3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce

Analysis

max time kernel
153s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04-05-2024 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
Size

2.7MB
MD5

09522f8c71c3b1ad4496cc3a095feea5
SHA1

ed7147f5e3b3a45631079819a4501645e761a90a
SHA256

3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce
SHA512

30c15e2808f1ecdf874358f0a485ecb9f3cdf7a46f4b06587a7e7b4196c713963afc7456cf53fdb30465417ac42706e146f56061b9f3b66f9f0175853a5b6e0d
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBW9w4Sx:+R0pI/IQlUoMPdmpSpM4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4944	aoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZAN\\dobxsys.exe"	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvFS\\aoptisys.exe"	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5084	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
5084	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
5084	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
5084	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
4944	aoptisys.exe
4944	aoptisys.exe
5084	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
5084	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
5084	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
5084	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
4944	aoptisys.exe
4944	aoptisys.exe
5084	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
5084	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
4944	aoptisys.exe
4944	aoptisys.exe
5084	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
5084	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
4944	aoptisys.exe
4944	aoptisys.exe
5084	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
5084	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
4944	aoptisys.exe
4944	aoptisys.exe
5084	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
5084	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
4944	aoptisys.exe
4944	aoptisys.exe
5084	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
5084	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
4944	aoptisys.exe
4944	aoptisys.exe
5084	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
5084	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
4944	aoptisys.exe
4944	aoptisys.exe
5084	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
5084	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
4944	aoptisys.exe
4944	aoptisys.exe
5084	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
5084	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
4944	aoptisys.exe
4944	aoptisys.exe
5084	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
5084	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
4944	aoptisys.exe
4944	aoptisys.exe
5084	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
5084	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
4944	aoptisys.exe
4944	aoptisys.exe
5084	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
5084	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
4944	aoptisys.exe
4944	aoptisys.exe
5084	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
5084	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
4944	aoptisys.exe
4944	aoptisys.exe
5084	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
5084	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
4944	aoptisys.exe
4944	aoptisys.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 4944	5084	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe	94
PID 5084 wrote to memory of 4944	5084	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe	94
PID 5084 wrote to memory of 4944	5084	3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe	94

C:\Users\Admin\AppData\Local\Temp\3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe
"C:\Users\Admin\AppData\Local\Temp\3bf782a254e9010f18bb6afe73268e6b34ef71b6dee20d6042e9cba0996629ce.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5084
- C:\SysDrvFS\aoptisys.exe
  C:\SysDrvFS\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3496 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:3148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZAN\dobxsys.exe

Filesize
2.7MB

MD5
87168582619d4f4971fa5b92ea698f0f

SHA1
25c98638cc9e5284a39fadd61dcb2da72636e04f

SHA256
a647376fcce6da1d481d72eb2c5e4293e645b93127239e5f5af176048ef9f01a

SHA512
62103d2b521e4d87ffd0455d52f571230cea98add4f749bb6b16756a531bc4bc1ecaf42c1ef77c0f0697560955762adb15403e64a587a6ea6c0ba157ea34df2c

Download Submit
C:\SysDrvFS\aoptisys.exe

Filesize
2.7MB

MD5
a09fc9e92e2d5ec82a41ae9782de5a8b

SHA1
0b2771245db2c7af80b89a7b9db3d2a12f89f331

SHA256
ca0a7c8bf48f84529d11ad118d38b080de3e9b215cc13dec523bcaf220c3d0a3

SHA512
cbbc7e9c9a66f38a593bd94bed127b3275a7ce8f602b91f2a49cf6f7a739aba6e9e9456e2bd65ff8ba8125d0ed2f169f3736d8cad598c3f6930cfcb7f7f01075

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
6eb77a07ba248c2d8e4d3f8a10d67496

SHA1
8dfb8a8f2267904428a56f78d0bd75bcf35573b3

SHA256
ef1b78c6f541af089a9aa685eab2a89fd5bf69cc988d6c85c332c055d96be64f

SHA512
b71095eefa178971f3cafb7e7f26045878d2e21c18e713c70f17aa0011c7f5e1b0c7a088734a21167974f3f14591f9930c590d945e10dacbd9e2cf3c1448bedf

Download Submit