Analysis
max time kernel: 119s
max time network: 105s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/07/2024, 03:09

Static task: static1

Behavioral task: behavioral1
  Sample: 3925fd9da556d26c0ef2e1c6577fd060N.exe
  Resource: win7-20240705-en

Behavioral task: behavioral2
  Sample: 3925fd9da556d26c0ef2e1c6577fd060N.exe
  Resource: win10v2004-20240709-en
General
Target: 3925fd9da556d26c0ef2e1c6577fd060N.exe
Size: 2.6MB
MD5: 3925fd9da556d26c0ef2e1c6577fd060
SHA1: b4ffe721246913ebe9ff7d277ceeaa72aed7a5e9
SHA256: eff2bee0b268751b4fd0c77715d9fa3f5bb820054ebf61bd5a73fac6da90aafc
SHA512: ee411911889511161c4cd2382e374ead742b6d4012858d85f2642924c85ff91c06a47a187916e7594552b31c9d23fc317c26c94a9890006a1a79a64834f5b78d
SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBc9w4S:+R0pI/IQlUoMPdmpSpi4
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
pid   Process
5084  aoptiloc.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description      ioc                                                                                                                                                   Process
Set value (str)  \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotTR\\aoptiloc.exe"     3925fd9da556d26c0ef2e1c6577fd060N.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxE6\\dobxsys.exe"    3925fd9da556d26c0ef2e1c6577fd060N.exe
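The two registry rows above are the most actionable part of this report: the sample writes the same value name (Parametr) under both HKU\...\Run and HKU\...\RunOnce, each pointing at a freshly created top-level folder (C:\UserDotTR\ and C:\GalaxE6\) rather than Program Files, Windows or the user's AppData, and only the first target (aoptiloc.exe) is seen executing in this task. The following script is an added example, not part of the sandbox report: it parses "Set value" rows in the shape the report prints, normalizes the \REGISTRY\USER hive prefix to HKU, and flags autorun entries whose target sits outside a trusted directory list, plus the Run/RunOnce pairing. The sample rows are constructed (two copied from the IoCs above, one benign OneDrive entry added for contrast), and the trusted-prefix list, the rule names and all function names are assumptions to tune per environment.

```python
import re
from collections import defaultdict

# Constructed sample rows in the shape the "Adds Run key to start application"
# signature prints above. The first two copy the report's own IoCs; the third
# is a constructed benign autorun (OneDrive under AppData) for contrast.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotTR\\aoptiloc.exe" 3925fd9da556d26c0ef2e1c6577fd060N.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxE6\\dobxsys.exe" 3925fd9da556d26c0ef2e1c6577fd060N.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background" explorer.exe',
]

# Row shape: Set value (<type>) <key>\<value name> = "<data>" <writing process>
EVENT_RE = re.compile(
    r'^Set value \(\w+\) (?P<key>\\REGISTRY\\\S+?)\\(?P<name>[^\\\s]+) = "(?P<data>.*)" (?P<proc>\S+)$'
)

RUN_SUFFIXES = (
    "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN",
    "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE",
)

# Assumption: autorun targets under these roots are treated as ordinary.
# Anything else, e.g. a fresh folder directly under C:\, is flagged.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
TRUSTED_USER_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I)


def normalize_hive(key):
    """Map the native \\REGISTRY\\USER / \\REGISTRY\\MACHINE prefixes to HKU / HKLM."""
    up = key.upper()
    if up.startswith("\\REGISTRY\\USER\\"):
        return "HKU" + key[len("\\REGISTRY\\USER"):]
    if up.startswith("\\REGISTRY\\MACHINE\\"):
        return "HKLM" + key[len("\\REGISTRY\\MACHINE"):]
    return key


def parse_event(line):
    """Return a dict for one 'Set value' row, or None if the row does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    data = m.group("data").replace("\\\\", "\\")  # the report doubles backslashes
    exe = re.match(r"^(.+?\.exe)(?:\s|$)", data, re.I)  # split off any arguments
    target = exe.group(1) if exe else data.split(" ", 1)[0]
    return {"key": normalize_hive(m.group("key")), "name": m.group("name"),
            "data": data, "target": target, "proc": m.group("proc")}


def is_run_key(key):
    return any(key.upper().endswith(s) for s in RUN_SUFFIXES)


def target_is_suspicious(target):
    t = target.lower()
    if TRUSTED_USER_RE.match(t):
        return False
    return not any(t.startswith(p) for p in TRUSTED_PREFIXES)


def analyze(lines):
    """Flag autorun targets outside trusted dirs and Run/RunOnce pairs by one process."""
    findings = []
    subkeys_by_proc_name = defaultdict(set)  # (process, value name) -> {Run, RunOnce}
    for line in lines:
        ev = parse_event(line)
        if not ev or not is_run_key(ev["key"]):
            continue
        subkey = ev["key"].rsplit("\\", 1)[1].lower()  # "run" or "runonce"
        subkeys_by_proc_name[(ev["proc"], ev["name"])].add(subkey)
        if target_is_suspicious(ev["target"]):
            findings.append({"rule": "autorun-outside-trusted-dirs", "key": ev["key"],
                             "name": ev["name"], "target": ev["target"], "proc": ev["proc"]})
    for (proc, name), subkeys in subkeys_by_proc_name.items():
        if {"run", "runonce"} <= subkeys:
            findings.append({"rule": "same-value-in-run-and-runonce", "name": name, "proc": proc})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed rows, this reports both dropped-file paths and the Parametr pairing, and stays silent on the OneDrive entry. The same parser can be pointed at rows copied out of a report like this one; for live hosts, the equivalent telemetry is Sysmon Event ID 13 (RegistryEvent, value set), which carries the same key, value name, data and image fields.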
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process
3188  3925fd9da556d26c0ef2e1c6577fd060N.exe
5084  aoptiloc.exe
(64 entries in total, alternating between the two processes above)
Suspicious use of WriteProcessMemory (3 IoCs)
description                       pid   Process                                procid_target
PID 3188 wrote to memory of 5084  3188  3925fd9da556d26c0ef2e1c6577fd060N.exe  86
(the same entry is recorded three times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\3925fd9da556d26c0ef2e1c6577fd060N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3925fd9da556d26c0ef2e1c6577fd060N.exe"
   PID: 3188
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\UserDotTR\aoptiloc.exe (child of PID 3188)
      Command line: C:\UserDotTR\aoptiloc.exe
      PID: 5084
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 25KB
  MD5: 026b5b3bccf5ba08eba11a75edf428a9
  SHA1: 985adb24f126dd515a736f15e0e0ef950d16074d
  SHA256: 16b103bb168152cc04e4001d70f47793753bccb663ae111930c81e7aeb1b3b74
  SHA512: cb6f00bffd6b94341601e36d76a2ab6cf2be99277668d045a37d5a02cc79635fb16b795cbae3578a7d30d2f3cb655c7bdca28503b445e3868e929c2854409c6e

File 2
  Filesize: 2.6MB
  MD5: e6024376302211cb7b05d0eb937dc370
  SHA1: 4eec186a26290aa7e2460e8800dffda51d74f9eb
  SHA256: f091466023d976c338c698861ab99863a43bc7f4b450a643b786988db61f1a23
  SHA512: 1844b5839cab0d130f55c0f7e5f80287ba64a2d2da9b0fc04817711f27d624f42e0ae8bcf6a338a69f086ae1f03cf844c7a1a30ee38106de2a5ebdc330b38cfb

File 3
  Filesize: 205B
  MD5: 75921ad89d384de3c517a473c27f7ac2
  SHA1: 62a7f7bab0e117bfde0efc5c92eb390da4ff5d01
  SHA256: d3aa4568019d8b7e6fa9e788732768546e62e1f09e9c819a86d67686b0c93023
  SHA512: 57161b2fdfa54ab9553d0666542da42cc78580e07075e60dabf9d609c47858943c462609c4b7204d9958af363713538f3294034f0f3e41f67f248ca40ee0028c