228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14/07/2024, 10:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
Size

4.1MB
MD5

f333cbea59fa4b884f5f7f176f4e49bf
SHA1

ba357bdd4c94c35f09e0b8431412396379441b9a
SHA256

228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287
SHA512

98c31f55a8299a65f3415b4bdc2d4c792d04d8f54222fc1efa348eee7ba1b997cfa4b11f6af5f82305c435213e1e4494382995865d56e71de5828a4f12fe747b
SSDEEP

98304:+R0pI/IQlUoMPdmpSpw4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmz5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3408	aoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc5I\\aoptisys.exe"	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxQ5\\dobaloc.exe"	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1452	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1452	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1452	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1452	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
3408	aoptisys.exe
3408	aoptisys.exe
1452	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1452	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
3408	aoptisys.exe
3408	aoptisys.exe
1452	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1452	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
3408	aoptisys.exe
3408	aoptisys.exe
1452	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1452	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
3408	aoptisys.exe
3408	aoptisys.exe
1452	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1452	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
3408	aoptisys.exe
3408	aoptisys.exe
1452	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1452	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
3408	aoptisys.exe
3408	aoptisys.exe
1452	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1452	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
3408	aoptisys.exe
3408	aoptisys.exe
1452	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1452	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
3408	aoptisys.exe
3408	aoptisys.exe
1452	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1452	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
3408	aoptisys.exe
3408	aoptisys.exe
1452	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1452	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
3408	aoptisys.exe
3408	aoptisys.exe
1452	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1452	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
3408	aoptisys.exe
3408	aoptisys.exe
1452	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1452	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
3408	aoptisys.exe
3408	aoptisys.exe
1452	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1452	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
3408	aoptisys.exe
3408	aoptisys.exe
1452	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1452	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
3408	aoptisys.exe
3408	aoptisys.exe
1452	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1452	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
3408	aoptisys.exe
3408	aoptisys.exe
1452	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
1452	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 3408	1452	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe	86
PID 1452 wrote to memory of 3408	1452	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe	86
PID 1452 wrote to memory of 3408	1452	228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe	86

C:\Users\Admin\AppData\Local\Temp\228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe
"C:\Users\Admin\AppData\Local\Temp\228b25a60122631a6c02d014fb9bf6bb9a627056e40c5da9d0ef74cb12e94287.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Intelproc5I\aoptisys.exe
  C:\Intelproc5I\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxQ5\dobaloc.exe

Filesize
4.1MB

MD5
2750feb8796b0a4a0a8d0dd2c7850104

SHA1
dd916c85a5f9f64751144569662687f3ff0aede3

SHA256
3542300b3fdd9c1e2b3396be94fe6af46058f2b3462cf9d0660dd25485af1618

SHA512
3b62637bbb71353498bac107b070ee091eed69cfe0bf373228181b33ae5f949e84f09b8a20b5319851f6e60b2fb168c389e774a2e69151431d5046ce6783a3b7

Download Submit
C:\Intelproc5I\aoptisys.exe

Filesize
4.1MB

MD5
db1e62689eb3917b9a303c2c3cf7c583

SHA1
9aa54b85978e9071c89c75bea0a77f41fa6338fb

SHA256
bea47d6161eb396239acd21215c25d3bc1accad6e9ec271da884642ccdaf6d97

SHA512
6217834752c0fd227b6d1222ae10c8d6b52735d329aa2ce377dba7aef5d6291b317fa7c193d322d2d204b2850834cd6bfa8f9440763cc0c80dd1c31f3fdb8b93

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
207B

MD5
7e15d7230738397a81cad813e33906e7

SHA1
fea7877e1ba3f634782d86157ad11c467ad731d4

SHA256
d61041f9b21729d3ac39188c5829ebb567cf5bf80de60a82b6d29796c5e850d9

SHA512
6db3066b1e84b161f3cc10ab6e7b944965d5211d091fdec1f223a74e1fdccd29cd325703bae44efae4d4d8596c8262c0fca5fb6879ab76a308d605e0bebd8864

Download Submit