb2a43d82fcef1dea5bd70e5a096d54ad55e65233b94
-
Filesize
5KB
MD5523440a9cda5d144d2a62d40f149d8fe
SHA1eaa44783a3903987bfdbd80cf9b33b2b20351aaa
SHA2560ab85115ca7e1addfddbfa52abe8d3c0e3a256e4f74929f214966b38c1b27b00
SHA5120fa10e716e3e3ac2ed8168ef8d11d6d64821c995249511bae296acdd2b4b033ec29d29e4bb1abf15672e649490ad011ee7c60482e12c7c9791340d4f1246af1a
-
Filesize
5KB
MD5903c382baacda892b23b51a45a3e6afe
SHA17bc6654b248392c88cf8f71aa7e888dd06637da4
SHA256d87b692c36afe5743f0c88dc8aad9eed10d0e7604a907bdd8a0c44911294d20a
SHA512a7089360f39121fca688cb751bc5ad3ad216671f02de664ac79e0aaa48d57b266b7714faf221f3690439e1d065cf2d8e2f09a7fdbafa25fec54d0e69a321ce91
-
Filesize
24KB
MD5e2565e589c9c038c551766400aefc665
SHA177893bb0d295c2737e31a3f539572367c946ab27
SHA256172017da29bce2bfe0c8b4577a9b8e7a97a0585fd85697f51261f39b28877e80
SHA5125a33ce3d048f2443c5d1aee3922693decc19c4d172aff0b059b31af3b56aa5e413902f9a9634e5ee874b046ae63a0531985b0361467b62e977dcff7fc9913c4d
-
Filesize
872B
MD5ab4be03df536c0c460be9e0dbaa82ced
SHA1ca9a70012203871d475eb3ba16c36346ee91adfd
SHA256891ed13b9ee99a866ad4d00b1b2d5ce2352c1242d92f05648ecc7dbe69f4691f
SHA512cb1d346e1347f0141fc3c12e623281b95cc0bd39a8489536c928c05484b43d393fef894e70b1662f4fdfdd8a7a50147c95abd1d9d474949d7a7bffa6a611c783
-
Filesize
872B
MD55d0f30992d888d7dd088e509c4d21331
SHA16e99f9554b4afdc7e1d0c180d21e51ac05f9b855
SHA2563421f6fba0644200197ee022ea162337f9875a70d23c831b57b4e7966d655346
SHA51240adb3efbac405e39517a50c0893e56fb4b814fa15aab6ecdc27a9936bd12e869f93fd19a71860f43e91b407114de831fb08de24b47eeef066bfe36148aeb077
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5fcfeec354f57ea9fd98764861802ac42
SHA1587656271d3fde9cfb0df2ecae3b0ee8667fbaf1
SHA256fa6a3ccd9bcdc6d5b1d512a2fdf3e5a938efd7d99368cc13371fad9a3de040a4
SHA512c84d119a7b0f29e2c4b2457a1627cadfd2eb10addfbbc860f60a336e2b5c56c06cf40282c1e690a0ccf600c0c168abe754c82b7aae76247e6d9a81039ee194bd
-
Filesize
10KB
MD5c08031720ab0827fd24179833e5543a7
SHA13b7bb72a51c638af460abda522f77f099c664d2b
SHA256542ee280dd569947e4aaf895723fa99812c9e12094c6f167fec4183352438c99
SHA512d7a5ecb2d993de4551e47d4c869cad0b76f656b7a5558423074c7a25b6edf4efa3632c2587aeb73a14efcd9b6d0679a7c9474df65b49dbd15aa37ca9cc214204
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2.3MB
MD5a806a06bb01fd05fe4b684926eced231
SHA16f847968172f872e847bf782a9b7e320b4f42c1f
SHA256d97a8782b1563f7c7ca71b9094f90c1737e8a04119501196e5c7ea7f30857393
SHA512da773db62f89a504adb23d1627d7447d348c10edaabff396169bb48609ddfc4d7d007ecec515949a2f0e0d6a1c7fc43b0d1915618d6ad6aa3b2168cf38d47052
-
Filesize
2.3MB
MD5a806a06bb01fd05fe4b684926eced231
SHA16f847968172f872e847bf782a9b7e320b4f42c1f
SHA256d97a8782b1563f7c7ca71b9094f90c1737e8a04119501196e5c7ea7f30857393
SHA512da773db62f89a504adb23d1627d7447d348c10edaabff396169bb48609ddfc4d7d007ecec515949a2f0e0d6a1c7fc43b0d1915618d6ad6aa3b2168cf38d47052
-
Filesize
2.3MB
MD5a806a06bb01fd05fe4b684926eced231
SHA16f847968172f872e847bf782a9b7e320b4f42c1f
SHA256d97a8782b1563f7c7ca71b9094f90c1737e8a04119501196e5c7ea7f30857393
SHA512da773db62f89a504adb23d1627d7447d348c10edaabff396169bb48609ddfc4d7d007ecec515949a2f0e0d6a1c7fc43b0d1915618d6ad6aa3b2168cf38d47052
-
Filesize
2.3MB
MD5a806a06bb01fd05fe4b684926eced231
SHA16f847968172f872e847bf782a9b7e320b4f42c1f
SHA256d97a8782b1563f7c7ca71b9094f90c1737e8a04119501196e5c7ea7f30857393
SHA512da773db62f89a504adb23d1627d7447d348c10edaabff396169bb48609ddfc4d7d007ecec515949a2f0e0d6a1c7fc43b0d1915618d6ad6aa3b2168cf38d47052
-
Filesize
712KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
2.3MB
-
Filesize
88KB
-
Filesize
40KB
-
Filesize
152KB
-
Filesize
100KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
120KB
-
Filesize
136KB
-
Filesize
472KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
712KB
-
Filesize
10.8MB
-
Filesize
10.8MB