6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10/06/2024, 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe
Size

4.1MB
MD5

12fdfaa437734d7f6cf88bea3f814cbd
SHA1

fb9c5e3ce07da5ba9eb3cd6394cd49b3e20407b7
SHA256

6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028
SHA512

af0eeb8a84cb6e5eb79256a902c507a89002a67e764ca435f24375e5f65ab45cc2bad3f2acf684561f17d3bb4b1c82d87770dd2b62617de44c857eb5ba7134f9
SSDEEP

98304:+R0pI/IQlUoMPdmpSpb4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmo5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1716	aoptiloc.exe

Loads dropped DLL 1 IoCs

pid	Process
1792	6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesLF\\aoptiloc.exe"	6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintJ2\\optixsys.exe"	6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1792	6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe
1792	6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe
1716	aoptiloc.exe
1792	6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe
1716	aoptiloc.exe
1792	6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe
1716	aoptiloc.exe
1792	6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe
1716	aoptiloc.exe
1792	6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe
1716	aoptiloc.exe
1792	6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe
1716	aoptiloc.exe
1792	6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe
1716	aoptiloc.exe
1792	6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe
1716	aoptiloc.exe
1792	6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe
1716	aoptiloc.exe
1792	6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe
1716	aoptiloc.exe
1792	6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe
1716	aoptiloc.exe
1792	6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe
1716	aoptiloc.exe
1792	6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe
1716	aoptiloc.exe
1792	6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe
1716	aoptiloc.exe
1792	6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe
1716	aoptiloc.exe
1792	6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe
1716	aoptiloc.exe
1792	6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe
1716	aoptiloc.exe
1792	6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe
1716	aoptiloc.exe
1792	6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe
1716	aoptiloc.exe
1792	6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe
1716	aoptiloc.exe
1792	6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe
1716	aoptiloc.exe
1792	6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe
1716	aoptiloc.exe
1792	6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe
1716	aoptiloc.exe
1792	6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe
1716	aoptiloc.exe
1792	6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe
1716	aoptiloc.exe
1792	6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe
1716	aoptiloc.exe
1792	6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe
1716	aoptiloc.exe
1792	6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe
1716	aoptiloc.exe
1792	6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe
1716	aoptiloc.exe
1792	6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe
1716	aoptiloc.exe
1792	6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe
1716	aoptiloc.exe
1792	6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 1716	1792	6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe	28
PID 1792 wrote to memory of 1716	1792	6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe	28
PID 1792 wrote to memory of 1716	1792	6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe	28
PID 1792 wrote to memory of 1716	1792	6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe	28

C:\Users\Admin\AppData\Local\Temp\6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe
"C:\Users\Admin\AppData\Local\Temp\6bcb6bf192457e642d23d855848a1569838e93ae2c24c63e34cfd62f20b87028.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1792
- C:\FilesLF\aoptiloc.exe
  C:\FilesLF\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintJ2\optixsys.exe

Filesize
4.1MB

MD5
245935de92400c28dc5209152331aace

SHA1
690e37470f2234631ed662afade947a0a2508ea2

SHA256
8b64914895502c685773ed72d39629e22f856b71e77fa64c5cb25611cc135c61

SHA512
0e73806f52dc10ac56dbcdf661ead1675cdc5f7ccd42c40c2ce495a8a08a4bdf455e09cef8666b626d446e600bc536db891d6bcfff2b7f80e94c3b15baf5c0b9

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
265e06a3d67179916bfb7bd31cff7eab

SHA1
95448039435630c2997fe68ddbc56c86fbcbae98

SHA256
46e0d62b10f433619c062132d35e5aeced09e805b20b9f57e848a3a24d564660

SHA512
110e00cf0eb55c2d7979d33b96f68a39b911884f64bf90b889c041c8ccb7aa28fecbc153d90b75b04d579c4780f8784044109892a14e211b05ffdd80fdac5749

Download Submit
\FilesLF\aoptiloc.exe

Filesize
4.1MB

MD5
c0dabe48f0048e1f7b266bc1fb74ffc9

SHA1
1f68f30a8b658c9b073a972cfee0e0f18f710614

SHA256
fafc45bf1f87652dc8cc0fa6e039994830c5d25b0e90b7b46b01b935c686cf97

SHA512
ae6e89d6e773cf2ed9c07380754fe6a5e3182adf12948f91061b904f15b07f37404e369bd447bb4b09df184987440f5c4a8d106424d2c74cf2dba8c56eccf2cd

Download Submit