858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
Size

2.7MB
MD5

4a0b7dff0f067d6fc86f463ece62b17b
SHA1

4dfbd56823e5b9b8df86748dea260cd75fdc8583
SHA256

858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965
SHA512

0a21551d2c5b0b917ea455464b0aa5e9ea45b83e01dc203b77d5bc4451c51540f64880e21decc9dc9a7c74728b28e79bcabc67d10e16d7e435d02cde4bf7b851
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBj9w4Sx:+R0pI/IQlUoMPdmpSpD4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3048	aoptiloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2972	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotUE\\aoptiloc.exe"	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBG8\\optidevloc.exe"	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2972	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
2972	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
3048	aoptiloc.exe
2972	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
3048	aoptiloc.exe
2972	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
3048	aoptiloc.exe
2972	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
3048	aoptiloc.exe
2972	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
3048	aoptiloc.exe
2972	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
3048	aoptiloc.exe
2972	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
3048	aoptiloc.exe
2972	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
3048	aoptiloc.exe
2972	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
3048	aoptiloc.exe
2972	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
3048	aoptiloc.exe
2972	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
3048	aoptiloc.exe
2972	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
3048	aoptiloc.exe
2972	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
3048	aoptiloc.exe
2972	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
3048	aoptiloc.exe
2972	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
3048	aoptiloc.exe
2972	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
3048	aoptiloc.exe
2972	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
3048	aoptiloc.exe
2972	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
3048	aoptiloc.exe
2972	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
3048	aoptiloc.exe
2972	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
3048	aoptiloc.exe
2972	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
3048	aoptiloc.exe
2972	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
3048	aoptiloc.exe
2972	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
3048	aoptiloc.exe
2972	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
3048	aoptiloc.exe
2972	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
3048	aoptiloc.exe
2972	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
3048	aoptiloc.exe
2972	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
3048	aoptiloc.exe
2972	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
3048	aoptiloc.exe
2972	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
3048	aoptiloc.exe
2972	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
3048	aoptiloc.exe
2972	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
3048	aoptiloc.exe
2972	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 3048	2972	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe	28
PID 2972 wrote to memory of 3048	2972	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe	28
PID 2972 wrote to memory of 3048	2972	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe	28
PID 2972 wrote to memory of 3048	2972	858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe	28

C:\Users\Admin\AppData\Local\Temp\858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe
"C:\Users\Admin\AppData\Local\Temp\858714dfa0a2a2c005b36c914ad1fa7231b3648e71e1189e964529d81ccce965.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2972
- C:\UserDotUE\aoptiloc.exe
  C:\UserDotUE\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBG8\optidevloc.exe

Filesize
14KB

MD5
b3a6d3620688000efd050884caf27886

SHA1
6f106d486a317188fe524044dfcadf0db24ba317

SHA256
287fc731de245d030e33849e020d75ce54eab1b694e517dfff01c594beaf5728

SHA512
fd813248ebd8b1ad1512e466a37c24005107be899404ebda1d65d3016441b3cc429b4bd11af0ffc52085297a92e5591150e67a9d6ce2f7ccc433b60759542131

Download Submit
C:\KaVBG8\optidevloc.exe

Filesize
2.7MB

MD5
5a7f9ccf94fcaac22b8e66b92c8c3186

SHA1
e639bf47ed25553801dcf2baa1ebaca1aeafc6a9

SHA256
4285ac52f4a4940cebc0415d211967434f010fae31216205d45a020bd10677bb

SHA512
9acc0d50d4821723ad210d4b48802f89e0c685df0bb877a5bc3a0fd606dbc0fff034e0f75af3e76a045e1b0a10bfebe6b510d78f5bea6aeb9e7335dacee77167

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
209B

MD5
b0aac2ecbc2e9bbc17ddbe0d54779a69

SHA1
944820c83758d853091751135f4d31efb9616b3f

SHA256
69148a6fe7780a1068479717b60d858618d10d466e7562887061a8f1ae92218f

SHA512
dd86bfca938d03d9433a71f5cb3654fc65250d24d04b76d76d66b1ba2fce9ab0140985709a6f026d56ba6ce07e6195401b60ffe0018cd821b414195bcef129c0

Download Submit
\UserDotUE\aoptiloc.exe

Filesize
2.7MB

MD5
f886ba883044c925ab9ba07e65a255db

SHA1
2f958ff1f242cabb539deb419699756bef0a3358

SHA256
cbb0b2c57931f627864be6c3a9124d58e35816bc3fcc9b8d1b742596f6b09908

SHA512
7c0721654e4ee3b8ffc79acbbfb92141a5ff6b0ed784fd1ee974502a7eb10f20b8dd8d782ad60360ec86249570b5d1a4447cfde73226b8e0bc7f85ce9b4748ac

Download Submit