eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48

Analysis

max time kernel
152s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2024, 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
Size

4.1MB
MD5

25b41cd2c03b1c669aa06c5f7eed17c9
SHA1

32fd257b0d3c8efc7b2f2448e2b0516aa1edb3d5
SHA256

eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48
SHA512

f3cf051644ca2d99a1253c06482b69288083d9e994d20b61df6c3dfcc258a96b15c291f60ecc47bd8b28feb14ca995ff9c4f9a3e2ebbb237f3cb93ea9b415c9e
SSDEEP

98304:+R0pI/IQlUoMPdmpSpn4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmg5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3756	aoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintAM\\boddevloc.exe"	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocRC\\aoptisys.exe"	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2660	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2660	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2660	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2660	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
3756	aoptisys.exe
3756	aoptisys.exe
2660	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2660	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
3756	aoptisys.exe
3756	aoptisys.exe
2660	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2660	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
3756	aoptisys.exe
3756	aoptisys.exe
2660	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2660	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
3756	aoptisys.exe
3756	aoptisys.exe
2660	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2660	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
3756	aoptisys.exe
3756	aoptisys.exe
2660	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2660	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
3756	aoptisys.exe
3756	aoptisys.exe
2660	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2660	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
3756	aoptisys.exe
3756	aoptisys.exe
2660	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2660	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
3756	aoptisys.exe
3756	aoptisys.exe
2660	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2660	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
3756	aoptisys.exe
3756	aoptisys.exe
2660	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2660	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
3756	aoptisys.exe
3756	aoptisys.exe
2660	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2660	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
3756	aoptisys.exe
3756	aoptisys.exe
2660	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2660	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
3756	aoptisys.exe
3756	aoptisys.exe
2660	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2660	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
3756	aoptisys.exe
3756	aoptisys.exe
2660	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2660	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
3756	aoptisys.exe
3756	aoptisys.exe
2660	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2660	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
3756	aoptisys.exe
3756	aoptisys.exe
2660	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
2660	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 3756	2660	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe	90
PID 2660 wrote to memory of 3756	2660	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe	90
PID 2660 wrote to memory of 3756	2660	eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe	90

C:\Users\Admin\AppData\Local\Temp\eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe
"C:\Users\Admin\AppData\Local\Temp\eb971db8cba100e34ed8dfbc87373093f24532d3e66fa9a75a4950889ef2dd48.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2660
- C:\IntelprocRC\aoptisys.exe
  C:\IntelprocRC\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocRC\aoptisys.exe

Filesize
4.1MB

MD5
beeffaacfa0359f16f8a4b0455be532d

SHA1
f007e87907a3445a04bd34f96d8541af813e9602

SHA256
410d905f044cfdb42955c06c8bf625169904f30e01b9fb634eff6b4002907c87

SHA512
5e0aa32f7017162fdf5062f2bbdddb2505f986e0533b207cf77a886c94f154b4cbdf161a2217d859edbe10bfb7fd49b32b1bf587cf05b5bacbbf1e0fe5bf2702

Download Submit
C:\MintAM\boddevloc.exe

Filesize
4.1MB

MD5
0cee9021cfde65c1b9269d55ec901be3

SHA1
e1b843fbb6a4d56164cf8367ccf135596e061287

SHA256
73a01f929433085d9cdb85dbc09cda8d4b79e4af0b6a22adff7604cd052c4cc0

SHA512
a9da6e01932f6b21830b9c13f9429939b087685d24076e2c3a58b04e03df8be1e351dfdb678e7e5a2108e3cf1e8912134c25e91fc6cf46b2e1178e0ccd460d19

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
207B

MD5
e68f0c48bd4305dc4668db7cc2e2ab30

SHA1
dfd89553193dde79719208a4e27ca94ff64ce8e6

SHA256
0ca5be8356575a411daa2bd7611c6937d7810cc9b2ed33f436300ae90dd87b94

SHA512
a8a347528a97af3d737f894b16ea4325de851e25b4fd85e2230affc778e9424987c4bff178d5e68d068cd61e00085e70c7c61d527789c57b2cf1f9971a7c2a89

Download Submit