fe78e40074975e53368d4146eca73afee3abe790b046770477545ea797c1a365

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21/07/2024, 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19967111de64b38adbc394905beb60d0N.exe
Size

4.1MB
MD5

19967111de64b38adbc394905beb60d0
SHA1

05cad3ee6cde6168e87edcd2e9e3e21cfefcc17e
SHA256

fe78e40074975e53368d4146eca73afee3abe790b046770477545ea797c1a365
SHA512

9acb96462a0044465c012fba8277ac57abc910d18fd5b9f4057a0ee20e5768b68497cca6754b7cd1f052b28a8a6fcc9390c9c16a78a32d8d27bc1b2d4bc9f87a
SSDEEP

98304:+R0pI/IQlUoMPdmpSpD4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdm85n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2544	aoptiec.exe

Loads dropped DLL 1 IoCs

pid	Process
1756	19967111de64b38adbc394905beb60d0N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe2A\\aoptiec.exe"	19967111de64b38adbc394905beb60d0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintP6\\optixec.exe"	19967111de64b38adbc394905beb60d0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1756	19967111de64b38adbc394905beb60d0N.exe
1756	19967111de64b38adbc394905beb60d0N.exe
2544	aoptiec.exe
1756	19967111de64b38adbc394905beb60d0N.exe
2544	aoptiec.exe
1756	19967111de64b38adbc394905beb60d0N.exe
2544	aoptiec.exe
1756	19967111de64b38adbc394905beb60d0N.exe
2544	aoptiec.exe
1756	19967111de64b38adbc394905beb60d0N.exe
2544	aoptiec.exe
1756	19967111de64b38adbc394905beb60d0N.exe
2544	aoptiec.exe
1756	19967111de64b38adbc394905beb60d0N.exe
2544	aoptiec.exe
1756	19967111de64b38adbc394905beb60d0N.exe
2544	aoptiec.exe
1756	19967111de64b38adbc394905beb60d0N.exe
2544	aoptiec.exe
1756	19967111de64b38adbc394905beb60d0N.exe
2544	aoptiec.exe
1756	19967111de64b38adbc394905beb60d0N.exe
2544	aoptiec.exe
1756	19967111de64b38adbc394905beb60d0N.exe
2544	aoptiec.exe
1756	19967111de64b38adbc394905beb60d0N.exe
2544	aoptiec.exe
1756	19967111de64b38adbc394905beb60d0N.exe
2544	aoptiec.exe
1756	19967111de64b38adbc394905beb60d0N.exe
2544	aoptiec.exe
1756	19967111de64b38adbc394905beb60d0N.exe
2544	aoptiec.exe
1756	19967111de64b38adbc394905beb60d0N.exe
2544	aoptiec.exe
1756	19967111de64b38adbc394905beb60d0N.exe
2544	aoptiec.exe
1756	19967111de64b38adbc394905beb60d0N.exe
2544	aoptiec.exe
1756	19967111de64b38adbc394905beb60d0N.exe
2544	aoptiec.exe
1756	19967111de64b38adbc394905beb60d0N.exe
2544	aoptiec.exe
1756	19967111de64b38adbc394905beb60d0N.exe
2544	aoptiec.exe
1756	19967111de64b38adbc394905beb60d0N.exe
2544	aoptiec.exe
1756	19967111de64b38adbc394905beb60d0N.exe
2544	aoptiec.exe
1756	19967111de64b38adbc394905beb60d0N.exe
2544	aoptiec.exe
1756	19967111de64b38adbc394905beb60d0N.exe
2544	aoptiec.exe
1756	19967111de64b38adbc394905beb60d0N.exe
2544	aoptiec.exe
1756	19967111de64b38adbc394905beb60d0N.exe
2544	aoptiec.exe
1756	19967111de64b38adbc394905beb60d0N.exe
2544	aoptiec.exe
1756	19967111de64b38adbc394905beb60d0N.exe
2544	aoptiec.exe
1756	19967111de64b38adbc394905beb60d0N.exe
2544	aoptiec.exe
1756	19967111de64b38adbc394905beb60d0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 2544	1756	19967111de64b38adbc394905beb60d0N.exe	30
PID 1756 wrote to memory of 2544	1756	19967111de64b38adbc394905beb60d0N.exe	30
PID 1756 wrote to memory of 2544	1756	19967111de64b38adbc394905beb60d0N.exe	30
PID 1756 wrote to memory of 2544	1756	19967111de64b38adbc394905beb60d0N.exe	30

C:\Users\Admin\AppData\Local\Temp\19967111de64b38adbc394905beb60d0N.exe
"C:\Users\Admin\AppData\Local\Temp\19967111de64b38adbc394905beb60d0N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Adobe2A\aoptiec.exe
  C:\Adobe2A\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintP6\optixec.exe

Filesize
4.1MB

MD5
1557c93d7ff57a166e3a95ee7c56033a

SHA1
2501322afb4ea8a1da3550c21f44bd1a4bc95029

SHA256
2b759b39db0e927dcfdb67e0c637937107a03869b5b6bf42cb8a9509afdfe727

SHA512
5113a1bf8d939456f173da600d9d1cc535d5ee71f79870290900c4af88c526bbe215acd6b7f3a2852e0f775a27fa4223f83f83d8971984de3e4190be6773d831

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
7c41c562771240a5d4a0f37cc7c6a107

SHA1
ab516c9599017e67f15cc3b2d448d0db56868cb3

SHA256
80549bc94bbd7de6ed82e28ded6b8594827e9729a0b9c4e640c64dbebdf828fa

SHA512
8cfd5bb29c0086e8b68652d5b8c5a061125ea54912339dca76db27558221063aa45f3233d7fcdb5c33fa8747ec54df798a8a0102548023cc326c7f79ab6962a8

Download Submit
\Adobe2A\aoptiec.exe

Filesize
4.1MB

MD5
ff1bded0a3ae602d86c8e0fe45e67285

SHA1
ef5d244ec92a3a266f3730caf6e0537a6bad2622

SHA256
81d0ea4d014fa87ce64b728620169d4d0d917655d8af2707d7be177b78c2c4f3

SHA512
b8dbc7ad8467b7ce3d2ec9fc370285a873330c2faf7919b83f533423ec07248a42071e1943e3ad7842f04187c0834b94f88b75febd08982e6ea5a918d6f088f7

Download Submit