2cfa36a6c3a36d52793327ff366f4f8c77c15a6020027325057291b57b33ad77

Analysis

max time kernel
119s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ad55bc51c9fbfbc6be1dbdc6b145150N.exe
Size

2.7MB
MD5

0ad55bc51c9fbfbc6be1dbdc6b145150
SHA1

de89840f374ad98a06207bcca6a6ca3fc43dae7e
SHA256

2cfa36a6c3a36d52793327ff366f4f8c77c15a6020027325057291b57b33ad77
SHA512

dc0538b60e420f298ae5822117577b673d51006e5a9630ad521a54548524fd571499e1bc342cfad6117539d114620f43fc39795da09bcae5efebba6b6014f9cb
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBL9w4Sx:+R0pI/IQlUoMPdmpSpH4

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1980	aoptiec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax8C\\optidevec.exe"	0ad55bc51c9fbfbc6be1dbdc6b145150N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvR5\\aoptiec.exe"	0ad55bc51c9fbfbc6be1dbdc6b145150N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0ad55bc51c9fbfbc6be1dbdc6b145150N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2280	0ad55bc51c9fbfbc6be1dbdc6b145150N.exe
2280	0ad55bc51c9fbfbc6be1dbdc6b145150N.exe
2280	0ad55bc51c9fbfbc6be1dbdc6b145150N.exe
2280	0ad55bc51c9fbfbc6be1dbdc6b145150N.exe
1980	aoptiec.exe
1980	aoptiec.exe
2280	0ad55bc51c9fbfbc6be1dbdc6b145150N.exe
2280	0ad55bc51c9fbfbc6be1dbdc6b145150N.exe
1980	aoptiec.exe
1980	aoptiec.exe
2280	0ad55bc51c9fbfbc6be1dbdc6b145150N.exe
2280	0ad55bc51c9fbfbc6be1dbdc6b145150N.exe
1980	aoptiec.exe
1980	aoptiec.exe
2280	0ad55bc51c9fbfbc6be1dbdc6b145150N.exe
2280	0ad55bc51c9fbfbc6be1dbdc6b145150N.exe
1980	aoptiec.exe
1980	aoptiec.exe
2280	0ad55bc51c9fbfbc6be1dbdc6b145150N.exe
2280	0ad55bc51c9fbfbc6be1dbdc6b145150N.exe
1980	aoptiec.exe
1980	aoptiec.exe
2280	0ad55bc51c9fbfbc6be1dbdc6b145150N.exe
2280	0ad55bc51c9fbfbc6be1dbdc6b145150N.exe
1980	aoptiec.exe
1980	aoptiec.exe
2280	0ad55bc51c9fbfbc6be1dbdc6b145150N.exe
2280	0ad55bc51c9fbfbc6be1dbdc6b145150N.exe
1980	aoptiec.exe
1980	aoptiec.exe
2280	0ad55bc51c9fbfbc6be1dbdc6b145150N.exe
2280	0ad55bc51c9fbfbc6be1dbdc6b145150N.exe
1980	aoptiec.exe
1980	aoptiec.exe
2280	0ad55bc51c9fbfbc6be1dbdc6b145150N.exe
2280	0ad55bc51c9fbfbc6be1dbdc6b145150N.exe
1980	aoptiec.exe
1980	aoptiec.exe
2280	0ad55bc51c9fbfbc6be1dbdc6b145150N.exe
2280	0ad55bc51c9fbfbc6be1dbdc6b145150N.exe
1980	aoptiec.exe
1980	aoptiec.exe
2280	0ad55bc51c9fbfbc6be1dbdc6b145150N.exe
2280	0ad55bc51c9fbfbc6be1dbdc6b145150N.exe
1980	aoptiec.exe
1980	aoptiec.exe
2280	0ad55bc51c9fbfbc6be1dbdc6b145150N.exe
2280	0ad55bc51c9fbfbc6be1dbdc6b145150N.exe
1980	aoptiec.exe
1980	aoptiec.exe
2280	0ad55bc51c9fbfbc6be1dbdc6b145150N.exe
2280	0ad55bc51c9fbfbc6be1dbdc6b145150N.exe
1980	aoptiec.exe
1980	aoptiec.exe
2280	0ad55bc51c9fbfbc6be1dbdc6b145150N.exe
2280	0ad55bc51c9fbfbc6be1dbdc6b145150N.exe
1980	aoptiec.exe
1980	aoptiec.exe
2280	0ad55bc51c9fbfbc6be1dbdc6b145150N.exe
2280	0ad55bc51c9fbfbc6be1dbdc6b145150N.exe
1980	aoptiec.exe
1980	aoptiec.exe
2280	0ad55bc51c9fbfbc6be1dbdc6b145150N.exe
2280	0ad55bc51c9fbfbc6be1dbdc6b145150N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 1980	2280	0ad55bc51c9fbfbc6be1dbdc6b145150N.exe	84
PID 2280 wrote to memory of 1980	2280	0ad55bc51c9fbfbc6be1dbdc6b145150N.exe	84
PID 2280 wrote to memory of 1980	2280	0ad55bc51c9fbfbc6be1dbdc6b145150N.exe	84

C:\Users\Admin\AppData\Local\Temp\0ad55bc51c9fbfbc6be1dbdc6b145150N.exe
"C:\Users\Admin\AppData\Local\Temp\0ad55bc51c9fbfbc6be1dbdc6b145150N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2280
- C:\SysDrvR5\aoptiec.exe
  C:\SysDrvR5\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Galax8C\optidevec.exe

Filesize
2.7MB

MD5
2d8d5f99498c975407ae4e967f62b472

SHA1
fbe50f024a83673f29b206caad12d156223ac653

SHA256
a9ae90b7cfdfcfd481f32d9d495639011af1e3ebb6a8149ebbf382b20c2e59ca

SHA512
f47fe7685cb9f57428cec77935751322861907439e9672ad73e1b252de41e35e5c1a5d603433b58fc9b2c7d771c64514fd0e0b87c04a28605241d93f5da16fcb

Download Submit
C:\SysDrvR5\aoptiec.exe

Filesize
2.7MB

MD5
8133ae965319686e659edc2d42336e6c

SHA1
e3327e6eba810ddc68294ed76f885c9cda6e73ee

SHA256
e3f38d45b7103756bb0afa7c0fb600f3cdc2572cb295b511997763288ccb6b2e

SHA512
49ce7c236ede915dd85391c3bc91023bc9f8812710ab54546dd96866b0225891507c5f5f85724b96b38112aba45b69ed0430feba6866295e7653041c14fa40ad

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
203B

MD5
11ac2895a2d269bac8eae580e7031d14

SHA1
fa5dc87552be16d6d023dfdf369b5d8c029a18af

SHA256
4c80452ced7210bc4bb62c7daaf4662fb9167b342688b06664458a6751742063

SHA512
6444e03f8334e70fd877890a2601a4692535bcf29f1df581aaaa53a2c1f2c94540f8be0a3f6a745ceea4429e05fe465914851f7ccf11c29a82637235c05f433c

Download Submit