e0b34d95f9dce958e106e9922e51a2a2a957d5bc693a8ddc531169affaa11c2c

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 20:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
Size

2.7MB
MD5

572673098cc48a13cf80cd2ca6c9c2f0
SHA1

40eda75d7a03de4f4ebbd6d170c921799a5b28a8
SHA256

e0b34d95f9dce958e106e9922e51a2a2a957d5bc693a8ddc531169affaa11c2c
SHA512

fc1a06801fe74ceafdd51372a8c20f80f7cdf3119b109e4b37e4dc0357d0dbac07c929b3dc115c74010a49c7d25dc6cc908f47ed854bdafb621b48291cd40489
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBc9w4Sx:+R0pI/IQlUoMPdmpSpy4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1568	aoptiloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeO9\\aoptiloc.exe"	virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBM0\\bodxsys.exe"	virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\AdminF+ZZ.K^KF<YKWSXQF7SM\Y]YP^FASXNYa]F=^K\^ 7OX_F:\YQ\KW]F=^K\^_ZFsysadob.exe	virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4552	virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
4552	virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
4552	virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
4552	virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
1568	aoptiloc.exe
1568	aoptiloc.exe
4552	virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
4552	virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
1568	aoptiloc.exe
1568	aoptiloc.exe
4552	virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
4552	virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
1568	aoptiloc.exe
1568	aoptiloc.exe
4552	virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
4552	virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
1568	aoptiloc.exe
1568	aoptiloc.exe
4552	virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
4552	virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
1568	aoptiloc.exe
1568	aoptiloc.exe
4552	virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
4552	virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
1568	aoptiloc.exe
1568	aoptiloc.exe
4552	virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
4552	virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
1568	aoptiloc.exe
1568	aoptiloc.exe
4552	virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
4552	virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
1568	aoptiloc.exe
1568	aoptiloc.exe
4552	virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
4552	virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
1568	aoptiloc.exe
1568	aoptiloc.exe
4552	virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
4552	virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
1568	aoptiloc.exe
1568	aoptiloc.exe
4552	virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
4552	virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
1568	aoptiloc.exe
1568	aoptiloc.exe
4552	virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
4552	virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
1568	aoptiloc.exe
1568	aoptiloc.exe
4552	virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
4552	virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
1568	aoptiloc.exe
1568	aoptiloc.exe
4552	virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
4552	virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
1568	aoptiloc.exe
1568	aoptiloc.exe
4552	virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
4552	virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
1568	aoptiloc.exe
1568	aoptiloc.exe
4552	virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
4552	virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4552 wrote to memory of 1568	4552	virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe	87
PID 4552 wrote to memory of 1568	4552	virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe	87
PID 4552 wrote to memory of 1568	4552	virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe	87

C:\Users\Admin\AppData\Local\Temp\virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe
"C:\Users\Admin\AppData\Local\Temp\virussign.com_572673098cc48a13cf80cd2ca6c9c2f0.exe"
1⤵
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4552
- C:\AdobeO9\aoptiloc.exe
  C:\AdobeO9\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeO9\aoptiloc.exe

Filesize
2.7MB

MD5
47e4f9d08a2d42aabd8ffd27fe168ffc

SHA1
f48105c80d485730da52c305e9fc054f3ce6a13f

SHA256
cb04c159cc0a508aa392ab10b7ccac4443bc53e07d1416d1b3acdde7e5062deb

SHA512
386ce06ee2d2db1ccc35b558b9ed551915be0198acc74e87f2929cb262d5b9e659fcabde02a64448f6288f1de458fecd315f67db339ebdfc8495ff6f9e1ab6ab

Download Submit
C:\KaVBM0\bodxsys.exe

Filesize
2.7MB

MD5
835f844c0908285ccc5f293ed4bf8f09

SHA1
3bc7376cd85b02402fa521490d2fd6f105216f7d

SHA256
713d0c447e044d3f35287e36baacf2b8828bc0be443a585f499aa0da6ece889a

SHA512
e7cd431e3029de6f45b4d8855a9c9729f6dbb7ee1f3a40b5042577c633b6d5242c0b122ea59e80c3bac75c49bc5ba28b119da360959a205b32194faed97edc93

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
e2a390a93e3f4b964452263218d6b1ae

SHA1
ac84e7286afe79123685725099471f7f152e8b03

SHA256
68f44380aae2a3cdb602180ced2b577b7456abca09f7442c487db3c88c54aa7c

SHA512
e5c34b8ff91e18ec91316285b98d25bbebf572fb8b4fe57e09741f8de2aa15a17005603287dd1093dc15d64592705613dd8e5b3967385ea7f4762dfde6db6a8e

Download Submit