b3b8baae3ca6b7d301d5bcd45859c6f00eef17bdd8b2ef1d7571b85d83fef4e4

Analysis

max time kernel
146s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Wopti.v7.91.Build.9.115.By.MyCrack/WoptiUtilities.exe
Size

2.1MB
MD5

aacdb052b4adfc3e570a7a6619719c58
SHA1

028f5442c31a29f19cf837d0818d89f7d933e167
SHA256

81b87dd0a52d81cc0426dce1c26e9db39073bb28389ab24c0ec12ac4756c4c06
SHA512

f67e01fae7efc63852756a92815b313070bf2bbad63bc3b743e8f63b7532afb14205be0061f225249d88814b2c363077f8ecc9cfdf269ab188a3f69c1f2e33e7
SSDEEP

24576:kMguKLQHQ4rCdAZBG7N6wCRGTwjsOWsCMPqWJuOBveeBrv9KDxb020B9HEihsKmr:kMRBTnqN6wCREXpeJm2EiQ94nt7/q5

Score

7^/10

bootkit persistence

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WoptiUtilities.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	WoptiUtilities.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	WoptiUtilities.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	WoptiUtilities.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	WoptiUtilities.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	WoptiUtilities.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	WoptiUtilities.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	WoptiUtilities.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\Google\DisplayName = "????"	WoptiUtilities.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\Google\SortIndex = "4294967294"	WoptiUtilities.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\Baidu	WoptiUtilities.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\Baidu\DisplayName = "????"	WoptiUtilities.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\Baidu\SortIndex = "4294967293"	WoptiUtilities.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\Baidu\Codepage = "65001"	WoptiUtilities.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\Google	WoptiUtilities.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\Google\Codepage = "936"	WoptiUtilities.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\Baidu\URL = "http://www.baidu.com/s?tn=yokcom_pg&ie=UTF-8&wd={searchTerms}&cl=3"	WoptiUtilities.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\Google\URL = "http://www.google.com/search?hl=zh-CN&q={searchTerms}&lr="	WoptiUtilities.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeBackupPrivilege	1864	WoptiUtilities.exe
Token: SeSecurityPrivilege	1864	WoptiUtilities.exe
Token: SeSecurityPrivilege	1864	WoptiUtilities.exe
Token: SeSecurityPrivilege	1864	WoptiUtilities.exe
Token: SeSecurityPrivilege	1864	WoptiUtilities.exe
Token: SeSecurityPrivilege	1864	WoptiUtilities.exe
Token: SeSecurityPrivilege	1864	WoptiUtilities.exe
Token: SeSecurityPrivilege	1864	WoptiUtilities.exe
Token: SeSecurityPrivilege	1864	WoptiUtilities.exe
Token: 33	1864	WoptiUtilities.exe
Token: SeIncBasePriorityPrivilege	1864	WoptiUtilities.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 2944	1864	WoptiUtilities.exe	30
PID 1864 wrote to memory of 2944	1864	WoptiUtilities.exe	30
PID 1864 wrote to memory of 2944	1864	WoptiUtilities.exe	30
PID 1864 wrote to memory of 2944	1864	WoptiUtilities.exe	30

C:\Users\Admin\AppData\Local\Temp\Wopti.v7.91.Build.9.115.By.MyCrack\WoptiUtilities.exe
"C:\Users\Admin\AppData\Local\Temp\Wopti.v7.91.Build.9.115.By.MyCrack\WoptiUtilities.exe"
1⤵
- Checks BIOS information in registry
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\romBF49.tmp.exe > C:\Users\Admin\AppData\Local\Temp\romBF49.tmp
  2⤵
  PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Wopti.v7.91.Build.9.115.By.MyCrack\Devs.tmp

Filesize
819KB

MD5
fd256d9f54ba68c432aff9a36d43de35

SHA1
7820a28ab8d360886e84c2517275db2c0bfbed14

SHA256
1ff1f3a34752e9b4a71cbe189a29c2ac19fe7faa1c56076e76e271a55a44b47e

SHA512
e8069747f68032ef48afe80dec9edbdec8fc5ea041a894d751c9a8b65ee5eddec71d2495ef32c9f892a8c0f2ed501b3c4afa10f66a2ade7fb089bc284ed22c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wopti.v7.91.Build.9.115.By.MyCrack\Set.ini

Filesize
22B

MD5
8526ab457074d902cb0840cde8db3956

SHA1
3faab54c0039e50b1606d462f8f38d49759ad9ff

SHA256
579ae99e25c7b8222acf14f5307224912dfca20f465be7a66485f729ad1f8077

SHA512
642c985ca4ac088e6bcafc4eb45e02f1b0bed2be405ad3d3cf1ee9e964da7c60a03ec0ea6ffe89f97646c63924e7bb6a053426b99dfc5f691bb3bb1e746b386f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wopti.v7.91.Build.9.115.By.MyCrack\Set.ini

Filesize
138B

MD5
bd5ec1bb52187689aced68b4ac111094

SHA1
81a1cc2d907318d6b7d4ae71640f6826a93645a9

SHA256
220e00d29a6352653b206e3186cf7b1030e4f2f2bec0b62387c67ee9cc640f00

SHA512
582f8c93e76871b5a13a8a9f28302f658fe558923a57b57bd27e11e0881420b6060d43fd50cc515f2670002ca3eb90e552a228e7da8d1aee5d9575f29f1482ce

Download Submit
memory/1864-531-0x0000000000AD0000-0x0000000000AD2000-memory.dmp

Filesize
8KB

Download
memory/1864-1-0x0000000000400000-0x0000000000A2A000-memory.dmp

Filesize
6.2MB

Download
memory/1864-532-0x0000000000AD0000-0x0000000000AD2000-memory.dmp

Filesize
8KB

Download
memory/1864-0-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/1864-3-0x0000000010000000-0x00000000100AD000-memory.dmp

Filesize
692KB

Download
memory/1864-618-0x0000000000400000-0x0000000000A2A000-memory.dmp

Filesize
6.2MB

Download
memory/1864-619-0x0000000000A29000-0x0000000000A2A000-memory.dmp

Filesize
4KB

Download
memory/1864-2-0x0000000000A29000-0x0000000000A2A000-memory.dmp

Filesize
4KB

Download
memory/1864-631-0x0000000000AD0000-0x0000000000AD2000-memory.dmp

Filesize
8KB

Download
memory/1864-630-0x0000000000AD0000-0x0000000000AD2000-memory.dmp

Filesize
8KB

Download
memory/1864-633-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/1864-632-0x0000000000400000-0x0000000000A2A000-memory.dmp

Filesize
6.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads