57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8

Analysis

max time kernel
154s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8.exe
Size

2.7MB
MD5

8fe596f81a362abfd41fe74464b8e672
SHA1

4b1a892cb73a3b359ad6a4f9e322e33d06202cd7
SHA256

57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8
SHA512

9b9fcb90297263f01f6daf4de7f926476bd8ec20e022ad1585b3d5927bc71728c75659a3f3ded2649565c4df2cf3dfdfe0ee5505a661b47df444c880c94897b4
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBz9w4Sx:+R0pI/IQlUoMPdmpSpr4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4620	aoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeA5\\aoptisys.exe"	57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBS5\\bodxec.exe"	57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2184	57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8.exe
2184	57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8.exe
2184	57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8.exe
2184	57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8.exe
4620	aoptisys.exe
4620	aoptisys.exe
2184	57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8.exe
2184	57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8.exe
2184	57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8.exe
2184	57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8.exe
4620	aoptisys.exe
4620	aoptisys.exe
2184	57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8.exe
2184	57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8.exe
4620	aoptisys.exe
4620	aoptisys.exe
2184	57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8.exe
2184	57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8.exe
4620	aoptisys.exe
4620	aoptisys.exe
2184	57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8.exe
2184	57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8.exe
4620	aoptisys.exe
4620	aoptisys.exe
2184	57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8.exe
2184	57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8.exe
4620	aoptisys.exe
4620	aoptisys.exe
2184	57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8.exe
2184	57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8.exe
4620	aoptisys.exe
4620	aoptisys.exe
2184	57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8.exe
2184	57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8.exe
4620	aoptisys.exe
4620	aoptisys.exe
2184	57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8.exe
2184	57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8.exe
4620	aoptisys.exe
4620	aoptisys.exe
2184	57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8.exe
2184	57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8.exe
4620	aoptisys.exe
4620	aoptisys.exe
2184	57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8.exe
2184	57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8.exe
4620	aoptisys.exe
4620	aoptisys.exe
2184	57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8.exe
2184	57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8.exe
4620	aoptisys.exe
4620	aoptisys.exe
2184	57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8.exe
2184	57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8.exe
4620	aoptisys.exe
4620	aoptisys.exe
2184	57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8.exe
2184	57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8.exe
4620	aoptisys.exe
4620	aoptisys.exe
2184	57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8.exe
2184	57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8.exe
4620	aoptisys.exe
4620	aoptisys.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 4620	2184	57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8.exe	91
PID 2184 wrote to memory of 4620	2184	57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8.exe	91
PID 2184 wrote to memory of 4620	2184	57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8.exe	91

C:\Users\Admin\AppData\Local\Temp\57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8.exe
"C:\Users\Admin\AppData\Local\Temp\57d12c6d11971bf8c2c46ec2761b484189fb992989f9a6f25c2b80fc92b232e8.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2184
- C:\AdobeA5\aoptisys.exe
  C:\AdobeA5\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4060 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:4696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeA5\aoptisys.exe

Filesize
2.7MB

MD5
d37fb1f7c2c9294c3c723b89a8ff1a47

SHA1
2f9d24437ae0904a350cf414dce94dfa5701b367

SHA256
1440992dce683d836b18e6abb35570e319e53ea7a1252e2b50fd15047ee3ea64

SHA512
0a7bf43b9181479a3411b0359b76d46beac7bdd4d7dee551b6092db6500f4b9529c5ba6d315d5a2346638c3d79273011e093ef365c889a60d374625d038f20e1

Download Submit
C:\KaVBS5\bodxec.exe

Filesize
2.7MB

MD5
75691ba49e691c5d4b81f176bd755666

SHA1
92b7c9459699a009a0f082657c9c2694b321082a

SHA256
2b9ea90eb2bac97aa7eb3554b25553b0a051d98c5e61b88c90b14d20293ef5dc

SHA512
1cbee836fb073f6ad9d18fa0204aea9257e3811a6024a077e4db10944ba14eca74d070869a6325317a0b8fa1f5b7c971791509cac7bbfa774e4329f3d0f31755

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
212a3048dc47d41b2cb3c8748b9ffd18

SHA1
8ff881ddd4389fe8de520d19e76c3056d07f2f8c

SHA256
7ffab7d76123cef60ec480b7b65922eac95f025ba03e6aec466761c37d37b725

SHA512
32f1bf3b4172e39ac81961795b64bf7e5baac96241cdb75b144654582b8abe497101d0eac9f3b5eda1a4188ed900fe126808b7a270ad2f5ddff8f4462d99c024

Download Submit