b761f278b6ebe8aeb7da5a52df097fc86ca43aaeaa02019c9789750bad66f076

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/07/2024, 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

609778445692760644343b045a142df0N.exe
Size

3.1MB
MD5

609778445692760644343b045a142df0
SHA1

73dffe5fe6d8317cd90f3bc262ee6fe9e6de6df5
SHA256

b761f278b6ebe8aeb7da5a52df097fc86ca43aaeaa02019c9789750bad66f076
SHA512

bb13ba4a7daa7ac2f9eaf0dd1820d248823f9c954a4af1addd96ff5b7779a7fbf1b1641fba6895c5ad5629ae67fc89c54934a65ad369470e8851fb87afdbbd65
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB19w4Su+LNfej:+R0pI/IQlUoMPdmpSpx4JkNfej

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2488	aoptisys.exe

Loads dropped DLL 1 IoCs

pid	Process
1172	609778445692760644343b045a142df0N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocT5\\aoptisys.exe"	609778445692760644343b045a142df0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintX9\\boddevsys.exe"	609778445692760644343b045a142df0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1172	609778445692760644343b045a142df0N.exe
1172	609778445692760644343b045a142df0N.exe
2488	aoptisys.exe
1172	609778445692760644343b045a142df0N.exe
2488	aoptisys.exe
1172	609778445692760644343b045a142df0N.exe
2488	aoptisys.exe
1172	609778445692760644343b045a142df0N.exe
2488	aoptisys.exe
1172	609778445692760644343b045a142df0N.exe
2488	aoptisys.exe
1172	609778445692760644343b045a142df0N.exe
2488	aoptisys.exe
1172	609778445692760644343b045a142df0N.exe
2488	aoptisys.exe
1172	609778445692760644343b045a142df0N.exe
2488	aoptisys.exe
1172	609778445692760644343b045a142df0N.exe
2488	aoptisys.exe
1172	609778445692760644343b045a142df0N.exe
2488	aoptisys.exe
1172	609778445692760644343b045a142df0N.exe
2488	aoptisys.exe
1172	609778445692760644343b045a142df0N.exe
2488	aoptisys.exe
1172	609778445692760644343b045a142df0N.exe
2488	aoptisys.exe
1172	609778445692760644343b045a142df0N.exe
2488	aoptisys.exe
1172	609778445692760644343b045a142df0N.exe
2488	aoptisys.exe
1172	609778445692760644343b045a142df0N.exe
2488	aoptisys.exe
1172	609778445692760644343b045a142df0N.exe
2488	aoptisys.exe
1172	609778445692760644343b045a142df0N.exe
2488	aoptisys.exe
1172	609778445692760644343b045a142df0N.exe
2488	aoptisys.exe
1172	609778445692760644343b045a142df0N.exe
2488	aoptisys.exe
1172	609778445692760644343b045a142df0N.exe
2488	aoptisys.exe
1172	609778445692760644343b045a142df0N.exe
2488	aoptisys.exe
1172	609778445692760644343b045a142df0N.exe
2488	aoptisys.exe
1172	609778445692760644343b045a142df0N.exe
2488	aoptisys.exe
1172	609778445692760644343b045a142df0N.exe
2488	aoptisys.exe
1172	609778445692760644343b045a142df0N.exe
2488	aoptisys.exe
1172	609778445692760644343b045a142df0N.exe
2488	aoptisys.exe
1172	609778445692760644343b045a142df0N.exe
2488	aoptisys.exe
1172	609778445692760644343b045a142df0N.exe
2488	aoptisys.exe
1172	609778445692760644343b045a142df0N.exe
2488	aoptisys.exe
1172	609778445692760644343b045a142df0N.exe
2488	aoptisys.exe
1172	609778445692760644343b045a142df0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 2488	1172	609778445692760644343b045a142df0N.exe	31
PID 1172 wrote to memory of 2488	1172	609778445692760644343b045a142df0N.exe	31
PID 1172 wrote to memory of 2488	1172	609778445692760644343b045a142df0N.exe	31
PID 1172 wrote to memory of 2488	1172	609778445692760644343b045a142df0N.exe	31

C:\Users\Admin\AppData\Local\Temp\609778445692760644343b045a142df0N.exe
"C:\Users\Admin\AppData\Local\Temp\609778445692760644343b045a142df0N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1172
- C:\IntelprocT5\aoptisys.exe
  C:\IntelprocT5\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintX9\boddevsys.exe

Filesize
3.1MB

MD5
f9cf228543c733043874d60ef9116cc3

SHA1
4a964396d8a46398b583fbcc71186848af24d36c

SHA256
63d5f943edb6af0e90f73e21b041f6035ec1ac954de375ed8607d45034acf039

SHA512
2a236aaabf56cc827b864b4484fcaedd9f739a20feba3a6c9c521439ea93b2c43c72f1a77ccc247bdacf7a94102316c6e3b8c4937aa63e45836bba885f0f59eb

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
8142c4747ad87a5423351936805d07f4

SHA1
60445dfa2e46a58ceea21af6f1555e319bc0d767

SHA256
71c570127ecc22ceff0780e1121a93eb2baff790c954c0ef519ac03c3cd7f33c

SHA512
6b167b582d8d87a5b5678b243cb12913e868f04e8f39c821be757a47090b7098551e94f7b11599237b3baa9ddf5dc84ccef0b28fc098b3872ee91e2ede0e7c7f

Download Submit
\IntelprocT5\aoptisys.exe

Filesize
3.1MB

MD5
a0c765606e0d27719be041c5c767a466

SHA1
28cd4a55f11e8c0e0e36b84e7c7fd661e5ad256f

SHA256
1b43d6e5b1ba1a80e33fd2a112fa00fc3b216233071b0b7fe24acb673e72f93c

SHA512
34babec897698f7c994cf8be7771902893a44170ae208f17de17b44ed5600ea69cd1e5788b03553a3a449ae046fb6550584bd4c5a6766b771c273ec8c7229dd7

Download Submit