ba1e8ef96683117199bf2719352ba88161fc0f2105165340599f1d2a52a390a7

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
06/01/2024, 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

456844b2101210da7476e2e51e8d2998.exe
Size

4.0MB
MD5

456844b2101210da7476e2e51e8d2998
SHA1

95802ce9f817333974c81b506324ee4e02ce07b3
SHA256

ba1e8ef96683117199bf2719352ba88161fc0f2105165340599f1d2a52a390a7
SHA512

244646020e5e67432fcd4f967def1a2732149a6008bc3613fd60af8ab12b78399236a4fd3db9145dff1d00b50e39c98adca97eb7a5f22d8e86e201aaf67eec20
SSDEEP

98304:PJzytbQjlRePmeeekWG3MBW4pOF+Fo58jWaCj:4QR+DPjW4nI8jWZj

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2552	RegistryOptimizer.exe
2284	RegistryOptimizer.tmp
2548	OptProStart.exe

Loads dropped DLL 9 IoCs

pid	Process
2536	456844b2101210da7476e2e51e8d2998.exe
2552	RegistryOptimizer.exe
2284	RegistryOptimizer.tmp
2284	RegistryOptimizer.tmp
2284	RegistryOptimizer.tmp
2284	RegistryOptimizer.tmp
2284	RegistryOptimizer.tmp
2284	RegistryOptimizer.tmp
2284	RegistryOptimizer.tmp

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2548-84-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/files/0x0006000000016cf6-83.dat	upx
behavioral1/memory/2284-81-0x0000000003A60000-0x0000000003AE1000-memory.dmp	upx
behavioral1/files/0x0006000000016cf6-76.dat	upx
behavioral1/files/0x0006000000016cf6-74.dat	upx
behavioral1/files/0x0006000000016cf6-72.dat	upx
behavioral1/memory/2548-88-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2548-91-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2548-89-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2548-92-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2548-93-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2548-94-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2548-95-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2548-96-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2548-97-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2548-98-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2548-99-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2548-100-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2548-101-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2548-102-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral1/memory/2548-103-0x0000000000400000-0x0000000000481000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Optimizer Pro = "C:\\Program Files (x86)\\Optimizer Pro\\OptProLauncher.exe"	RegistryOptimizer.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Optimizer Pro\unins000.dat	RegistryOptimizer.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-CDQOS.tmp	RegistryOptimizer.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-H037F.tmp	RegistryOptimizer.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-DH3VM.tmp	RegistryOptimizer.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\unins000.dat	RegistryOptimizer.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-70PKL.tmp	RegistryOptimizer.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-8EBID.tmp	RegistryOptimizer.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-955R5.tmp	RegistryOptimizer.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-J0PIJ.tmp	RegistryOptimizer.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-Q4S60.tmp	RegistryOptimizer.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-JBM18.tmp	RegistryOptimizer.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-H65JR.tmp	RegistryOptimizer.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-FPRJU.tmp	RegistryOptimizer.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-LTF2O.tmp	RegistryOptimizer.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-GEUSF.tmp	RegistryOptimizer.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-VV7P1.tmp	RegistryOptimizer.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-2LJTE.tmp	RegistryOptimizer.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2284	RegistryOptimizer.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2552	2536	456844b2101210da7476e2e51e8d2998.exe	28
PID 2536 wrote to memory of 2552	2536	456844b2101210da7476e2e51e8d2998.exe	28
PID 2536 wrote to memory of 2552	2536	456844b2101210da7476e2e51e8d2998.exe	28
PID 2536 wrote to memory of 2552	2536	456844b2101210da7476e2e51e8d2998.exe	28
PID 2552 wrote to memory of 2284	2552	RegistryOptimizer.exe	29
PID 2552 wrote to memory of 2284	2552	RegistryOptimizer.exe	29
PID 2552 wrote to memory of 2284	2552	RegistryOptimizer.exe	29
PID 2552 wrote to memory of 2284	2552	RegistryOptimizer.exe	29
PID 2552 wrote to memory of 2284	2552	RegistryOptimizer.exe	29
PID 2552 wrote to memory of 2284	2552	RegistryOptimizer.exe	29
PID 2552 wrote to memory of 2284	2552	RegistryOptimizer.exe	29
PID 2284 wrote to memory of 2548	2284	RegistryOptimizer.tmp	31
PID 2284 wrote to memory of 2548	2284	RegistryOptimizer.tmp	31
PID 2284 wrote to memory of 2548	2284	RegistryOptimizer.tmp	31
PID 2284 wrote to memory of 2548	2284	RegistryOptimizer.tmp	31

