74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 23:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069.exe
Size

4.1MB
MD5

673e2e1613e0c6216b3685214ff17a8c
SHA1

71fd0e478a580de1171b3ca608089ef3da1b3079
SHA256

74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069
SHA512

4a45cfd7a337e7c2543f6cdcd65890331ed414dc8a12d163eb602ce9f5c22edfee7bb6eea9f244b73e908ec84536a5ea9b427dcf079f42312c87247c71f58aa9
SSDEEP

98304:+R0pI/IQlUoMPdmpSpn4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmg5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2248	aoptiec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobePQ\\aoptiec.exe"	74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZAA\\optiasys.exe"	74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
400	74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069.exe
400	74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069.exe
400	74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069.exe
400	74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069.exe
2248	aoptiec.exe
2248	aoptiec.exe
400	74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069.exe
400	74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069.exe
2248	aoptiec.exe
2248	aoptiec.exe
400	74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069.exe
400	74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069.exe
2248	aoptiec.exe
2248	aoptiec.exe
400	74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069.exe
400	74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069.exe
2248	aoptiec.exe
2248	aoptiec.exe
400	74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069.exe
400	74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069.exe
2248	aoptiec.exe
2248	aoptiec.exe
400	74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069.exe
400	74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069.exe
2248	aoptiec.exe
2248	aoptiec.exe
400	74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069.exe
400	74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069.exe
2248	aoptiec.exe
2248	aoptiec.exe
400	74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069.exe
400	74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069.exe
2248	aoptiec.exe
2248	aoptiec.exe
400	74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069.exe
400	74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069.exe
2248	aoptiec.exe
2248	aoptiec.exe
400	74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069.exe
400	74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069.exe
2248	aoptiec.exe
2248	aoptiec.exe
400	74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069.exe
400	74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069.exe
2248	aoptiec.exe
2248	aoptiec.exe
400	74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069.exe
400	74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069.exe
2248	aoptiec.exe
2248	aoptiec.exe
400	74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069.exe
400	74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069.exe
2248	aoptiec.exe
2248	aoptiec.exe
400	74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069.exe
400	74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069.exe
2248	aoptiec.exe
2248	aoptiec.exe
400	74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069.exe
400	74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069.exe
2248	aoptiec.exe
2248	aoptiec.exe
400	74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069.exe
400	74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 2248	400	74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069.exe	93
PID 400 wrote to memory of 2248	400	74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069.exe	93
PID 400 wrote to memory of 2248	400	74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069.exe	93

C:\Users\Admin\AppData\Local\Temp\74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069.exe
"C:\Users\Admin\AppData\Local\Temp\74737cbf6bacc3f8d2616bfb280c3a39bfb19487657d19618d2bf7a82df98069.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:400
- C:\AdobePQ\aoptiec.exe
  C:\AdobePQ\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4184,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4232 /prefetch:8
1⤵
PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobePQ\aoptiec.exe

Filesize
4.1MB

MD5
8b218d9b77345b998e39c690fd660946

SHA1
c0f52bb1681d8fad04520b141bb757fc193c4a83

SHA256
a999a4c6c1152e999fc4a652124b2f9355b87f38e40d29df1159e658115a2c19

SHA512
12c220b56ec9d65fa67834ca9bb5c991c568b15c01e07ac639875947720eec29c7a6279721f281ec12455f730481eaba2caf9934820a63e2a1b4d63bf378d72a

Download Submit
C:\LabZAA\optiasys.exe

Filesize
235KB

MD5
f1cbff9979bde9eb6f70ec419238c97c

SHA1
e50ce052f38d809d82b8f4257fb1089e9f7d0799

SHA256
6e2a40971b3b4e3c7573e90e05805b719ee820848b243f6d0ee0945f160742df

SHA512
2248ccedc7d1fde4efba3faab8f046237f3cc94e1861a70b1c04a6fefd427e6f4368802c6d06ece96487f165b8053558289cfce2f5072e6f994de7aa3782c2e2

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
917d3f15160ac2cff2008eb2b316fd47

SHA1
1023f808e71cda2e164bc61ef0674676da4de546

SHA256
b5568f31dde9b9de9cf2399aa11cd2fbef1dbc7e948be85213ec3d4ea2e60ee8

SHA512
f8d1e16fcdcd6653f8dd565514a71e91845ddd47d9a20a8430159f40e87558aee3f7f8eac301461745240755d6ae82c90e9774383606054c689996e152d9188c

Download Submit