4d2276f6c1c36f57d6bbfea5eb972a5caf734287eb36b7e19c6413727cfd44d4

Analysis

max time kernel
120s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 09:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7a36dbc34c80e27d52394c9def2756f0N.exe
Size

2.7MB
MD5

7a36dbc34c80e27d52394c9def2756f0
SHA1

429bfeee3cbedd1840072ac519cd4d76107af731
SHA256

4d2276f6c1c36f57d6bbfea5eb972a5caf734287eb36b7e19c6413727cfd44d4
SHA512

9272409b57111a194c03d35d3f8dfc8a88d8dc4b1e917867c1cd53658af33929d86fd29dc3ff760abad8a0d12119b74d6957c7f20c4307830fd5973fded95bb2
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBY9w4Sx:+R0pI/IQlUoMPdmpSpS4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1516	aoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid4D\\dobaec.exe"	7a36dbc34c80e27d52394c9def2756f0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesP4\\aoptisys.exe"	7a36dbc34c80e27d52394c9def2756f0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3944	7a36dbc34c80e27d52394c9def2756f0N.exe
3944	7a36dbc34c80e27d52394c9def2756f0N.exe
3944	7a36dbc34c80e27d52394c9def2756f0N.exe
3944	7a36dbc34c80e27d52394c9def2756f0N.exe
1516	aoptisys.exe
1516	aoptisys.exe
3944	7a36dbc34c80e27d52394c9def2756f0N.exe
3944	7a36dbc34c80e27d52394c9def2756f0N.exe
1516	aoptisys.exe
1516	aoptisys.exe
3944	7a36dbc34c80e27d52394c9def2756f0N.exe
3944	7a36dbc34c80e27d52394c9def2756f0N.exe
1516	aoptisys.exe
1516	aoptisys.exe
3944	7a36dbc34c80e27d52394c9def2756f0N.exe
3944	7a36dbc34c80e27d52394c9def2756f0N.exe
1516	aoptisys.exe
1516	aoptisys.exe
3944	7a36dbc34c80e27d52394c9def2756f0N.exe
3944	7a36dbc34c80e27d52394c9def2756f0N.exe
1516	aoptisys.exe
1516	aoptisys.exe
3944	7a36dbc34c80e27d52394c9def2756f0N.exe
3944	7a36dbc34c80e27d52394c9def2756f0N.exe
1516	aoptisys.exe
1516	aoptisys.exe
3944	7a36dbc34c80e27d52394c9def2756f0N.exe
3944	7a36dbc34c80e27d52394c9def2756f0N.exe
1516	aoptisys.exe
1516	aoptisys.exe
3944	7a36dbc34c80e27d52394c9def2756f0N.exe
3944	7a36dbc34c80e27d52394c9def2756f0N.exe
1516	aoptisys.exe
1516	aoptisys.exe
3944	7a36dbc34c80e27d52394c9def2756f0N.exe
3944	7a36dbc34c80e27d52394c9def2756f0N.exe
1516	aoptisys.exe
1516	aoptisys.exe
3944	7a36dbc34c80e27d52394c9def2756f0N.exe
3944	7a36dbc34c80e27d52394c9def2756f0N.exe
1516	aoptisys.exe
1516	aoptisys.exe
3944	7a36dbc34c80e27d52394c9def2756f0N.exe
3944	7a36dbc34c80e27d52394c9def2756f0N.exe
1516	aoptisys.exe
1516	aoptisys.exe
3944	7a36dbc34c80e27d52394c9def2756f0N.exe
3944	7a36dbc34c80e27d52394c9def2756f0N.exe
1516	aoptisys.exe
1516	aoptisys.exe
3944	7a36dbc34c80e27d52394c9def2756f0N.exe
3944	7a36dbc34c80e27d52394c9def2756f0N.exe
1516	aoptisys.exe
1516	aoptisys.exe
3944	7a36dbc34c80e27d52394c9def2756f0N.exe
3944	7a36dbc34c80e27d52394c9def2756f0N.exe
1516	aoptisys.exe
1516	aoptisys.exe
3944	7a36dbc34c80e27d52394c9def2756f0N.exe
3944	7a36dbc34c80e27d52394c9def2756f0N.exe
1516	aoptisys.exe
1516	aoptisys.exe
3944	7a36dbc34c80e27d52394c9def2756f0N.exe
3944	7a36dbc34c80e27d52394c9def2756f0N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3944 wrote to memory of 1516	3944	7a36dbc34c80e27d52394c9def2756f0N.exe	89
PID 3944 wrote to memory of 1516	3944	7a36dbc34c80e27d52394c9def2756f0N.exe	89
PID 3944 wrote to memory of 1516	3944	7a36dbc34c80e27d52394c9def2756f0N.exe	89

C:\Users\Admin\AppData\Local\Temp\7a36dbc34c80e27d52394c9def2756f0N.exe
"C:\Users\Admin\AppData\Local\Temp\7a36dbc34c80e27d52394c9def2756f0N.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3944
- C:\FilesP4\aoptisys.exe
  C:\FilesP4\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FilesP4\aoptisys.exe

Filesize
2.7MB

MD5
f7c05200aa23a0351761cc75de6669b0

SHA1
2f0082deda53e99b0960309c753ffd2d6d328ff9

SHA256
ec7568c95873a64c9bf21c55075553ebfb5e03a4ce5d0ecf7831f23e17e60c00

SHA512
cf1600fee39dfe034ef9508a93d2c9c4a2f79d131cd517c113b6e42a980078a230b4411c203e2a7795695e9a99ed1197cc889f4bbdba3d26bf6ac48684b828cd

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
199B

MD5
ea5114e7bd92edbb7946aad21bcca028

SHA1
aa8401c2dad70f917786751a4d124d39aea4bbc2

SHA256
af8197aa40ad8e39fc82e20f1a4250a30ff48cfa6fbd0278ee890e19f73c6ae2

SHA512
9b0ef153b74a1d8b8531877143eed5b59735ce886242fbec69fed5ff35c84535e4d645ca022960f5a50eda7d3e2927ef3f1e420c5b02d6578dedb2c9a1234bb8

Download Submit
C:\Vid4D\dobaec.exe

Filesize
2.7MB

MD5
671999ee39be8d7cee302bb3bd1a6201

SHA1
62518f1ed8b27666e7a876d58bfd9cd190dd5b47

SHA256
1994f34196e15e091a96043d14d1098c5a4dd72ea412c5d327119318d8d7df98

SHA512
2d22d9717b5a13e138ba7d9d68b7661cf4704b7f4116877df44419918297551b61ba62de2a6d78847394b4485986afcb9c6437e0542bc8eed68b2d80a6d9f863

Download Submit