C:\Users\Admin\AppData\Local\Temp\456844b2101210da7476e2e51e8d2998.exe
"C:\Users\Admin\AppData\Local\Temp\456844b2101210da7476e2e51e8d2998.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\Temp\RegistryOptimizer.exe
  /VERYSILENT
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Users\Admin\AppData\Local\Temp\is-KSTMQ.tmp\RegistryOptimizer.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-KSTMQ.tmp\RegistryOptimizer.tmp" /SL5="$30120,3734389,54272,C:\Windows\Temp\RegistryOptimizer.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Program Files (x86)\Optimizer Pro\OptProStart.exe
      "C:\Program Files (x86)\Optimizer Pro\OptProStart.exe"
      4⤵
      Executes dropped EXE
      PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Optimizer Pro\OptProStart.exe

Filesize
72KB

MD5
5637376b14490bb2d2c24b99d0c4c6e8

SHA1
dbc71d31bdb9a80ce8932327fd6a773b78f4cc9e

SHA256
0854d1caa37ec0926a2f38cec7cf7196b86f82409da17ca672c93c87c35fe3f3

SHA512
1c6c1ad426ccce58d883c38fb05ce0ac35f6acfdb5da6edc35f162c475be5e908abc87272597eb93e5974c87833f7823951344637d339051c9d418ec7c98b47f

Download Submit
C:\Program Files (x86)\Optimizer Pro\OptProStart.exe

Filesize
125KB

MD5
093c0782b40fca1bda55e08da2176722

SHA1
3477d220576ab7bc131083559227d3d93bc14d31

SHA256
87f1fc551e1c0b2e86bc01f18eb7c3407e6ddea6de587ed3189f17b6fdf6985f

SHA512
af0a3e655cdc918bb703211a023b95fec297d4d57d891fa399672bd0d456b522552a96c2c3acffaf16c0dd748262ac8fa8062ce1c656f31f0fe287e7369d8a9e

Download Submit
C:\Program Files (x86)\Optimizer Pro\OptimizerPro.exe

Filesize
76KB

MD5
613e10441ab74471cc3743fe7e9efe8c

SHA1
3204648fc7cc7d11a611546f098cc1c8f65c0bf3

SHA256
064133c48597afb6b3a940ea0acac39d6f3c7382a0da6c9eb31e2439c48afe5a

SHA512
fef596abea7b96556240d8bf5246c12c27cedf8232f157a209b97dd59c12bfa1b353dd48177173a507e81fdce30020b19efd8dbc1c8242149c27265212346fb0

Download Submit
C:\Windows\Temp\RegistryOptimizer.exe

Filesize
820KB

MD5
374a8e7a551c25effd48a60a274d912a

SHA1
e7ee8fefb250e43e94d53bf422914387cc6f5f18

SHA256
1912606c353dadbc68f08070849742c332a90f481fd44b443a57d8e095f0498f

SHA512
84f7d4677aafc42a122435ba387559fc244b0976861338cff84acf4ffe115b30c6517d06810aac55ed1724c247b0d742407612cba05931b3d1d4e86a8e2260d6

Download Submit
C:\Windows\Temp\RegistryOptimizer.exe

Filesize
791KB

MD5
36a31b59fbba3a3aa158841c503c76a5

SHA1
eeae93b87b2f9876c44f1ee1bacb754b11345f4f

SHA256
4e5893c94bdab067f798d059a131a57222427dcd1d2793a3a2fecc05f706857c

SHA512
4f7798a82d970e3d75fb39a811bfc5a51bd5583178a7be64bf58561602ceb2ac677c38b903cc821999fb3f146f71b995fe0d0b8651498a785bba0bb86b392a56

Download Submit
\Program Files (x86)\Optimizer Pro\OptProStart.exe

Filesize
123KB

MD5
17ae0f87108cf3b145ee967bbf370eb8

SHA1
01a8d92355f51f542c43197da498df4906456a8b

SHA256
c952eaa4800c6b85a99225fbf05977116f9793d43e8e409ebd0b37e7ce173b2d

SHA512
1ca169d758715b8360b870631e994a3f0e56cfe705840908f275cbc075b217b26a6971b03e895e3d7851d3ca5cddc6044a65e4061297ccf5f92dc96ac7b0749c

