af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-05-2024 01:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
Size

2.7MB
MD5

4400ee5f21abd31f7f81c75b8c82a21e
SHA1

d4eb785477099081c64d28307f9b23ac3e1b8409
SHA256

af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692
SHA512

1f15cca7f39947156a7a634087562c1bc77d92cedfc2c43e17b5456dd7060180a08a007f7a9c0445a58f3c1c70850d54893c20eb8302e4d255580273b134dc74
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBO9w4Sx:+R0pI/IQlUoMPdmpSpY4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1396	aoptisys.exe

Loads dropped DLL 1 IoCs

pid	Process
2936	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocUG\\aoptisys.exe"	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBVA\\bodaec.exe"	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2936	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
2936	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
1396	aoptisys.exe
2936	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
1396	aoptisys.exe
2936	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
1396	aoptisys.exe
2936	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
1396	aoptisys.exe
2936	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
1396	aoptisys.exe
2936	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
1396	aoptisys.exe
2936	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
1396	aoptisys.exe
2936	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
1396	aoptisys.exe
2936	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
1396	aoptisys.exe
2936	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
1396	aoptisys.exe
2936	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
1396	aoptisys.exe
2936	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
1396	aoptisys.exe
2936	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
1396	aoptisys.exe
2936	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
1396	aoptisys.exe
2936	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
1396	aoptisys.exe
2936	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
1396	aoptisys.exe
2936	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
1396	aoptisys.exe
2936	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
1396	aoptisys.exe
2936	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
1396	aoptisys.exe
2936	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
1396	aoptisys.exe
2936	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
1396	aoptisys.exe
2936	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
1396	aoptisys.exe
2936	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
1396	aoptisys.exe
2936	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
1396	aoptisys.exe
2936	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
1396	aoptisys.exe
2936	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
1396	aoptisys.exe
2936	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
1396	aoptisys.exe
2936	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
1396	aoptisys.exe
2936	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
1396	aoptisys.exe
2936	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
1396	aoptisys.exe
2936	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
1396	aoptisys.exe
2936	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 1396	2936	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe	28
PID 2936 wrote to memory of 1396	2936	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe	28
PID 2936 wrote to memory of 1396	2936	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe	28
PID 2936 wrote to memory of 1396	2936	af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe	28

C:\Users\Admin\AppData\Local\Temp\af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe
"C:\Users\Admin\AppData\Local\Temp\af08e825b3eca073a6c5bbcb80e111a5d38c48ecfeae24a6c411631509f40692.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2936
- C:\IntelprocUG\aoptisys.exe
  C:\IntelprocUG\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBVA\bodaec.exe

Filesize
2.7MB

MD5
f8f93457c48b23affd43ff3c73353e84

SHA1
16a1b1366eb1f43f75c68e0df6190d54a79144d7

SHA256
5bb5dd9b8066739b057b46d6418ac41c039bc594b3f6fb766ccd3791d6a8009d

SHA512
623d8653402f94b0ab05a52e330aade0b72e2ad9c0affbfdf27af1bc3ca7b62b4adee6f37aa790b34d3899aa754254758acf618cbf800d876ee61aa9e04ac36f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
daf680c7dc5ebc85ac48d69d2c1f4632

SHA1
d9bad17cb2f9df8a322d68b97822cfcd8d9bb147

SHA256
07371177d38341690c252969ea6d30111346d4e2344d51750ca798baef9127bc

SHA512
312125b81d71d1c97f07d02d8fae2e8cdb20b491253df9f426751735dd6995c65afcb5f40ac86c1e8e8d26561ba6b862b2382b87c77e560a5e7e65a80227a73c

Download Submit
\IntelprocUG\aoptisys.exe

Filesize
2.7MB

MD5
51a630f25dc4ab38ce9b4f44877e47e4

SHA1
30fcff1b08018f1bc302c0c372ff0565b03288b3

SHA256
cb54db3aaff0a004082acb33c6a2f9c18596d2b7796b5239d884acb5e66c6744

SHA512
35ff47b0c981e5a97c211c940d197f54a2083393567aa038c38f63b9cc7163caf1c6f83c9ac4a7d770968585dcd60171ef41c3aacda63027463420ed2b090437

Download Submit