457f91f9933d8ff8a0d617e63159037210951f5062259e648a1d5c839d5239ec

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20-07-2024 04:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48475fd6e2aaa53f926ff7b6570faf30N.exe
Size

2.7MB
MD5

48475fd6e2aaa53f926ff7b6570faf30
SHA1

9c02e5237e88593e327f31dcfa9b93b473118cb6
SHA256

457f91f9933d8ff8a0d617e63159037210951f5062259e648a1d5c839d5239ec
SHA512

d771840f033c0a084c4448ce41a2a54a42bf2f32276bbb984529eab2e81a2fa6ec8814cd12287d79a3b041f8f9b1ca77ea8c4dd7b7bc087959072f42d78dc295
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBY9w4S+:+R0pI/IQlUoMPdmpSpS4X

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2080	aoptisys.exe

Loads dropped DLL 1 IoCs

pid	Process
1960	48475fd6e2aaa53f926ff7b6570faf30N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvIM\\aoptisys.exe"	48475fd6e2aaa53f926ff7b6570faf30N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZDZ\\boddevec.exe"	48475fd6e2aaa53f926ff7b6570faf30N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1960	48475fd6e2aaa53f926ff7b6570faf30N.exe
1960	48475fd6e2aaa53f926ff7b6570faf30N.exe
2080	aoptisys.exe
1960	48475fd6e2aaa53f926ff7b6570faf30N.exe
2080	aoptisys.exe
1960	48475fd6e2aaa53f926ff7b6570faf30N.exe
2080	aoptisys.exe
1960	48475fd6e2aaa53f926ff7b6570faf30N.exe
2080	aoptisys.exe
1960	48475fd6e2aaa53f926ff7b6570faf30N.exe
2080	aoptisys.exe
1960	48475fd6e2aaa53f926ff7b6570faf30N.exe
2080	aoptisys.exe
1960	48475fd6e2aaa53f926ff7b6570faf30N.exe
2080	aoptisys.exe
1960	48475fd6e2aaa53f926ff7b6570faf30N.exe
2080	aoptisys.exe
1960	48475fd6e2aaa53f926ff7b6570faf30N.exe
2080	aoptisys.exe
1960	48475fd6e2aaa53f926ff7b6570faf30N.exe
2080	aoptisys.exe
1960	48475fd6e2aaa53f926ff7b6570faf30N.exe
2080	aoptisys.exe
1960	48475fd6e2aaa53f926ff7b6570faf30N.exe
2080	aoptisys.exe
1960	48475fd6e2aaa53f926ff7b6570faf30N.exe
2080	aoptisys.exe
1960	48475fd6e2aaa53f926ff7b6570faf30N.exe
2080	aoptisys.exe
1960	48475fd6e2aaa53f926ff7b6570faf30N.exe
2080	aoptisys.exe
1960	48475fd6e2aaa53f926ff7b6570faf30N.exe
2080	aoptisys.exe
1960	48475fd6e2aaa53f926ff7b6570faf30N.exe
2080	aoptisys.exe
1960	48475fd6e2aaa53f926ff7b6570faf30N.exe
2080	aoptisys.exe
1960	48475fd6e2aaa53f926ff7b6570faf30N.exe
2080	aoptisys.exe
1960	48475fd6e2aaa53f926ff7b6570faf30N.exe
2080	aoptisys.exe
1960	48475fd6e2aaa53f926ff7b6570faf30N.exe
2080	aoptisys.exe
1960	48475fd6e2aaa53f926ff7b6570faf30N.exe
2080	aoptisys.exe
1960	48475fd6e2aaa53f926ff7b6570faf30N.exe
2080	aoptisys.exe
1960	48475fd6e2aaa53f926ff7b6570faf30N.exe
2080	aoptisys.exe
1960	48475fd6e2aaa53f926ff7b6570faf30N.exe
2080	aoptisys.exe
1960	48475fd6e2aaa53f926ff7b6570faf30N.exe
2080	aoptisys.exe
1960	48475fd6e2aaa53f926ff7b6570faf30N.exe
2080	aoptisys.exe
1960	48475fd6e2aaa53f926ff7b6570faf30N.exe
2080	aoptisys.exe
1960	48475fd6e2aaa53f926ff7b6570faf30N.exe
2080	aoptisys.exe
1960	48475fd6e2aaa53f926ff7b6570faf30N.exe
2080	aoptisys.exe
1960	48475fd6e2aaa53f926ff7b6570faf30N.exe
2080	aoptisys.exe
1960	48475fd6e2aaa53f926ff7b6570faf30N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2080	1960	48475fd6e2aaa53f926ff7b6570faf30N.exe	30
PID 1960 wrote to memory of 2080	1960	48475fd6e2aaa53f926ff7b6570faf30N.exe	30
PID 1960 wrote to memory of 2080	1960	48475fd6e2aaa53f926ff7b6570faf30N.exe	30
PID 1960 wrote to memory of 2080	1960	48475fd6e2aaa53f926ff7b6570faf30N.exe	30

C:\Users\Admin\AppData\Local\Temp\48475fd6e2aaa53f926ff7b6570faf30N.exe
"C:\Users\Admin\AppData\Local\Temp\48475fd6e2aaa53f926ff7b6570faf30N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1960
- C:\SysDrvIM\aoptisys.exe
  C:\SysDrvIM\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZDZ\boddevec.exe

Filesize
2.7MB

MD5
543c45b4b05c2242f528d8f25fdd356b

SHA1
8e422b22a785905cd16c9775ff9382cb139286ce

SHA256
fcab79f4cb7ddfb02abb3e34c90f0ed04d847a206de4bde1e28bf261d8053980

SHA512
d99c74ee5bc6afc0ac48deffec673ea1bb695b706f22cd10de27ac44530e831e52d00ceb42f6a8c1ccb461eed8786da0b81b7612909da5160cd3d6acd2b98830

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
460a33318c2eb9d8cc3d937c7beddaa7

SHA1
f894a5552f1f374359e33dbe9bbfd847649e0c3d

SHA256
a4cb479a7b509db88b064c567f9941b805843d0fa992a3b32068dfd3735c2ad6

SHA512
5a18a858f4c9bca810b4e4b5f33503053411d794f902be503f660a006d3a7414e1106be81ed15fe29034a5973c98fd9f1cdc8dc6d4faef86b9ed880f3dfb3585

Download Submit
\SysDrvIM\aoptisys.exe

Filesize
2.7MB

MD5
cddeadb46020e27e5200446ef30cb8e3

SHA1
b31f77e2a2f18979dd9e38bc453edf58b544ebff

SHA256
662418bce623a048c42283ca8b36f4c1a8b9a25799925b0976f4c867ee083472

SHA512
959140fb5f0d118f897ac80009f819a1ddb3ef05d5e5f84024c005231339849f799a24776fc66639c28cf372b9217d81bae2cb15de2e24743724dd4fbecc1200

Download Submit