Download Submit
\Program Files (x86)\Optimizer Pro\OptProStart.exe

Filesize
99KB

MD5
6cd2c00f2cd2ce41c525e8c2cc755c79

SHA1
9e2b4d2dd97b20f5a616eec1d6a1e3e12ecf1bc5

SHA256
8169b2dbb535b6ea95a9070865ca8b32485f50676480ef4951846818cca36fc1

SHA512
3a101a3967b27cc8ac453d5c27d06cf15a1bd7bef0f907f673fb6b63551cc0f82c78e7012fee16ffe17439c92b13ccff40e9f8a77d22beeb068df0676338d310

Download Submit
\Program Files (x86)\Optimizer Pro\OptimizerPro.exe

Filesize
117KB

MD5
2aefb3dc1159de2cf350656e86111b2a

SHA1
73d69f10f956635b781161b7d67e1c57868148b5

SHA256
4798e7e2052a36060684587aee1797c42b87550ecac10555940f350317db6ac3

SHA512
c3f8dc1f2e5f8c351194c03da38254d19f4a45020fe5762555b666b9930356533a39c7b1db63262ba06aa43a4dbc1138bcc68b936f96e6d03548c06ec3e826f0

Download Submit
\Program Files (x86)\Optimizer Pro\OptimizerPro.exe

Filesize
53KB

MD5
427bc7012874a12566cdd70e7d54a7b2

SHA1
90d41d64b335099251e4e7903b87d06fd652acb9

SHA256
de23ece88ed98f4dfb17bf4f1f2dd31347cc0828f7bbe8be496573ea218e3185

SHA512
86399741bc4c592b3512e3fd328c1e42381a29d1f034ad07f29100c688c6442f34d59ff4040dcd8011dc9eb38922288c96f3f361c9fa227a17d06d6a9d9bf422

Download Submit
\Program Files (x86)\Optimizer Pro\unins000.exe

Filesize
158KB

MD5
f97e249ba36979afdac08b186c566797

SHA1
bc7fea0df17bec54cfa47b6ca54e8b98009e9b07

SHA256
cf26827a46f82a02240cefd84b6618a1f766acf0153b0e7e6a5a3a83be48b558

SHA512
0d83af4d014152953c518a7cb4d6dfef5aed8e39162fb218a8f26092cb7b656fb04aaffcdc04f6486104156d15f6c1b6e1d19eb7d7858b818fa6982fe4d67aae

Download Submit
\Users\Admin\AppData\Local\Temp\is-2BDQ7.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-KSTMQ.tmp\RegistryOptimizer.tmp

Filesize
680KB

MD5
ed69e64731547eba52476a2d2a2f7882

SHA1
cbcd56bbb5230d11a01f18e9bf59f97802bb475b

SHA256
427fa988a8a8c63393693ffeb61ddec195f000220ee55fd5112ec91682e933b0

SHA512
04202de8dafb4c8964230d94eb44ad8ffd1d138b24f445aa3d707f4d9a9e9520d3d6f80cb0731ab9ebb7143011fe0d856d7e262d9672272876958d5e8ad55afe

Download Submit
\Windows\Temp\RegistryOptimizer.exe

Filesize
925KB

MD5
2ed86328e1cb97e6456a28c4af94bc20

SHA1
7b87f1d310df713a06e04915fa76ceeae7e411bb

SHA256
13e1093df86b15ad12fa03b2a6761c331828fae7faf5330b67c4a30fa9600d72

SHA512
ec55e5c89b306472a72bbb54145e210c40a60e929a15a2516d2240faa6b2bbccf79c32ec73f04bf7deda51cb033f71f6c5abe6ef03c31a4759c07c727f91c514

Download Submit
memory/2284-81-0x0000000003A60000-0x0000000003AE1000-memory.dmp

Filesize
516KB

Download
memory/2284-63-0x0000000002060000-0x0000000002070000-memory.dmp

Filesize
64KB

Download
memory/2284-82-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2284-90-0x0000000003A60000-0x0000000003AE1000-memory.dmp

Filesize
516KB

Download
memory/2284-15-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2284-57-0x0000000002060000-0x0000000002070000-memory.dmp

Filesize
64KB

Download
memory/2536-87-0x0000000000400000-0x00000000007FF000-memory.dmp

Filesize
4.0MB

Download
memory/2548-91-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2548-97-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2548-85-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2548-103-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2548-88-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2548-102-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2548-84-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2548-89-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2548-92-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2548-93-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2548-94-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2548-95-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2548-96-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2548-101-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2548-98-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2548-99-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2548-100-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2552-8-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2552-86-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2552-5-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads