5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008

Analysis

max time kernel
150s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2024, 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008.exe
Size

4.1MB
MD5

2f16d1977233e2026f9c7adf8f52ed78
SHA1

81401764d2025b71fcc8a5f3d3025763c5d45b83
SHA256

5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008
SHA512

89b8208c1870a7cfb5d0e66f44bb4419a3584b64b1262183b91e82f68164c0b3b66d5cc0c451ea3ebd49df0b85f13abe3b5c958a07ebb63dce35adfa5c6d410e
SSDEEP

98304:+R0pI/IQlUoMPdmpSpg4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmH5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2096	aoptiloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocG5\\aoptiloc.exe"	5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintRN\\optiasys.exe"	5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1056	5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008.exe
1056	5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008.exe
1056	5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008.exe
1056	5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008.exe
2096	aoptiloc.exe
2096	aoptiloc.exe
1056	5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008.exe
1056	5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008.exe
2096	aoptiloc.exe
2096	aoptiloc.exe
1056	5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008.exe
1056	5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008.exe
2096	aoptiloc.exe
2096	aoptiloc.exe
1056	5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008.exe
1056	5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008.exe
2096	aoptiloc.exe
2096	aoptiloc.exe
1056	5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008.exe
1056	5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008.exe
2096	aoptiloc.exe
2096	aoptiloc.exe
1056	5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008.exe
1056	5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008.exe
2096	aoptiloc.exe
2096	aoptiloc.exe
1056	5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008.exe
1056	5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008.exe
2096	aoptiloc.exe
2096	aoptiloc.exe
1056	5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008.exe
1056	5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008.exe
2096	aoptiloc.exe
2096	aoptiloc.exe
1056	5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008.exe
1056	5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008.exe
2096	aoptiloc.exe
2096	aoptiloc.exe
1056	5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008.exe
1056	5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008.exe
2096	aoptiloc.exe
2096	aoptiloc.exe
1056	5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008.exe
1056	5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008.exe
2096	aoptiloc.exe
2096	aoptiloc.exe
1056	5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008.exe
1056	5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008.exe
2096	aoptiloc.exe
2096	aoptiloc.exe
1056	5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008.exe
1056	5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008.exe
2096	aoptiloc.exe
2096	aoptiloc.exe
1056	5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008.exe
1056	5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008.exe
2096	aoptiloc.exe
2096	aoptiloc.exe
1056	5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008.exe
1056	5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008.exe
2096	aoptiloc.exe
2096	aoptiloc.exe
1056	5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008.exe
1056	5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 2096	1056	5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008.exe	92
PID 1056 wrote to memory of 2096	1056	5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008.exe	92
PID 1056 wrote to memory of 2096	1056	5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008.exe	92

C:\Users\Admin\AppData\Local\Temp\5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008.exe
"C:\Users\Admin\AppData\Local\Temp\5b3f5fef6ff3d55ae78c6303008f1c7758a92516c9feb9f6ce6f277673b46008.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1056
- C:\IntelprocG5\aoptiloc.exe
  C:\IntelprocG5\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocG5\aoptiloc.exe

Filesize
4.1MB

MD5
6a156448d2df756ab304ee6d1ec1f9cd

SHA1
2460247e0cfd3ac77d142d340ac1cd569627ad03

SHA256
3249de773f1292cecc4c3921b2128664541ed8eee017e84ce824a264e04f0bad

SHA512
02022ce4817abdd70bf783575fad8e0f17a7a1cd9f1416992b2113f7652b271a788a938330692d110a058a692e99bbc1c54d56c4e6702bf6e68fa5e51124fca4

Download Submit
C:\MintRN\optiasys.exe

Filesize
28KB

MD5
c0b5a335108a310fc6d5fd355a6901e3

SHA1
adcffc72bb6f2d986765a82a5b42cf7ef122f1a2

SHA256
652dba79b20ca7d8ab5f06aab64948bddef364ed1ee3b1e7cba3cc6c548004de

SHA512
2284a1315376c85f3ce3a235f6369457e0bdf0cc95223992585944f36cf3497ff6762e7ddcac6092600370aff03884a0542c3049e3f7fe96926b7ab4ef2b4bbb

Download Submit
C:\MintRN\optiasys.exe

Filesize
4.1MB

MD5
12a14b14de85f1a5dadb9cfe0eb7ed7f

SHA1
d924a69eacb64cda999834a787d077d84b560566

SHA256
e6e7826cfe01735e42b6024c22c1f6c091edc332e1f31472c85f621d9b7f6009

SHA512
3028d781fcd3503a36f3bfce28a5250f665d01be5d554a1b23dd8680e224b8e8809bbe95fe3932a45eef7ab6c57678d15da2774ecc1b0426de93c2c303e421f8

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
eb34b3159d4d9f9dc61df9f27fb4ef4c

SHA1
cb726b8d91325ec0d6f514a5a5d02e9f40bd54a7

SHA256
4a2ed5a75ce53a73826b7fed0de8b22b5bbc64489da19a46f64081aead130320

SHA512
13aba07a1b23f7ce7e262b755406997b198039d0f7ed90a52fe2fdf47104068f4c0c73767128107db755b8f1320cb785fa53a39b3794cb1fdb6e692f50be76f9

Download Submit