Analysis
- max time kernel: 149s
- max time network: 18s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 25-07-2024 18:14
Static task
- static1
Behavioral task
- behavioral1
  Sample: 032e898e9f9f9da801fd2abfafecd96d838de566e1a11d50c85ea6706371effb.exe
  Resource: win7-20240708-en
Behavioral task
- behavioral2
  Sample: 032e898e9f9f9da801fd2abfafecd96d838de566e1a11d50c85ea6706371effb.exe
  Resource: win10v2004-20240709-en
General
- Target: 032e898e9f9f9da801fd2abfafecd96d838de566e1a11d50c85ea6706371effb.exe
- Size: 2.7MB
- MD5: 04e0f8cfef5a9203f87a6e6f957e02c2
- SHA1: fb1c1486c3470892e3622966f6b5e2e5a9aeeef4
- SHA256: 032e898e9f9f9da801fd2abfafecd96d838de566e1a11d50c85ea6706371effb
- SHA512: d520f08a8bc6949995c91383943877aeaa5bdb923a3063317f345192cdc423d52282b3489dba575e66f99cad296a067f80088b2654e347d72dc4963a027586ee
- SSDEEP: 49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB89w4Sx:+R0pI/IQlUoMPdmpSpy4
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  2544 | aoptisys.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  964 | 032e898e9f9f9da801fd2abfafecd96d838de566e1a11d50c85ea6706371effb.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot6Q\\aoptisys.exe" | 032e898e9f9f9da801fd2abfafecd96d838de566e1a11d50c85ea6706371effb.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidQW\\bodxloc.exe" | 032e898e9f9f9da801fd2abfafecd96d838de566e1a11d50c85ea6706371effb.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 032e898e9f9f9da801fd2abfafecd96d838de566e1a11d50c85ea6706371effb.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | aoptisys.exe
- NTFS ADS (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\CC4G4\%B4@<A:\ <6EBFB9G\*<A7BJF\&G4EG� 8AH\#EB:E4@F\&G4EGHC\locdevdob.exe | aoptisys.exe
  File created | C:\Users\Admin\CC4G4\%B4@<A:\ <6EBFB9G\*<A7BJF\&G4EG� 8AH\#EB:E4@F\&G4EGHC\locdevdob.exe | 032e898e9f9f9da801fd2abfafecd96d838de566e1a11d50c85ea6706371effb.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs; PIDs 964 and 2544, see Processes)
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 964 wrote to memory of 2544 | 964 | 032e898e9f9f9da801fd2abfafecd96d838de566e1a11d50c85ea6706371effb.exe | 30
  PID 964 wrote to memory of 2544 | 964 | 032e898e9f9f9da801fd2abfafecd96d838de566e1a11d50c85ea6706371effb.exe | 30
  PID 964 wrote to memory of 2544 | 964 | 032e898e9f9f9da801fd2abfafecd96d838de566e1a11d50c85ea6706371effb.exe | 30
  PID 964 wrote to memory of 2544 | 964 | 032e898e9f9f9da801fd2abfafecd96d838de566e1a11d50c85ea6706371effb.exe | 30
Processes
- C:\Users\Admin\AppData\Local\Temp\032e898e9f9f9da801fd2abfafecd96d838de566e1a11d50c85ea6706371effb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\032e898e9f9f9da801fd2abfafecd96d838de566e1a11d50c85ea6706371effb.exe"
  PID: 964
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\UserDot6Q\aoptisys.exe
    Command line: C:\UserDot6Q\aoptisys.exe
    PID: 2544
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 204B
  MD5: 4c7f6462d2c1e359f65b24df173ae856
  SHA1: 61328dcd907f2d7a4de6a181471f10ceaf425e54
  SHA256: b8f8fdcc446bf19c085c0d99e4d4bedcdb4a8d82cc06ed859f6ed8286cca2f67
  SHA512: e1efada4f50083358c6569f140a4e1ef152c685c6750796d8923312bab76ac47fd2ae1a8100e9671bc2d49d2a524b003b8539da81ecb8a8ab290c722ecac437a
- Filesize: 666KB
  MD5: 4a8833936c3c858981599332be03682f
  SHA1: 7718fbb9cae726509094b9cb2ccbe3738441a240
  SHA256: a456f41ef2ff06bbd8be81a3462c24ec1fc0481cdf96bedc5d3197d0a5538249
  SHA512: 202e7a3566df19411936e00f14e1733656ae4fbb26329bf8c0d870354b6f4151f04e5ca8d4f025e515f3d1a5b0f620e81ef585c6d9d3a94e47409a0026832150
- Filesize: 2.7MB
  MD5: b9562f2df8fbbe4b2ec515a44111fefa
  SHA1: 12353e62e9380436a2b6a579474489ea5802f031
  SHA256: b7dfacd75e67dfb011adf6b8db4fa4a674ab04c11b799df5d9561b057edc5566
  SHA512: 13fcc7e905b13c399610c53fc3d014f6374c8840f27ab6d394145191050bb45885d71cb9b7f3b576c3c45d6790a05ebcd180143e313c2fb630395eb3e2a9094c
- Filesize: 2.7MB
  MD5: 6241e742ed7042a6a59c36694bbbc400
  SHA1: 12d722c9c22d50dc3fda4a928f59101010b57160
  SHA256: 656423c162697168b9878c6f94c68821013b24b43415238a4f28d39363d51bde
  SHA512: c211e2e2d4125a3e91cff75084d3742271a400fbd5dd98bcbb0f0e64da7a4d27fcecab790d8dbde15cb2fb1fe44635660c0724e62aa72d18e267980a2cc9849b