c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f

Analysis

max time kernel
149s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11-07-2024 05:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f.exe
Size

2.7MB
MD5

6e8824e96e5ba1fe3ce8f37624e0eab8
SHA1

db80266fe1bf57c06897c2b7c4e4dc4f04d289fc
SHA256

c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f
SHA512

c6e30488a3c4668ed44df2fafdcca4b881fb7a59ea73384845ea6cb576c95fb27df289a5a42dbf5bd1dbeab2d990cda66f811cf51cb787ea2470b030f81ce5db
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBS9w4Sx:+R0pI/IQlUoMPdmpSpw4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4928	aoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvNO\\aoptisys.exe"	c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidHU\\optidevec.exe"	c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4812	c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f.exe
4812	c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f.exe
4812	c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f.exe
4812	c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f.exe
4928	aoptisys.exe
4928	aoptisys.exe
4812	c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f.exe
4812	c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f.exe
4928	aoptisys.exe
4928	aoptisys.exe
4812	c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f.exe
4812	c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f.exe
4928	aoptisys.exe
4928	aoptisys.exe
4812	c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f.exe
4812	c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f.exe
4928	aoptisys.exe
4928	aoptisys.exe
4812	c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f.exe
4812	c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f.exe
4928	aoptisys.exe
4928	aoptisys.exe
4812	c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f.exe
4812	c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f.exe
4928	aoptisys.exe
4928	aoptisys.exe
4812	c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f.exe
4812	c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f.exe
4928	aoptisys.exe
4928	aoptisys.exe
4812	c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f.exe
4812	c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f.exe
4928	aoptisys.exe
4928	aoptisys.exe
4812	c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f.exe
4812	c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f.exe
4928	aoptisys.exe
4928	aoptisys.exe
4812	c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f.exe
4812	c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f.exe
4928	aoptisys.exe
4928	aoptisys.exe
4812	c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f.exe
4812	c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f.exe
4928	aoptisys.exe
4928	aoptisys.exe
4812	c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f.exe
4812	c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f.exe
4928	aoptisys.exe
4928	aoptisys.exe
4812	c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f.exe
4812	c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f.exe
4928	aoptisys.exe
4928	aoptisys.exe
4812	c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f.exe
4812	c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f.exe
4928	aoptisys.exe
4928	aoptisys.exe
4812	c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f.exe
4812	c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f.exe
4928	aoptisys.exe
4928	aoptisys.exe
4812	c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f.exe
4812	c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 4928	4812	c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f.exe	86
PID 4812 wrote to memory of 4928	4812	c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f.exe	86
PID 4812 wrote to memory of 4928	4812	c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f.exe	86

C:\Users\Admin\AppData\Local\Temp\c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f.exe
"C:\Users\Admin\AppData\Local\Temp\c90c6a0defb5450a7d1865f710bae626e31259bf1560f4a2db8ef116c5c6a81f.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4812
- C:\SysDrvNO\aoptisys.exe
  C:\SysDrvNO\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\SysDrvNO\aoptisys.exe

Filesize
2.7MB

MD5
36da5b8dcdeefc937ff9d1458faf7d8d

SHA1
799baeae311d7d2b25428970eaf3aeea613cf751

SHA256
005f75c5faf81927f31540074a9c02b95796629d62006f8ab3b4a16fee178b1e

SHA512
2821488fca309eec8328d6f2e77e89093ee56052afd44d4346fd9eac8ae965e1631de2df6100af9d30592a0c9db76bc4cd1cc52a1faf8ec7737888e3e8d077cf

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
0abb1e6046fa40d5ee17bede15dfb811

SHA1
6e2d05c1ed322f307b09ba749ffb9a374518c046

SHA256
d7181b95fdeeb62c994d04ead1b36bc485830575b0a2ce7e5f993709c3532ce7

SHA512
7fe616e722ccae869f5f15de9f41351f02fa40e5452daf560750e33c4f9241a333c67201234567fa4431b1448c2d7948e3232f54ce0ab13070a05c138b371d13

Download Submit
C:\VidHU\optidevec.exe

Filesize
848KB

MD5
cf56933a497111720b21a72a26a26170

SHA1
fca91861d48c6c6fd7ee78215401b4e925cc8b35

SHA256
8fbcbcd3e3aeb55214ecdd2c3470a3e9b8a5147a612cad01876617d3c35e7d66

SHA512
ff8c79f2b3664edf04c49195252f5ee24bc5c24dee5426081d747bae2fa413ab76f1eb4e1a49729d5d49fbdd1a14588df12a1f69e028a9abcae90df2a59a2eb4

Download Submit
C:\VidHU\optidevec.exe

Filesize
2.7MB

MD5
843789a777f054ea5a2fdbed24295df4

SHA1
481d836cfd8fc2fa3583ab9eaf9d00ae8de8dcd2

SHA256
815e7dbacfac3702e5da220273bad56586ea19f8e05cb572559afd04ebf8b347

SHA512
48e851732aca3dd49c3679ae11ddf27b88dcc7878dddffcd63783050fc5b2191559e52f26bb35aa1a7c3419f4be980f9d95de68cb82d8c0047409068d2d85172

Download Submit