a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55

General

Target

a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe
Size

2.7MB
MD5

031d97ac9ce9a3fe11368395edf8aef2
SHA1

c3dd9f745b537c319e9cf20e3b1a9f8c7c1fd9d7
SHA256

a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55
SHA512

4a96780d432d4a1b7ad328eb4e0b5b6d89e79fb78b6109a0261986d947e5f3de5c928ddbe6731ba779a821d465ed9af06a060a6efe30513ca4bdfe92589029d4
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBL9w4Sx:+R0pI/IQlUoMPdmpSpH4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

aoptisys.exe

pid process

2672 aoptisys.exe

pid	process
2672	aoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxF2\\dobaec.exe"	a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot5X\\aoptisys.exe"	a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exeaoptisys.exe

pid	process
724	a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe
724	a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe
724	a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe
724	a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe
2672	aoptisys.exe
2672	aoptisys.exe
724	a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe
724	a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe
2672	aoptisys.exe
2672	aoptisys.exe
724	a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe
724	a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe
2672	aoptisys.exe
2672	aoptisys.exe
724	a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe
724	a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe
2672	aoptisys.exe
2672	aoptisys.exe
724	a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe
724	a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe
2672	aoptisys.exe
2672	aoptisys.exe
724	a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe
724	a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe
2672	aoptisys.exe
2672	aoptisys.exe
724	a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe
724	a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe
2672	aoptisys.exe
2672	aoptisys.exe
724	a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe
724	a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe
2672	aoptisys.exe
2672	aoptisys.exe
724	a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe
724	a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe
2672	aoptisys.exe
2672	aoptisys.exe
724	a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe
724	a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe
2672	aoptisys.exe
2672	aoptisys.exe
724	a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe
724	a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe
2672	aoptisys.exe
2672	aoptisys.exe
724	a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe
724	a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe
2672	aoptisys.exe
2672	aoptisys.exe
724	a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe
724	a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe
2672	aoptisys.exe
2672	aoptisys.exe
724	a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe
724	a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe
2672	aoptisys.exe
2672	aoptisys.exe
724	a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe
724	a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe
2672	aoptisys.exe
2672	aoptisys.exe
724	a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe
724	a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe

description	pid	process	target process
PID 724 wrote to memory of 2672	724	a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe	aoptisys.exe
PID 724 wrote to memory of 2672	724	a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe	aoptisys.exe
PID 724 wrote to memory of 2672	724	a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe	aoptisys.exe

C:\Users\Admin\AppData\Local\Temp\a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe
"C:\Users\Admin\AppData\Local\Temp\a50a73c75501bcb20bebdc2972dae8bc41c48c619de60457890f26d62fa96e55.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:724

C:\UserDot5X\aoptisys.exe
C:\UserDot5X\aoptisys.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3980,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=4492 /prefetch:8
1⤵
PID:2196

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxF2\dobaec.exe
Filesize
2.7MB

MD5
57e9a8214a64922e70eb6084bacbc302

SHA1
e95278642015ec87538cd9c2ac08c303a4fbcf54

SHA256
16a0a78fc6dd4c0d315f557dde50813a7eaa0f2471a77f62732d0f1199b6003d

SHA512
3c934f350d729ccd39ac349dd4289fef989303ae34bd5b8c2afeb66ffb21b7d4ff1c5f631b301a141b294a8a2b33f5ddda6e004b7d0686be3d9967f23ffa04d4

Download Submit
C:\UserDot5X\aoptisys.exe
Filesize
2.7MB

MD5
305ad9f6cf81c9b0989d57c3aae941b8

SHA1
1d056a91f31b2f2483de55f336dcef7ad081e049

SHA256
6dd6df4726dba04d50e8ea3d9a111bcdf27cdd57d0b927f92c4c42618b4e4e49

SHA512
8933c88a6d0160a736c75085accd9e3a2873c21e99f428bb4b53ce91bfdaa43128bf3e56e48483e63dec59ebded9c5eab87e7fef52de57b7ce3afed933556971

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini
Filesize
204B

MD5
425aabf6f05438cce119b47c9e5b2ca8

SHA1
8a0c203d8e9f1776073092f640584a650cf954e4

SHA256
2cdd2b5d50ce4ba37908ed4779b33b702cd80724023cd3959b6348437e3f1f3b

SHA512
ab10338bb31163c63d50b36320be12ea0cbf369273c8764bbf175c24b055b5f15bc89c89dd1ffdee9c6f0797231dc6b8a5cae7569bd04cda664bd2a08fe3d0fc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads