ba1e8ef96683117199bf2719352ba88161fc0f2105165340599f1d2a52a390a7

General

Target

456844b2101210da7476e2e51e8d2998.exe
Size

4.0MB
MD5

456844b2101210da7476e2e51e8d2998
SHA1

95802ce9f817333974c81b506324ee4e02ce07b3
SHA256

ba1e8ef96683117199bf2719352ba88161fc0f2105165340599f1d2a52a390a7
SHA512

244646020e5e67432fcd4f967def1a2732149a6008bc3613fd60af8ab12b78399236a4fd3db9145dff1d00b50e39c98adca97eb7a5f22d8e86e201aaf67eec20
SSDEEP

98304:PJzytbQjlRePmeeekWG3MBW4pOF+Fo58jWaCj:4QR+DPjW4nI8jWZj

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4560	RegistryOptimizer.exe
2452	RegistryOptimizer.tmp
1344	OptProStart.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1344-67-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral2/files/0x000600000002322d-66.dat	upx
behavioral2/files/0x000600000002322d-65.dat	upx
behavioral2/memory/1344-72-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral2/memory/1344-74-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral2/memory/1344-73-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral2/memory/1344-75-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral2/memory/1344-76-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral2/memory/1344-77-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral2/memory/1344-78-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral2/memory/1344-79-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral2/memory/1344-80-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral2/memory/1344-81-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral2/memory/1344-82-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral2/memory/1344-83-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral2/memory/1344-84-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral2/memory/1344-85-0x0000000000400000-0x0000000000481000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Optimizer Pro = "C:\\Program Files (x86)\\Optimizer Pro\\OptProLauncher.exe"	RegistryOptimizer.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Optimizer Pro\is-HCGFE.tmp	RegistryOptimizer.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-4MIBF.tmp	RegistryOptimizer.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-IMB8C.tmp	RegistryOptimizer.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-82F9V.tmp	RegistryOptimizer.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-NNCFF.tmp	RegistryOptimizer.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-84SGI.tmp	RegistryOptimizer.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-1OQCH.tmp	RegistryOptimizer.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-G4AKK.tmp	RegistryOptimizer.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-IKQTA.tmp	RegistryOptimizer.tmp
File created	C:\Program Files (x86)\Optimizer Pro\unins000.dat	RegistryOptimizer.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-LCPQ0.tmp	RegistryOptimizer.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-0BIKF.tmp	RegistryOptimizer.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-U1QAB.tmp	RegistryOptimizer.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-DNO55.tmp	RegistryOptimizer.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-BR6H3.tmp	RegistryOptimizer.tmp
File created	C:\Program Files (x86)\Optimizer Pro\is-TAR9J.tmp	RegistryOptimizer.tmp
File opened for modification	C:\Program Files (x86)\Optimizer Pro\unins000.dat	RegistryOptimizer.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2452	RegistryOptimizer.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 412 wrote to memory of 4560	412	456844b2101210da7476e2e51e8d2998.exe	85
PID 412 wrote to memory of 4560	412	456844b2101210da7476e2e51e8d2998.exe	85
PID 412 wrote to memory of 4560	412	456844b2101210da7476e2e51e8d2998.exe	85
PID 4560 wrote to memory of 2452	4560	RegistryOptimizer.exe	86
PID 4560 wrote to memory of 2452	4560	RegistryOptimizer.exe	86
PID 4560 wrote to memory of 2452	4560	RegistryOptimizer.exe	86
PID 2452 wrote to memory of 1344	2452	RegistryOptimizer.tmp	92
PID 2452 wrote to memory of 1344	2452	RegistryOptimizer.tmp	92
PID 2452 wrote to memory of 1344	2452	RegistryOptimizer.tmp	92

C:\Users\Admin\AppData\Local\Temp\456844b2101210da7476e2e51e8d2998.exe
"C:\Users\Admin\AppData\Local\Temp\456844b2101210da7476e2e51e8d2998.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:412
- C:\Windows\Temp\RegistryOptimizer.exe
  /VERYSILENT
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Users\Admin\AppData\Local\Temp\is-A33SP.tmp\RegistryOptimizer.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-A33SP.tmp\RegistryOptimizer.tmp" /SL5="$501DE,3734389,54272,C:\Windows\Temp\RegistryOptimizer.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Program Files (x86)\Optimizer Pro\OptProStart.exe
      "C:\Program Files (x86)\Optimizer Pro\OptProStart.exe"
      4⤵
      Executes dropped EXE
      PID:1344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Optimizer Pro\OptProStart.exe

