eff2bee0b268751b4fd0c77715d9fa3f5bb820054ebf61bd5a73fac6da90aafc

Analysis

max time kernel
119s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3925fd9da556d26c0ef2e1c6577fd060N.exe
Size

2.6MB
MD5

3925fd9da556d26c0ef2e1c6577fd060
SHA1

b4ffe721246913ebe9ff7d277ceeaa72aed7a5e9
SHA256

eff2bee0b268751b4fd0c77715d9fa3f5bb820054ebf61bd5a73fac6da90aafc
SHA512

ee411911889511161c4cd2382e374ead742b6d4012858d85f2642924c85ff91c06a47a187916e7594552b31c9d23fc317c26c94a9890006a1a79a64834f5b78d
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBc9w4S:+R0pI/IQlUoMPdmpSpi4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5084	aoptiloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotTR\\aoptiloc.exe"	3925fd9da556d26c0ef2e1c6577fd060N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxE6\\dobxsys.exe"	3925fd9da556d26c0ef2e1c6577fd060N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3188	3925fd9da556d26c0ef2e1c6577fd060N.exe
3188	3925fd9da556d26c0ef2e1c6577fd060N.exe
3188	3925fd9da556d26c0ef2e1c6577fd060N.exe
3188	3925fd9da556d26c0ef2e1c6577fd060N.exe
5084	aoptiloc.exe
5084	aoptiloc.exe
3188	3925fd9da556d26c0ef2e1c6577fd060N.exe
3188	3925fd9da556d26c0ef2e1c6577fd060N.exe
5084	aoptiloc.exe
5084	aoptiloc.exe
3188	3925fd9da556d26c0ef2e1c6577fd060N.exe
3188	3925fd9da556d26c0ef2e1c6577fd060N.exe
5084	aoptiloc.exe
5084	aoptiloc.exe
3188	3925fd9da556d26c0ef2e1c6577fd060N.exe
3188	3925fd9da556d26c0ef2e1c6577fd060N.exe
5084	aoptiloc.exe
5084	aoptiloc.exe
3188	3925fd9da556d26c0ef2e1c6577fd060N.exe
3188	3925fd9da556d26c0ef2e1c6577fd060N.exe
5084	aoptiloc.exe
5084	aoptiloc.exe
3188	3925fd9da556d26c0ef2e1c6577fd060N.exe
3188	3925fd9da556d26c0ef2e1c6577fd060N.exe
5084	aoptiloc.exe
5084	aoptiloc.exe
3188	3925fd9da556d26c0ef2e1c6577fd060N.exe
3188	3925fd9da556d26c0ef2e1c6577fd060N.exe
5084	aoptiloc.exe
5084	aoptiloc.exe
3188	3925fd9da556d26c0ef2e1c6577fd060N.exe
3188	3925fd9da556d26c0ef2e1c6577fd060N.exe
5084	aoptiloc.exe
5084	aoptiloc.exe
3188	3925fd9da556d26c0ef2e1c6577fd060N.exe
3188	3925fd9da556d26c0ef2e1c6577fd060N.exe
5084	aoptiloc.exe
5084	aoptiloc.exe
3188	3925fd9da556d26c0ef2e1c6577fd060N.exe
3188	3925fd9da556d26c0ef2e1c6577fd060N.exe
5084	aoptiloc.exe
5084	aoptiloc.exe
3188	3925fd9da556d26c0ef2e1c6577fd060N.exe
3188	3925fd9da556d26c0ef2e1c6577fd060N.exe
5084	aoptiloc.exe
5084	aoptiloc.exe
3188	3925fd9da556d26c0ef2e1c6577fd060N.exe
3188	3925fd9da556d26c0ef2e1c6577fd060N.exe
5084	aoptiloc.exe
5084	aoptiloc.exe
3188	3925fd9da556d26c0ef2e1c6577fd060N.exe
3188	3925fd9da556d26c0ef2e1c6577fd060N.exe
5084	aoptiloc.exe
5084	aoptiloc.exe
3188	3925fd9da556d26c0ef2e1c6577fd060N.exe
3188	3925fd9da556d26c0ef2e1c6577fd060N.exe
5084	aoptiloc.exe
5084	aoptiloc.exe
3188	3925fd9da556d26c0ef2e1c6577fd060N.exe
3188	3925fd9da556d26c0ef2e1c6577fd060N.exe
5084	aoptiloc.exe
5084	aoptiloc.exe
3188	3925fd9da556d26c0ef2e1c6577fd060N.exe
3188	3925fd9da556d26c0ef2e1c6577fd060N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3188 wrote to memory of 5084	3188	3925fd9da556d26c0ef2e1c6577fd060N.exe	86
PID 3188 wrote to memory of 5084	3188	3925fd9da556d26c0ef2e1c6577fd060N.exe	86
PID 3188 wrote to memory of 5084	3188	3925fd9da556d26c0ef2e1c6577fd060N.exe	86

C:\Users\Admin\AppData\Local\Temp\3925fd9da556d26c0ef2e1c6577fd060N.exe
"C:\Users\Admin\AppData\Local\Temp\3925fd9da556d26c0ef2e1c6577fd060N.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3188
- C:\UserDotTR\aoptiloc.exe
  C:\UserDotTR\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxE6\dobxsys.exe

Filesize
25KB

MD5
026b5b3bccf5ba08eba11a75edf428a9

SHA1
985adb24f126dd515a736f15e0e0ef950d16074d

SHA256
16b103bb168152cc04e4001d70f47793753bccb663ae111930c81e7aeb1b3b74

SHA512
cb6f00bffd6b94341601e36d76a2ab6cf2be99277668d045a37d5a02cc79635fb16b795cbae3578a7d30d2f3cb655c7bdca28503b445e3868e929c2854409c6e

Download Submit
C:\UserDotTR\aoptiloc.exe

Filesize
2.6MB

MD5
e6024376302211cb7b05d0eb937dc370

SHA1
4eec186a26290aa7e2460e8800dffda51d74f9eb

SHA256
f091466023d976c338c698861ab99863a43bc7f4b450a643b786988db61f1a23

SHA512
1844b5839cab0d130f55c0f7e5f80287ba64a2d2da9b0fc04817711f27d624f42e0ae8bcf6a338a69f086ae1f03cf844c7a1a30ee38106de2a5ebdc330b38cfb

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
75921ad89d384de3c517a473c27f7ac2

SHA1
62a7f7bab0e117bfde0efc5c92eb390da4ff5d01

SHA256
d3aa4568019d8b7e6fa9e788732768546e62e1f09e9c819a86d67686b0c93023

SHA512
57161b2fdfa54ab9553d0666542da42cc78580e07075e60dabf9d609c47858943c462609c4b7204d9958af363713538f3294034f0f3e41f67f248ca40ee0028c

Download Submit