e3ec2c90684a479746ffee035ebd400f68d80aa749af1bdece3b82777b00a528

Analysis

max time kernel
119s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 04:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

31e86f36b8c54788725bd0497ad3d7e0N.exe
Size

4.1MB
MD5

31e86f36b8c54788725bd0497ad3d7e0
SHA1

426d8882a256d8b6dfd18bdbba6ac42e53510865
SHA256

e3ec2c90684a479746ffee035ebd400f68d80aa749af1bdece3b82777b00a528
SHA512

a851eaa05d4bc9420e56ad583b82a1bda8370b095b144414fd3f9cceed268e25a4bdd8e8dfccfb1ca1473896a2818bc3e7ac143b6e51a87c1cae90768dfae80a
SSDEEP

98304:+R0pI/IQlUoMPdmpSpU4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmX5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4380	aoptiloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files88\\aoptiloc.exe"	31e86f36b8c54788725bd0497ad3d7e0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZR4\\optiasys.exe"	31e86f36b8c54788725bd0497ad3d7e0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3768	31e86f36b8c54788725bd0497ad3d7e0N.exe
3768	31e86f36b8c54788725bd0497ad3d7e0N.exe
3768	31e86f36b8c54788725bd0497ad3d7e0N.exe
3768	31e86f36b8c54788725bd0497ad3d7e0N.exe
4380	aoptiloc.exe
4380	aoptiloc.exe
3768	31e86f36b8c54788725bd0497ad3d7e0N.exe
3768	31e86f36b8c54788725bd0497ad3d7e0N.exe
4380	aoptiloc.exe
4380	aoptiloc.exe
3768	31e86f36b8c54788725bd0497ad3d7e0N.exe
3768	31e86f36b8c54788725bd0497ad3d7e0N.exe
4380	aoptiloc.exe
4380	aoptiloc.exe
3768	31e86f36b8c54788725bd0497ad3d7e0N.exe
3768	31e86f36b8c54788725bd0497ad3d7e0N.exe
4380	aoptiloc.exe
4380	aoptiloc.exe
3768	31e86f36b8c54788725bd0497ad3d7e0N.exe
3768	31e86f36b8c54788725bd0497ad3d7e0N.exe
4380	aoptiloc.exe
4380	aoptiloc.exe
3768	31e86f36b8c54788725bd0497ad3d7e0N.exe
3768	31e86f36b8c54788725bd0497ad3d7e0N.exe
4380	aoptiloc.exe
4380	aoptiloc.exe
3768	31e86f36b8c54788725bd0497ad3d7e0N.exe
3768	31e86f36b8c54788725bd0497ad3d7e0N.exe
4380	aoptiloc.exe
4380	aoptiloc.exe
3768	31e86f36b8c54788725bd0497ad3d7e0N.exe
3768	31e86f36b8c54788725bd0497ad3d7e0N.exe
4380	aoptiloc.exe
4380	aoptiloc.exe
3768	31e86f36b8c54788725bd0497ad3d7e0N.exe
3768	31e86f36b8c54788725bd0497ad3d7e0N.exe
4380	aoptiloc.exe
4380	aoptiloc.exe
3768	31e86f36b8c54788725bd0497ad3d7e0N.exe
3768	31e86f36b8c54788725bd0497ad3d7e0N.exe
4380	aoptiloc.exe
4380	aoptiloc.exe
3768	31e86f36b8c54788725bd0497ad3d7e0N.exe
3768	31e86f36b8c54788725bd0497ad3d7e0N.exe
4380	aoptiloc.exe
4380	aoptiloc.exe
3768	31e86f36b8c54788725bd0497ad3d7e0N.exe
3768	31e86f36b8c54788725bd0497ad3d7e0N.exe
4380	aoptiloc.exe
4380	aoptiloc.exe
3768	31e86f36b8c54788725bd0497ad3d7e0N.exe
3768	31e86f36b8c54788725bd0497ad3d7e0N.exe
4380	aoptiloc.exe
4380	aoptiloc.exe
3768	31e86f36b8c54788725bd0497ad3d7e0N.exe
3768	31e86f36b8c54788725bd0497ad3d7e0N.exe
4380	aoptiloc.exe
4380	aoptiloc.exe
3768	31e86f36b8c54788725bd0497ad3d7e0N.exe
3768	31e86f36b8c54788725bd0497ad3d7e0N.exe
4380	aoptiloc.exe
4380	aoptiloc.exe
3768	31e86f36b8c54788725bd0497ad3d7e0N.exe
3768	31e86f36b8c54788725bd0497ad3d7e0N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3768 wrote to memory of 4380	3768	31e86f36b8c54788725bd0497ad3d7e0N.exe	88
PID 3768 wrote to memory of 4380	3768	31e86f36b8c54788725bd0497ad3d7e0N.exe	88
PID 3768 wrote to memory of 4380	3768	31e86f36b8c54788725bd0497ad3d7e0N.exe	88

C:\Users\Admin\AppData\Local\Temp\31e86f36b8c54788725bd0497ad3d7e0N.exe
"C:\Users\Admin\AppData\Local\Temp\31e86f36b8c54788725bd0497ad3d7e0N.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3768
- C:\Files88\aoptiloc.exe
  C:\Files88\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files88\aoptiloc.exe

Filesize
4.1MB

MD5
2f0aab43359600847403d796878e75c1

SHA1
d9dc7ef36dc499b55cb7f2404f1f0da5d51fe3d3

SHA256
f8896939eda209a4e8dfea8f347b1d9c40a491a4ae5c6995ac9e129ba722bf64

SHA512
0ea1d3495256cb8de87a97ef805e1965f2da54de99e5fed3363b316a4cbc5fdb37127f85a6131a8f437c277b6c2924f41ad3b6c085de34b6a4010e1949fb07a4

Download Submit
C:\LabZR4\optiasys.exe

Filesize
4.1MB

MD5
69e0806984bf294f1d479bce7f73950e

SHA1
f57bd98c56b9a7f86fbcb65a5f3d602a6dc5485a

SHA256
0d4cb95c9961c805247ecd554ebab26fa647310c395fe60fb8d2a32c5143400f

SHA512
b32413c7cfc288894a3c511cf377accbb9ecafd68a242d5e502d57a56087eb4a1a3c6ca4a005dc9bad047ac293707c15db939fa5d1d2920115d845857005dfe1

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
53e0c43df5766e076a548edd9433dbd6

SHA1
c0c8221311058393ce2c05554de17fa121123c61

SHA256
5fd39544b5a88cc3a7a943b7e9b359d431dd772427036c6edee9c268e791eb09

SHA512
710457f66fe81b612aa59e9cc512b60e9066954e964842d12d6ef80894d948f686441ef02def47ca4d41060bd768bd1878e589a547a0142f7ac8d2111c29ac54

Download Submit