3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
04-05-2024 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
Size

2.7MB
MD5

09522f8c71c3b1ad4496cc3a095feea5
SHA1

ed7147f5e3b3a45631079819a4501645e761a90a
SHA256

3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce
SHA512

30c15e2808f1ecdf874358f0a485ecb9f3cdf7a46f4b06587a7e7b4196c713963afc7456cf53fdb30465417ac42706e146f56061b9f3b66f9f0175853a5b6e0d
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBW9w4Sx:+R0pI/IQlUoMPdmpSpM4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2560	aoptiec.exe

Loads dropped DLL 1 IoCs

pid	Process
2700	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeCS\\aoptiec.exe"	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintRW\\dobaec.exe"	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2700	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
2700	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
2560	aoptiec.exe
2700	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
2560	aoptiec.exe
2700	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
2560	aoptiec.exe
2700	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
2560	aoptiec.exe
2700	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
2560	aoptiec.exe
2700	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
2560	aoptiec.exe
2700	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
2560	aoptiec.exe
2700	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
2560	aoptiec.exe
2700	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
2560	aoptiec.exe
2700	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
2560	aoptiec.exe
2700	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
2560	aoptiec.exe
2700	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
2560	aoptiec.exe
2700	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
2560	aoptiec.exe
2700	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
2560	aoptiec.exe
2700	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
2560	aoptiec.exe
2700	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
2560	aoptiec.exe
2700	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
2560	aoptiec.exe
2700	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
2560	aoptiec.exe
2700	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
2560	aoptiec.exe
2700	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
2560	aoptiec.exe
2700	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
2560	aoptiec.exe
2700	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
2560	aoptiec.exe
2700	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
2560	aoptiec.exe
2700	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
2560	aoptiec.exe
2700	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
2560	aoptiec.exe
2700	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
2560	aoptiec.exe
2700	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
2560	aoptiec.exe
2700	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
2560	aoptiec.exe
2700	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
2560	aoptiec.exe
2700	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
2560	aoptiec.exe
2700	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
2560	aoptiec.exe
2700	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2560	2700	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe	28
PID 2700 wrote to memory of 2560	2700	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe	28
PID 2700 wrote to memory of 2560	2700	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe	28
PID 2700 wrote to memory of 2560	2700	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe	28

C:\Users\Admin\AppData\Local\Temp\3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
"C:\Users\Admin\AppData\Local\Temp\3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2700
- C:\AdobeCS\aoptiec.exe
  C:\AdobeCS\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintRW\dobaec.exe

Filesize
2.7MB

MD5
f0fad1caec7b9354dc99944072576e3d

SHA1
c48a1ec8fb0ebf50ad505c3ec9e321bd7eb74bdc

SHA256
210e0a59943224af3ee5abddc59ab4acaf4488dfbb161efa9f2e97f0db85451e

SHA512
eafdae408dad19ae8c57cc7130f9e22bcbfd079044dbf5dfe863c413b1e6cba017ae0fa97f7467d5f9b0e42b15dde15e1d69300bca82c74a072cdeca322acd40

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
199B

MD5
e8f17954ed523ae4c1704a5da604b56c

SHA1
460f9a33a13d5d29988e2b4bbcd558c62c550798

SHA256
1be2dc73567e78ae0ebc6cca6e5cbd7833a5e95b3a592cd3620967d1e9ac2fa9

SHA512
8aa94c5f9ae6aab89ed7a51eadf89d0667228b4fdd6c3fa533bb1ff57784254056c134bb1cebb4676c31f745c67c60cc792ac7a1944d1d7f31a3742625d6eb8b

Download Submit
\AdobeCS\aoptiec.exe

Filesize
2.7MB

MD5
1bc6abf3417744e14a787703b683c4ca

SHA1
fcab87be99c104282f02f088d11112cbd04d4e00

SHA256
07c8f1541ebc9b7748e68b6696d82ad79acc9d353270472c51df44730142319f

SHA512
6a3e8cc253c0ba0bd9864670e43afa839a2e1c40adda3d09f2af5556e644d0c609a7395be0f3a6117bde27faddc65794a8f9e18c489f2f74f94fc8e35d6e1ece

Download Submit