bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce

Analysis

max time kernel
149s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce.exe
Size

4.1MB
MD5

ff63ab83b36fb8cffcf4116b48abaa2b
SHA1

06f7535e524bdd93bfd7e49131ce746c60438ff7
SHA256

bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce
SHA512

eb7bb395aab5dc5d241c166047b5f64c10fccc0b16a541d84bb0e2e3dd38d98226c33550d67de1d1cf5b1a87b7814bc799e83dd79768f462735ca66fc709ac95
SSDEEP

98304:+R0pI/IQlUoMPdmpSp/4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdm45n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3212	aoptiloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesEO\\aoptiloc.exe"	bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintRH\\dobaec.exe"	bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4488	bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce.exe
4488	bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce.exe
4488	bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce.exe
4488	bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce.exe
3212	aoptiloc.exe
3212	aoptiloc.exe
4488	bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce.exe
4488	bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce.exe
3212	aoptiloc.exe
3212	aoptiloc.exe
4488	bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce.exe
4488	bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce.exe
3212	aoptiloc.exe
3212	aoptiloc.exe
4488	bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce.exe
4488	bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce.exe
3212	aoptiloc.exe
3212	aoptiloc.exe
4488	bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce.exe
4488	bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce.exe
3212	aoptiloc.exe
3212	aoptiloc.exe
4488	bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce.exe
4488	bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce.exe
3212	aoptiloc.exe
3212	aoptiloc.exe
4488	bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce.exe
4488	bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce.exe
3212	aoptiloc.exe
3212	aoptiloc.exe
4488	bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce.exe
4488	bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce.exe
3212	aoptiloc.exe
3212	aoptiloc.exe
4488	bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce.exe
4488	bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce.exe
3212	aoptiloc.exe
3212	aoptiloc.exe
4488	bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce.exe
4488	bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce.exe
3212	aoptiloc.exe
3212	aoptiloc.exe
4488	bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce.exe
4488	bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce.exe
3212	aoptiloc.exe
3212	aoptiloc.exe
4488	bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce.exe
4488	bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce.exe
3212	aoptiloc.exe
3212	aoptiloc.exe
4488	bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce.exe
4488	bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce.exe
3212	aoptiloc.exe
3212	aoptiloc.exe
4488	bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce.exe
4488	bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce.exe
3212	aoptiloc.exe
3212	aoptiloc.exe
4488	bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce.exe
4488	bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce.exe
3212	aoptiloc.exe
3212	aoptiloc.exe
4488	bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce.exe
4488	bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4488 wrote to memory of 3212	4488	bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce.exe	83
PID 4488 wrote to memory of 3212	4488	bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce.exe	83
PID 4488 wrote to memory of 3212	4488	bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce.exe	83

C:\Users\Admin\AppData\Local\Temp\bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce.exe
"C:\Users\Admin\AppData\Local\Temp\bab739393e1415d2796132f41af291978efc8eb901e2cfc5a94b1e3ed46892ce.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4488
- C:\FilesEO\aoptiloc.exe
  C:\FilesEO\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesEO\aoptiloc.exe

Filesize
4.1MB

MD5
230aeb6b2dd872ca4e8b36ee8f908992

SHA1
9b6b03b45af7c4e1bf91ca2351b30d9ad4077c45

SHA256
bc6cce674356e6fd7395661343794fc45c3290e4903d1d9c71df7e1e33d3c279

SHA512
759cbac661d36fa792c7f8888085267c4922af5247e0b3c9f1cd9dc94ee3903b793b6ad4cf26b742b35d79696d9f6e02ca778d882743b12d480a1c8e8475303b

Download Submit
C:\MintRH\dobaec.exe

Filesize
130KB

MD5
b83d4b4481fe3378c219e626eef3f39c

SHA1
d336fab8ca6efae713239a5fd2fefb47dfb9a94a

SHA256
88efb85cdce95251a7fa6a604794474f60dd755673c407ad60f46a047f95b29a

SHA512
3e8e29045e1ad9f3a388d7a20809cafda7607189036f6bdd4400c1acc8e0ebac04f15aa38f31bde9eea8bffeeaee444def6889cb758dc3427ac8971af5b32d16

Download Submit
C:\MintRH\dobaec.exe

Filesize
4.1MB

MD5
25e612677166da34d1b1339512dddf01

SHA1
908add4edc2f3bd3ecdef343a38563cadfb808c8

SHA256
a19365f67915926488fb1e4cc26be3b26f71f5233a7393ef84bd20e9d547c820

SHA512
2a45e48db5977b4b9ac85ec74a644780fd251ee66d4a009267a9b2a3ec1e82805f1cc13b04354b3f4cbd214ec4fbcce3b693d4cccfdba55a8ef3b2153935fc83

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
419d368aa1390aee4de1307ef6e291c2

SHA1
248a1bf631f372c67d10c2c6b29f9525568635e7

SHA256
198ecb7adedbd71f5e5481b0b5774c3abaa73391a75b80d46dd6a93163f04e01

SHA512
48ab0d62c34e343313540a610e284955a128c4f0f70af69f110e9cbd69723609a712902842ef5f4541d712308986196ffaaa978c151aaa3ddc2fb03820ac39ae

Download Submit