678b5eaaad793b7036cbff3572a38ee4153e4a7e0fca757ad2ac35bcc193589f

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
16/07/2024, 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59b63d0e3702529c84a23e34a93776d0N.exe
Size

2.7MB
MD5

59b63d0e3702529c84a23e34a93776d0
SHA1

c89a2401c7737766b0ddd131906d7dbf1c533e3d
SHA256

678b5eaaad793b7036cbff3572a38ee4153e4a7e0fca757ad2ac35bcc193589f
SHA512

0ac55eafa0f57617f29099c6b96bdbbc496a4ef423980289ea0af4a5d3097abffa2244613452728a0c106f49e761387bc263560a819da65394c9fce78667c5d1
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBq9w4Sx:+R0pI/IQlUoMPdmpSpc4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1128	aoptiec.exe

Loads dropped DLL 1 IoCs

pid	Process
2556	59b63d0e3702529c84a23e34a93776d0N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotGK\\aoptiec.exe"	59b63d0e3702529c84a23e34a93776d0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidOT\\bodaec.exe"	59b63d0e3702529c84a23e34a93776d0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2556	59b63d0e3702529c84a23e34a93776d0N.exe
2556	59b63d0e3702529c84a23e34a93776d0N.exe
1128	aoptiec.exe
2556	59b63d0e3702529c84a23e34a93776d0N.exe
1128	aoptiec.exe
2556	59b63d0e3702529c84a23e34a93776d0N.exe
1128	aoptiec.exe
2556	59b63d0e3702529c84a23e34a93776d0N.exe
1128	aoptiec.exe
2556	59b63d0e3702529c84a23e34a93776d0N.exe
1128	aoptiec.exe
2556	59b63d0e3702529c84a23e34a93776d0N.exe
1128	aoptiec.exe
2556	59b63d0e3702529c84a23e34a93776d0N.exe
1128	aoptiec.exe
2556	59b63d0e3702529c84a23e34a93776d0N.exe
1128	aoptiec.exe
2556	59b63d0e3702529c84a23e34a93776d0N.exe
1128	aoptiec.exe
2556	59b63d0e3702529c84a23e34a93776d0N.exe
1128	aoptiec.exe
2556	59b63d0e3702529c84a23e34a93776d0N.exe
1128	aoptiec.exe
2556	59b63d0e3702529c84a23e34a93776d0N.exe
1128	aoptiec.exe
2556	59b63d0e3702529c84a23e34a93776d0N.exe
1128	aoptiec.exe
2556	59b63d0e3702529c84a23e34a93776d0N.exe
1128	aoptiec.exe
2556	59b63d0e3702529c84a23e34a93776d0N.exe
1128	aoptiec.exe
2556	59b63d0e3702529c84a23e34a93776d0N.exe
1128	aoptiec.exe
2556	59b63d0e3702529c84a23e34a93776d0N.exe
1128	aoptiec.exe
2556	59b63d0e3702529c84a23e34a93776d0N.exe
1128	aoptiec.exe
2556	59b63d0e3702529c84a23e34a93776d0N.exe
1128	aoptiec.exe
2556	59b63d0e3702529c84a23e34a93776d0N.exe
1128	aoptiec.exe
2556	59b63d0e3702529c84a23e34a93776d0N.exe
1128	aoptiec.exe
2556	59b63d0e3702529c84a23e34a93776d0N.exe
1128	aoptiec.exe
2556	59b63d0e3702529c84a23e34a93776d0N.exe
1128	aoptiec.exe
2556	59b63d0e3702529c84a23e34a93776d0N.exe
1128	aoptiec.exe
2556	59b63d0e3702529c84a23e34a93776d0N.exe
1128	aoptiec.exe
2556	59b63d0e3702529c84a23e34a93776d0N.exe
1128	aoptiec.exe
2556	59b63d0e3702529c84a23e34a93776d0N.exe
1128	aoptiec.exe
2556	59b63d0e3702529c84a23e34a93776d0N.exe
1128	aoptiec.exe
2556	59b63d0e3702529c84a23e34a93776d0N.exe
1128	aoptiec.exe
2556	59b63d0e3702529c84a23e34a93776d0N.exe
1128	aoptiec.exe
2556	59b63d0e3702529c84a23e34a93776d0N.exe
1128	aoptiec.exe
2556	59b63d0e3702529c84a23e34a93776d0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 1128	2556	59b63d0e3702529c84a23e34a93776d0N.exe	30
PID 2556 wrote to memory of 1128	2556	59b63d0e3702529c84a23e34a93776d0N.exe	30
PID 2556 wrote to memory of 1128	2556	59b63d0e3702529c84a23e34a93776d0N.exe	30
PID 2556 wrote to memory of 1128	2556	59b63d0e3702529c84a23e34a93776d0N.exe	30

C:\Users\Admin\AppData\Local\Temp\59b63d0e3702529c84a23e34a93776d0N.exe
"C:\Users\Admin\AppData\Local\Temp\59b63d0e3702529c84a23e34a93776d0N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2556
- C:\UserDotGK\aoptiec.exe
  C:\UserDotGK\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
293ad16dcce952961e5b2af28531ffc6

SHA1
085a94f53ec9428670fc6662c584858025e1ec11

SHA256
c7edee53be23e81f4470325a2f184964663b41f3acb446df9674b008fa1ffa8e

SHA512
cac0e810feb43a2120e574f2da703208e86a32347e3bdff0236bb91dc01043f241b7aed406f741e76b0ec49d6732f3b43bf80af36a223bdb96b4b7572a37470c

Download Submit
C:\VidOT\bodaec.exe

Filesize
9KB

MD5
bf965ee8f9d95b943a5ea888a522c44e

SHA1
69326314abf4da6764942ada42d063b44fb707c9

SHA256
13c64f8ad509d213565146a5459b79218788b601d1d572943dfbacb755233c7e

SHA512
c5b066aa1f9c4aa2d78f788c9be796bc4016f479bb94a04aa8acc989526f1637cb18b97eefb4cc366cf3b29b7f7860dfe7860a23ddf51ae21401c53b0004d60b

Download Submit
\UserDotGK\aoptiec.exe

Filesize
2.7MB

MD5
1b87c000b537921771be3d92c2972ce5

SHA1
95399cd5aa566ccb1fc3d8fe7550a2c16464fb56

SHA256
9eaac6014149eb5a99f0ec7b38ae9f436c2830efdae0c062c163014387b322b7

SHA512
b9246bf3161ac8951d16e195b042933c504c1ea9f9709363eb03edc9c3537b0c1ab775b6fbc459a23b133b547b064e2c93a066e51711b54c8f9fed7ceaf4a048

Download Submit