Filesize
171KB

MD5
f88080099181c4c257cb4fbaebc7b6fa

SHA1
6d642cfd8b18795f20bfaf5db8513610461fdf84

SHA256
d1b1bf623774567e0e892a2a707150098524066c2d523f149fa722ee644f69f6

SHA512
3be2c1a772f9c64b2eb340e13bd2f2ab0499716b13b6652e207892af81db962cfe9274a2607adff4b23ff02975d981fb54f5ee1a75267efe83e4ea38176b6ad6

Download Submit
C:\Program Files (x86)\Optimizer Pro\OptProStart.exe

Filesize
123KB

MD5
60566afb3daa7d9d8db0b08b648733ed

SHA1
14dc1b3c61a0fa6b4f0c2f0e67b3021ec55cda81

SHA256
cad7ac9cd0ec7d40f3dc893755598567c8d132bc825d1b947b578c5a865624dd

SHA512
df8b07231b07ad1df1a8f8b7013ee4d19bac7397a22e7e0023760c7d874f468d67b35a7a386e6dd43064836952e992f4f417cbfbb395e0142fc7bfaa11f1c1bf

Download Submit
C:\Program Files (x86)\Optimizer Pro\OptimizerPro.exe

Filesize
293KB

MD5
140318efc54a9d117b7fa6d27288cafa

SHA1
93125c113f06965731a3962a17a2451443ce1a0f

SHA256
b5ff69e462e7c48a9860963abb950f13245e9fcb8c0aa195bc4fa3788662d4a1

SHA512
a1363a001749165656507ab21d7e0968022826e4810e3d6bad956394b66b5b2048704e826cb2591df17f7346c1bb32988f695dc63a63792dbfa9360753091e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-A33SP.tmp\RegistryOptimizer.tmp

Filesize
70KB

MD5
bfb102990bc75efdfb64588fbb0b789d

SHA1
ea5a2a4f70342c0b5274a0b5c924213be2d1e5d9

SHA256
e27875fd6592d2d86aeef9341195f465b11265f2b402ed0bf9fb32a8480a49cb

SHA512
e40c4efcc18cb5f198a51e3c589dbf1817bc2970694c47e5a5f08262df15b07f9818a4cdb4ec342ae6a49be2c2919d835f2de0b507bb5772dcb55692efd66f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-A33SP.tmp\RegistryOptimizer.tmp

Filesize
66KB

MD5
a389128dfa1c71d8f6957425fee241cf

SHA1
76155c1a119817b2da49526dfb1a9cf46005400c

SHA256
b8c4eb02346a459ce866963591cb17de6461048e135138c2d7035bfda52a62a4

SHA512
63607a556231aa2024d5d697beb84923d22ef9a957f12dcb609922f84e9bc65743d604870ecc071f41e3dda78aed03da84267c732c5677fe2cb9adda01f65d08

Download Submit
C:\Windows\Temp\RegistryOptimizer.exe

Filesize
130KB

MD5
ca0c98558263208bf5b26d4a3607514b

SHA1
b92d79f451f29a12e25d4343e6c542ef3aaf1a81

SHA256
28b80d4d3df378780d5ced3f006b282336eb05a7c0722c3bf76c8ce0f8e52a87

SHA512
dbdc2b72b31dd8956a3d8e31b8d3fd3f2fff25a8150f97ed33867d67621106b8e588a9aa64877c659ed1c2fcf79964b2e347cfc18b3e9da1624cf575b85a4f1c

Download Submit
C:\Windows\Temp\RegistryOptimizer.exe

Filesize
105KB

MD5
1e7ed61ab7ba95e740318d1803881aa4

SHA1
549879858ef862805a18db4b44e55473e25f6b75

SHA256
e608ccb2bdd944e3813cde88db015ceef5d004edb027c8ed32c693883a76edd8

SHA512
d70e04792cd62858a1111b12301279d913f15eaf0a68dc6a4002f6753339cf93bb408d350d34173fcff48ad6aba83fc1ae3392ef353b9ae640c419114f5e03f6

Download Submit
memory/412-71-0x0000000000400000-0x00000000007FF000-memory.dmp

Filesize
4.0MB

Download
memory/1344-78-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1344-81-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1344-67-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1344-70-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/1344-85-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1344-74-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1344-84-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1344-83-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1344-72-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1344-73-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1344-75-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1344-76-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1344-77-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1344-82-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1344-79-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1344-80-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2452-11-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/2452-68-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/4560-69-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4560-4-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4560-6-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads