e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 07:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe
Size

4.1MB
MD5

2c71610a8af94a64842addc2fc1baff7
SHA1

f45f3090f9746115c015532e349caa4698bffb59
SHA256

e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943
SHA512

634dc913e929f705da619d5fd8ad773421f0578e0ef92a5e0f101c958a31b81eaf88aa023927c8cda4d303bd63519fbdecae51cb705669ec1c665b21dfc97aab
SSDEEP

98304:+R0pI/IQlUoMPdmpSpZ4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmO5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2200	aoptiloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2584	e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot7R\\aoptiloc.exe"	e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxKK\\bodasys.exe"	e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2584	e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe
2584	e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe
2200	aoptiloc.exe
2584	e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe
2200	aoptiloc.exe
2584	e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe
2200	aoptiloc.exe
2584	e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe
2200	aoptiloc.exe
2584	e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe
2200	aoptiloc.exe
2584	e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe
2200	aoptiloc.exe
2584	e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe
2200	aoptiloc.exe
2584	e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe
2200	aoptiloc.exe
2584	e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe
2200	aoptiloc.exe
2584	e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe
2200	aoptiloc.exe
2584	e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe
2200	aoptiloc.exe
2584	e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe
2200	aoptiloc.exe
2584	e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe
2200	aoptiloc.exe
2584	e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe
2200	aoptiloc.exe
2584	e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe
2200	aoptiloc.exe
2584	e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe
2200	aoptiloc.exe
2584	e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe
2200	aoptiloc.exe
2584	e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe
2200	aoptiloc.exe
2584	e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe
2200	aoptiloc.exe
2584	e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe
2200	aoptiloc.exe
2584	e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe
2200	aoptiloc.exe
2584	e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe
2200	aoptiloc.exe
2584	e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe
2200	aoptiloc.exe
2584	e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe
2200	aoptiloc.exe
2584	e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe
2200	aoptiloc.exe
2584	e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe
2200	aoptiloc.exe
2584	e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe
2200	aoptiloc.exe
2584	e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe
2200	aoptiloc.exe
2584	e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe
2200	aoptiloc.exe
2584	e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe
2200	aoptiloc.exe
2584	e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe
2200	aoptiloc.exe
2584	e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 2200	2584	e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe	30
PID 2584 wrote to memory of 2200	2584	e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe	30
PID 2584 wrote to memory of 2200	2584	e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe	30
PID 2584 wrote to memory of 2200	2584	e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe	30

C:\Users\Admin\AppData\Local\Temp\e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe
"C:\Users\Admin\AppData\Local\Temp\e8111e1716ee38bc5218cd7d3efd97e0fbc00a479ecb29e5eeb94131da2fb943.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2584
- C:\UserDot7R\aoptiloc.exe
  C:\UserDot7R\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxKK\bodasys.exe

Filesize
4.1MB

MD5
9b0b415898b6c8f501dd4d1b31564c2d

SHA1
9a6737cd98b4bda556b2818f4a417b721331787b

SHA256
999f7beeae8e7043748c84406508de89b7a2a0c15298b45ec211d63addcbae1a

SHA512
d4504e9f4c57f00d6e667cfc87ff2888f5300f7e3ebae2dc06b6c81cfa5c9f3b5be10a547af988e87ff7dbc06027fb97b52b0a397ee3fbb61dd56203c2346f5c

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
b2a77e50949287751bc3d1fb65f7bfce

SHA1
873f9b223f8c1d146497f76d94b6d25cdcaa0a71

SHA256
21a09cdb5cbc1733691d30e8fd06ce613bfad74cafaa669b7ec9438880153a92

SHA512
183d3a93d35d7cc3a0c176b02d9ca288d6d619971254e98716ea97dbde70754f6b2c86aa3a7ec2e69b43caf2aa5d4757e0d39319ce739f8ff0763f76ae8c6a67

Download Submit
\UserDot7R\aoptiloc.exe

Filesize
4.1MB

MD5
d3969ac7dd9a0470fbf88205c4253602

SHA1
dbcff36595a8a5dc3294714dfe7fb75a847918e6

SHA256
f0c9fdfbf305f77d058c57418362b362433472ccc38acc9ac9c71333348947d8

SHA512
a9be274c8c208cd6981a960bf5861d49d60c8ed8d7f99071d3f8aeb81150c08c2169cee344a396435783d494398e2106e7201906471ef67e0ddd5105a8629958

Download Submit