6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 22:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42.exe
Size

2.7MB
MD5

30385591058d62e4b1d1aa9b77c3857e
SHA1

bb8d843fe6c2cbb77f300cd70c8c72bdfa53709d
SHA256

6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42
SHA512

bc2e469fc4e1bfbe7595a20d9f6b1a3f8e2e1d1d58a3d77416568d4612855cd66725569073d3f0ea239fa8753f5cc0c3219ecd7e1d6ab828cc7ad0861f30a523
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBw9w4Sx:+R0pI/IQlUoMPdmpSp64

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3320	aoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocVU\\aoptisys.exe"	6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax22\\bodasys.exe"	6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3816	6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42.exe
3816	6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42.exe
3816	6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42.exe
3816	6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42.exe
3320	aoptisys.exe
3320	aoptisys.exe
3816	6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42.exe
3816	6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42.exe
3320	aoptisys.exe
3320	aoptisys.exe
3816	6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42.exe
3816	6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42.exe
3320	aoptisys.exe
3320	aoptisys.exe
3816	6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42.exe
3816	6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42.exe
3320	aoptisys.exe
3320	aoptisys.exe
3816	6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42.exe
3816	6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42.exe
3320	aoptisys.exe
3320	aoptisys.exe
3816	6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42.exe
3816	6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42.exe
3320	aoptisys.exe
3320	aoptisys.exe
3816	6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42.exe
3816	6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42.exe
3320	aoptisys.exe
3320	aoptisys.exe
3816	6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42.exe
3816	6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42.exe
3320	aoptisys.exe
3320	aoptisys.exe
3816	6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42.exe
3816	6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42.exe
3320	aoptisys.exe
3320	aoptisys.exe
3816	6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42.exe
3816	6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42.exe
3320	aoptisys.exe
3320	aoptisys.exe
3816	6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42.exe
3816	6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42.exe
3320	aoptisys.exe
3320	aoptisys.exe
3816	6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42.exe
3816	6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42.exe
3320	aoptisys.exe
3320	aoptisys.exe
3816	6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42.exe
3816	6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42.exe
3320	aoptisys.exe
3320	aoptisys.exe
3816	6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42.exe
3816	6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42.exe
3320	aoptisys.exe
3320	aoptisys.exe
3816	6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42.exe
3816	6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42.exe
3320	aoptisys.exe
3320	aoptisys.exe
3816	6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42.exe
3816	6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3816 wrote to memory of 3320	3816	6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42.exe	85
PID 3816 wrote to memory of 3320	3816	6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42.exe	85
PID 3816 wrote to memory of 3320	3816	6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42.exe	85

C:\Users\Admin\AppData\Local\Temp\6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42.exe
"C:\Users\Admin\AppData\Local\Temp\6c18a99744d71cf80197746dbb23338e8bbf268845f5d6d0d4d38e1a9ea1bd42.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3816
- C:\IntelprocVU\aoptisys.exe
  C:\IntelprocVU\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax22\bodasys.exe

Filesize
2.7MB

MD5
afa130acca55159f94be9053aec8abff

SHA1
57e6dece5cc2ff669adf91a29091500be7d06f5d

SHA256
1af5d7f44b1dcfad91f938f74797240006e20451f513b037392f608f469cfb8f

SHA512
a661bcbba33e823ccdf6d9c6c512409c5d8005b7cb252ee7734645d036ff3fb870f37e9641f63211164f9443ae7c5235b415427c6ee1f77fde806b81c4a87863

Download Submit
C:\IntelprocVU\aoptisys.exe

Filesize
2.7MB

MD5
607c094a844d461b6dcdff72b91505d6

SHA1
59e93ff591b88f6746ddbeb26d740594e7bff236

SHA256
360f7e847784a2d6704fd74be0224d2bc965bbe2af33a86a231ed83ccb5dc340

SHA512
b2a939be25bdc626f8a6930c09fd64f3e9046caa37caaf38b16bb317eaa0225a106953775e07b880789d39ffeb36bc250c31fc51e6717c5f51fe6b1bdf202c04

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
208B

MD5
1f6aa399b6e23097dc16fe051231d9fd

SHA1
59b383d567e4847fb918ba64a7c2c4683e98e999

SHA256
68e031cb5822270a83ff194508233d81930a94aa5d3966844c2ff7b046f3172a

SHA512
1e641749e8edc462d7ed7ad0bb927c55c74ed579669419e10d226be5faf0b6b5df06ebc2d6f17a40f9d239947c406c142dd060241f8e87b1a824d5e9d1bfc6c2

Download Submit