3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc

Analysis

max time kernel
149s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 20:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc.exe
Size

4.1MB
MD5

f23b6c38ca549e8a617e0d994a2e223f
SHA1

7e8f9da9e6d7d4829ccd96a235152749e57bde20
SHA256

3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc
SHA512

696aabe3ec4da5d2eb4457633ae2da93c6b0e180366071626b50222722583fea735ef939778f098df978d744c91f04e75a9bc9ab851cb5ed2f2c926e3b1ae062
SSDEEP

98304:+R0pI/IQlUoMPdmpSpR4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdm25n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2912	aoptiloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotVU\\aoptiloc.exe"	3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidMR\\bodxec.exe"	3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
220	3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc.exe
220	3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc.exe
220	3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc.exe
220	3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc.exe
2912	aoptiloc.exe
2912	aoptiloc.exe
220	3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc.exe
220	3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc.exe
2912	aoptiloc.exe
2912	aoptiloc.exe
220	3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc.exe
220	3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc.exe
2912	aoptiloc.exe
2912	aoptiloc.exe
220	3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc.exe
220	3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc.exe
2912	aoptiloc.exe
2912	aoptiloc.exe
220	3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc.exe
220	3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc.exe
2912	aoptiloc.exe
2912	aoptiloc.exe
220	3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc.exe
220	3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc.exe
2912	aoptiloc.exe
2912	aoptiloc.exe
220	3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc.exe
220	3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc.exe
2912	aoptiloc.exe
2912	aoptiloc.exe
220	3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc.exe
220	3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc.exe
2912	aoptiloc.exe
2912	aoptiloc.exe
220	3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc.exe
220	3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc.exe
2912	aoptiloc.exe
2912	aoptiloc.exe
220	3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc.exe
220	3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc.exe
2912	aoptiloc.exe
2912	aoptiloc.exe
220	3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc.exe
220	3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc.exe
2912	aoptiloc.exe
2912	aoptiloc.exe
220	3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc.exe
220	3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc.exe
2912	aoptiloc.exe
2912	aoptiloc.exe
220	3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc.exe
220	3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc.exe
2912	aoptiloc.exe
2912	aoptiloc.exe
220	3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc.exe
220	3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc.exe
2912	aoptiloc.exe
2912	aoptiloc.exe
220	3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc.exe
220	3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc.exe
2912	aoptiloc.exe
2912	aoptiloc.exe
220	3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc.exe
220	3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 2912	220	3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc.exe	90
PID 220 wrote to memory of 2912	220	3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc.exe	90
PID 220 wrote to memory of 2912	220	3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc.exe	90

C:\Users\Admin\AppData\Local\Temp\3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc.exe
"C:\Users\Admin\AppData\Local\Temp\3e99df557a0920bb7488a4a41af20aa1a28abc70ea812dc6f1ee73d7ba9226dc.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:220
- C:\UserDotVU\aoptiloc.exe
  C:\UserDotVU\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotVU\aoptiloc.exe

Filesize
4.1MB

MD5
85a31f4f832a51f7ffdd916f956b3ce9

SHA1
b13cbd4f8b70fe118aabcf2fb44fe03553e4847c

SHA256
a30d914974fd705424c531c025edecf0d3a384d55cc15c3e3c3feaee5c45ec7b

SHA512
5f23e115916871d32aa85a691776aa070328a910244b837b0e60f74ce40c1759b411d698cdbe9016950ccd72ea9b1d3b99f6cf9e17dd515ca25a2b8c8c81d716

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
9bbe0a5f5e77f3f503fa14d4387d549a

SHA1
08d01e341dd91ce0864ca99b2f66de6837128714

SHA256
d8d77c9bc67bdc74d471f03a014ba1484eb8410cf564b64e6e66e058552836dc

SHA512
b8530fb0c5ca67a6ee34046c2955a9c97a281d39fc104804f30661ac05f627419f4916ffede139c0e4148136372fa0323034078433982143e4f26bc92e24944b

Download Submit
C:\VidMR\bodxec.exe

Filesize
4.1MB

MD5
a58755773076d31d9206346075dfd8e3

SHA1
203d9a6f828a76dcd18ec7e4849b30f5ca9b575e

SHA256
a79217e01a4c1df726764601311c4239f9d08eb0be9ffaff3566225143ad81b3

SHA512
8d513a2e76f5b8d6c992ab6fd8cdd3999597dfde546421f7efb6ccfb16a933e7f5c58efdd62a662d8279e08b91bbbf66d4144b972557bba857e9aaa7a3715bed

Download Submit