5a0f2afdc89d63b364f9137f3537f07818e4d4090511b5369c64ced04fa1ae2a

Analysis

max time kernel
119s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2024, 22:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1589949448e34351d5d4c4e5ef32b2d0N.exe
Size

2.7MB
MD5

1589949448e34351d5d4c4e5ef32b2d0
SHA1

eba74eada380f8e45fa30d645d8b7a7d3308b8e3
SHA256

5a0f2afdc89d63b364f9137f3537f07818e4d4090511b5369c64ced04fa1ae2a
SHA512

07d9e42aa9eccbd1f614c4b183ab089547235226e8cbde5fa12406c387bcf5d6e2a2bdb9ef4f7c7697438a0c3895d8fb4a74e984b1d3d23e7f692c46d6796965
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBD9w4Sx:+R0pI/IQlUoMPdmpSpP4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4596	aoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeV8\\aoptisys.exe"	1589949448e34351d5d4c4e5ef32b2d0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBFN\\dobxloc.exe"	1589949448e34351d5d4c4e5ef32b2d0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3384	1589949448e34351d5d4c4e5ef32b2d0N.exe
3384	1589949448e34351d5d4c4e5ef32b2d0N.exe
3384	1589949448e34351d5d4c4e5ef32b2d0N.exe
3384	1589949448e34351d5d4c4e5ef32b2d0N.exe
4596	aoptisys.exe
4596	aoptisys.exe
3384	1589949448e34351d5d4c4e5ef32b2d0N.exe
3384	1589949448e34351d5d4c4e5ef32b2d0N.exe
4596	aoptisys.exe
4596	aoptisys.exe
3384	1589949448e34351d5d4c4e5ef32b2d0N.exe
3384	1589949448e34351d5d4c4e5ef32b2d0N.exe
4596	aoptisys.exe
4596	aoptisys.exe
3384	1589949448e34351d5d4c4e5ef32b2d0N.exe
3384	1589949448e34351d5d4c4e5ef32b2d0N.exe
4596	aoptisys.exe
4596	aoptisys.exe
3384	1589949448e34351d5d4c4e5ef32b2d0N.exe
3384	1589949448e34351d5d4c4e5ef32b2d0N.exe
4596	aoptisys.exe
4596	aoptisys.exe
3384	1589949448e34351d5d4c4e5ef32b2d0N.exe
3384	1589949448e34351d5d4c4e5ef32b2d0N.exe
4596	aoptisys.exe
4596	aoptisys.exe
3384	1589949448e34351d5d4c4e5ef32b2d0N.exe
3384	1589949448e34351d5d4c4e5ef32b2d0N.exe
4596	aoptisys.exe
4596	aoptisys.exe
3384	1589949448e34351d5d4c4e5ef32b2d0N.exe
3384	1589949448e34351d5d4c4e5ef32b2d0N.exe
4596	aoptisys.exe
4596	aoptisys.exe
3384	1589949448e34351d5d4c4e5ef32b2d0N.exe
3384	1589949448e34351d5d4c4e5ef32b2d0N.exe
4596	aoptisys.exe
4596	aoptisys.exe
3384	1589949448e34351d5d4c4e5ef32b2d0N.exe
3384	1589949448e34351d5d4c4e5ef32b2d0N.exe
4596	aoptisys.exe
4596	aoptisys.exe
3384	1589949448e34351d5d4c4e5ef32b2d0N.exe
3384	1589949448e34351d5d4c4e5ef32b2d0N.exe
4596	aoptisys.exe
4596	aoptisys.exe
3384	1589949448e34351d5d4c4e5ef32b2d0N.exe
3384	1589949448e34351d5d4c4e5ef32b2d0N.exe
4596	aoptisys.exe
4596	aoptisys.exe
3384	1589949448e34351d5d4c4e5ef32b2d0N.exe
3384	1589949448e34351d5d4c4e5ef32b2d0N.exe
4596	aoptisys.exe
4596	aoptisys.exe
3384	1589949448e34351d5d4c4e5ef32b2d0N.exe
3384	1589949448e34351d5d4c4e5ef32b2d0N.exe
4596	aoptisys.exe
4596	aoptisys.exe
3384	1589949448e34351d5d4c4e5ef32b2d0N.exe
3384	1589949448e34351d5d4c4e5ef32b2d0N.exe
4596	aoptisys.exe
4596	aoptisys.exe
3384	1589949448e34351d5d4c4e5ef32b2d0N.exe
3384	1589949448e34351d5d4c4e5ef32b2d0N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3384 wrote to memory of 4596	3384	1589949448e34351d5d4c4e5ef32b2d0N.exe	87
PID 3384 wrote to memory of 4596	3384	1589949448e34351d5d4c4e5ef32b2d0N.exe	87
PID 3384 wrote to memory of 4596	3384	1589949448e34351d5d4c4e5ef32b2d0N.exe	87

C:\Users\Admin\AppData\Local\Temp\1589949448e34351d5d4c4e5ef32b2d0N.exe
"C:\Users\Admin\AppData\Local\Temp\1589949448e34351d5d4c4e5ef32b2d0N.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3384
- C:\AdobeV8\aoptisys.exe
  C:\AdobeV8\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeV8\aoptisys.exe

Filesize
2.7MB

MD5
c3c190d50471db2f7b7b6bd0018a9b88

SHA1
36aed25ada44ce464761beb018e3bf7bfdd5a899

SHA256
c15eedf0a729a86a4c416c3092684f4ae573d4ff39f3ca6aa98b0c281e0d4483

SHA512
81084ae7ce1e92dfb79ba6fafc2ba061a0433ee9f92966d46c9a2f3249efd64a35c2b31594d44aecb90e007b3d952f9c20978d54b3b00a45b720ee41df705792

Download Submit
C:\KaVBFN\dobxloc.exe

Filesize
589KB

MD5
d8a1a03129635b6c50a1f94f2717bcd2

SHA1
44553aecd1657a0c42cb10f36dfa5af93693200f

SHA256
d9106d6f764561bf9641a45c35003291a2901fba9bf5fa8cf3411e242adf4d22

SHA512
38d6e4a9734492492113b09426cb65c565fa2906a4dcecfbc9420a68b48ee9ddd5f0cf8a50130d8577cad8c01024b4f07fc2a30bf2152e7a264a915849f73493

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
c21c8a54a7802d75739a96f1d65777b2

SHA1
6ab9b81adf4b26be929ae55c7320a3ecbc8191a8

SHA256
fa415f2a123949f5a9303cf0e88478b7d2189c882a89b85c5a169d6bbb6fe2a8

SHA512
f53b0d09ee5df3a101b2b8d8148cd8b29115e56722772eeeae038b2b6135e46b86a1b841a30a33f776cbaf357c59d55a0b43801ab96e4aac1651798239914a85

Download Submit