2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
05/05/2024, 08:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe
Size

4.1MB
MD5

0725cef6b88f88d7272f33eb276d014f
SHA1

25a933f7473b49a694eae738def7f1ef58d59e67
SHA256

2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e
SHA512

44d167a3cc534afce9048f02a4d6a2cb6b20d8ce524eaee720f08c96c74c4456f8082f3ca93165a30bf8f85afbe54f4a877fbd3f302fd68d3705efeeb7e4cd60
SSDEEP

98304:+R0pI/IQlUoMPdmpSps4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmb5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2644	aoptiec.exe

Loads dropped DLL 1 IoCs

pid	Process
2984	2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot8U\\aoptiec.exe"	2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax3S\\boddevsys.exe"	2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2984	2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe
2984	2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe
2644	aoptiec.exe
2984	2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe
2644	aoptiec.exe
2984	2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe
2644	aoptiec.exe
2984	2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe
2644	aoptiec.exe
2984	2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe
2644	aoptiec.exe
2984	2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe
2644	aoptiec.exe
2984	2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe
2644	aoptiec.exe
2984	2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe
2644	aoptiec.exe
2984	2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe
2644	aoptiec.exe
2984	2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe
2644	aoptiec.exe
2984	2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe
2644	aoptiec.exe
2984	2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe
2644	aoptiec.exe
2984	2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe
2644	aoptiec.exe
2984	2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe
2644	aoptiec.exe
2984	2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe
2644	aoptiec.exe
2984	2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe
2644	aoptiec.exe
2984	2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe
2644	aoptiec.exe
2984	2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe
2644	aoptiec.exe
2984	2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe
2644	aoptiec.exe
2984	2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe
2644	aoptiec.exe
2984	2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe
2644	aoptiec.exe
2984	2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe
2644	aoptiec.exe
2984	2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe
2644	aoptiec.exe
2984	2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe
2644	aoptiec.exe
2984	2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe
2644	aoptiec.exe
2984	2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe
2644	aoptiec.exe
2984	2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe
2644	aoptiec.exe
2984	2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe
2644	aoptiec.exe
2984	2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe
2644	aoptiec.exe
2984	2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe
2644	aoptiec.exe
2984	2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe
2644	aoptiec.exe
2984	2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2644	2984	2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe	28
PID 2984 wrote to memory of 2644	2984	2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe	28
PID 2984 wrote to memory of 2644	2984	2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe	28
PID 2984 wrote to memory of 2644	2984	2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe	28

C:\Users\Admin\AppData\Local\Temp\2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe
"C:\Users\Admin\AppData\Local\Temp\2b737286502a18b9d34227a6f1f51de13879cfe411936f574353798ad39f428e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2984
- C:\UserDot8U\aoptiec.exe
  C:\UserDot8U\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax3S\boddevsys.exe

Filesize
4.1MB

MD5
edaf557cf07e5c87a55f66718713ce9c

SHA1
491869a94569e60c94720463fbc6ff9075526505

SHA256
32796f5b20c3377ae2aed4c210449aee87afb315a4f85fa0740df7c6755d252b

SHA512
95b41ad3f5416ef0d1ee18849c0bdc1c3a26cc327869c06a8531f02c4cb230320ee8a998f8cbf7c6ca3e76cbd21348f4c46c385bed712e7ff3a3d70ca22ec65c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
207B

MD5
07afaa652992fc12b9a8becfa9cb3370

SHA1
3186892b2b99dc91cf4eedbbb0200588257e25ac

SHA256
9768596eb8f7842ebcb5eca641951696f9281a262a16ecc9bd1892f6e7e499b4

SHA512
ad0617c7f394291e779a2730e29a85afead214b4167c69104a5d48449b84289fbf333e965c562b05d05a51fa835c7b849ca9d1332378e16d1b088b322c422e94

Download Submit
\UserDot8U\aoptiec.exe

Filesize
4.1MB

MD5
8048cab26d598e1272e46c921cfc6a7b

SHA1
e34968a2fd75e628e98575ba403b276d3f0567cc

SHA256
b7673e7ddd8930f34739854b25d8b5c9019eaf64f23790b1b584b1a20f3886e7

SHA512
6b158113228812c8e664cda98dc5ea31c48921f5eef7cb3ae7d57b7a6a18afc85d34de783fcd5e5a78eb2278771ff6a19dfd5b2b744f560127f9ac5f68a7409c

Download Submit