Analysis
-
max time kernel
48s -
max time network
50s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
23/02/2024, 12:12
Static task
static1
Behavioral task
behavioral1
Sample
Optimizer-16.4.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Optimizer-16.4.exe
Resource
win10v2004-20240221-en
General
-
Target
Optimizer-16.4.exe
-
Size
2.3MB
-
MD5
9352623ba2fee1206079ce3d81bf0132
-
SHA1
9c398c2d975d82ba1e46f3bcc0e6298a2b713b8d
-
SHA256
f4775567ca9941b4fb3224d97b0741ae669eedfcb0d8b3c71106b21bdb1aee28
-
SHA512
a38cef70819524a3ba8d7583b763da3fac71a9b67e832165f14f60568f7a2a07f67418bb7f7a544b32aa3d76a4fa9a6b142a3998cf362a116171ed4fae05187e
-
SSDEEP
24576:QqsJmQYTZZ4GKTnbv7DO9JvvEC8ZJC3Bjk38WuBcAbwoA/BkjSHXP36RMG:QMH4VTnbv7uEC8Zw3CSA/Bkj0
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" Optimizer-16.4.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 2 raw.githubusercontent.com 3 raw.githubusercontent.com -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 3068 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Control Panel 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\Desktop\WaitToKillAppTimeout = "2000" Optimizer-16.4.exe Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\Desktop\LowLevelHooksTimeout = "1000" Optimizer-16.4.exe Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\Desktop\MenuShowDelay = "0" Optimizer-16.4.exe Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\Mouse\MouseHoverTime = "0" Optimizer-16.4.exe Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\Desktop\AutoEndTasks = "1" Optimizer-16.4.exe Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\Desktop\HungAppTimeout = "1000" Optimizer-16.4.exe -
Modifies registry class 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\Move To Optimizer-16.4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\Move To\ = "{C2FBB631-2971-11D1-A18C-00C04FD75D13}" Optimizer-16.4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\Copy To Optimizer-16.4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\Copy To\ = "{C2FBB630-2971-11D1-A18C-00C04FD75D13}" Optimizer-16.4.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 Optimizer-16.4.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde Optimizer-16.4.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2184 Optimizer-16.4.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2184 wrote to memory of 2924 2184 Optimizer-16.4.exe 29 PID 2184 wrote to memory of 2924 2184 Optimizer-16.4.exe 29 PID 2184 wrote to memory of 2924 2184 Optimizer-16.4.exe 29 PID 2924 wrote to memory of 3068 2924 cmd.exe 31 PID 2924 wrote to memory of 3068 2924 cmd.exe 31 PID 2924 wrote to memory of 3068 2924 cmd.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe"C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe"1⤵
- Modifies visibility of file extensions in Explorer
- Modifies Control Panel
- Modifies registry class
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config "RemoteRegistry" start= disabled2⤵
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\system32\sc.exesc config "RemoteRegistry" start= disabled3⤵
- Launches sc.exe
PID:3068
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD56b67d4971607b5050f86886ce9eeac6e
SHA111e812da278994cef6c50171c7494379dd34057a
SHA2561cf9b8c1ab1a3f3b0535e9176b3434793364ad4cd5a40175e390184f1fe5f60c
SHA5126b63200bb2773792c652496a6a1899ad6b58450a467b62294aef699cd2b3e75aa780012e6eb6bfafb62ab3aeeca2dc2084557718b52037852cf91a5ff388bb4c
-
Filesize
297B
MD5bb04e9af50309df0fdff67ea9cc5027c
SHA1ed67ba3c74f7661f7aa8540b7f0c2049f3ef937b
SHA256e1adfc78d8c11e74b5c7f001fa6b1b85b65ecdede8dd1bc79296e389e1e23506
SHA512a055305978fadffbd4595dfbc3f328669df064c01d6621af0c1421e8e29f5a23a279820fe39eec56c52dcfa2f7a5205cd54cec5d05c75f77c9fc6bd90b647eeb