8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-08-2024 00:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe
Size

2.7MB
MD5

94615b7623dd766ffb3e62c61d088c60
SHA1

fbf9f4cc468b4f4cf97794f43183525ce127518d
SHA256

8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74
SHA512

7ba8e818cba9db057bbefd870e3e597ef5f6537ceda4ed0471168938dc9131607eb563aeb843029cd2db12ca1b65f905776463247e9afcd76f16ed1a741c8e18
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBc9w4S+:+R0pI/IQlUoMPdmpSpq4X

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4580	aoptiec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB0P\\bodxec.exe"	8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvCU\\aoptiec.exe"	8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiec.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\AdminI.]]1NaNI?\NZV[TI:VP_\`\SaIDV[Q\d`I@aN_a :R[bI=_\T_NZ`I@aN_ab]Iecabod.exe	8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe
File created	C:\Users\AdminI.]]1NaNI?\NZV[TI:VP_\`\SaIDV[Q\d`I@aN_a	aoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2172	8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe
2172	8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe
2172	8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe
2172	8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe
4580	aoptiec.exe
4580	aoptiec.exe
2172	8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe
2172	8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe
4580	aoptiec.exe
4580	aoptiec.exe
2172	8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe
2172	8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe
4580	aoptiec.exe
4580	aoptiec.exe
2172	8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe
2172	8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe
4580	aoptiec.exe
4580	aoptiec.exe
2172	8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe
2172	8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe
4580	aoptiec.exe
4580	aoptiec.exe
2172	8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe
2172	8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe
4580	aoptiec.exe
4580	aoptiec.exe
2172	8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe
2172	8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe
4580	aoptiec.exe
4580	aoptiec.exe
2172	8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe
2172	8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe
4580	aoptiec.exe
4580	aoptiec.exe
2172	8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe
2172	8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe
4580	aoptiec.exe
4580	aoptiec.exe
2172	8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe
2172	8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe
4580	aoptiec.exe
4580	aoptiec.exe
2172	8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe
2172	8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe
4580	aoptiec.exe
4580	aoptiec.exe
2172	8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe
2172	8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe
4580	aoptiec.exe
4580	aoptiec.exe
2172	8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe
2172	8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe
4580	aoptiec.exe
4580	aoptiec.exe
2172	8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe
2172	8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe
4580	aoptiec.exe
4580	aoptiec.exe
2172	8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe
2172	8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe
4580	aoptiec.exe
4580	aoptiec.exe
2172	8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe
2172	8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 4580	2172	8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe	86
PID 2172 wrote to memory of 4580	2172	8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe	86
PID 2172 wrote to memory of 4580	2172	8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe	86

C:\Users\Admin\AppData\Local\Temp\8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe
"C:\Users\Admin\AppData\Local\Temp\8cf3b8ba397d9a555eb73e0270fab5b3d1d49838496c78fd301302352aa89f74.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2172
- C:\SysDrvCU\aoptiec.exe
  C:\SysDrvCU\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVB0P\bodxec.exe

Filesize
2.7MB

MD5
3122547f54f29958017a55b56430edc8

SHA1
d2a3a633bce71d24be240870a65c3901ed3bc50f

SHA256
919ed6fcecc1c38b0dcb53ce7f247350898a1a116da39811bd93d88c408826f5

SHA512
786a2a10dbda32dda248680184e62a9be3d5382a1a6db39b5077b30abc39dfdf0f777530ddb8ee5d948a7ca148c9927aa9c7b90aed6d1ece36bcba2d630f6827

Download Submit
C:\SysDrvCU\aoptiec.exe

Filesize
2.7MB

MD5
f65ddee7bda52b4544860ffd654565a2

SHA1
e8f087b7ab8290d976daf83e312b831f3fe7bdd1

SHA256
c77744ce38e7b561a09e6e25c52f0deed06b9e17de65d5ae9348701a3a7c83c2

SHA512
bd4c6d7d272d93b7e0b3667285525b1383bc2b84111aa9d584c2b37502c9b1b51aeaabbd8eb2afad472b4b9bb58cb3b2ed27c05a384b0bc91e5d7e851b374345

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
126d9c4dfa4d1a4ed5b540e0184cbc79

SHA1
1a026a4d2a4749a16296c301c8f802e88c6909d9

SHA256
04178e0cd7f60e0309861178340ea54679b6925982f9e0fd0ea98a1bf5f8b2a9

SHA512
fa9b26aea55edde88c300dbfe7ac21ac4833166bc3bbb84e477283c27285a22e47227a06870a39259141e9d637923dc26b2361a8a0b729ecb6eade8337fee5ad

Download Submit