78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2024, 22:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
Size

2.7MB
MD5

f4c15e4237f6e469c43c0e960221427e
SHA1

905870f4120e5952128f7a77411b89ea4c21c6b8
SHA256

78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c
SHA512

13e1be3f3b49581c091c09cc0ec078c09c80b36b5ca8c989f5bcb3e62a4655d213e598e9d37bd64f09f444508f313c1726006ed09fa6dffba30de857b44a47cc
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB09w4S+:+R0pI/IQlUoMPdmpSpe4X

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5028	aoptiec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeYY\\aoptiec.exe"	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZJU\\optiaec.exe"	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1492	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
1492	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
1492	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
1492	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
5028	aoptiec.exe
5028	aoptiec.exe
1492	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
1492	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
5028	aoptiec.exe
5028	aoptiec.exe
1492	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
1492	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
5028	aoptiec.exe
5028	aoptiec.exe
1492	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
1492	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
5028	aoptiec.exe
5028	aoptiec.exe
1492	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
1492	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
5028	aoptiec.exe
5028	aoptiec.exe
1492	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
1492	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
5028	aoptiec.exe
5028	aoptiec.exe
1492	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
1492	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
5028	aoptiec.exe
5028	aoptiec.exe
1492	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
1492	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
5028	aoptiec.exe
5028	aoptiec.exe
1492	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
1492	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
5028	aoptiec.exe
5028	aoptiec.exe
1492	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
1492	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
5028	aoptiec.exe
5028	aoptiec.exe
1492	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
1492	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
5028	aoptiec.exe
5028	aoptiec.exe
1492	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
1492	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
5028	aoptiec.exe
5028	aoptiec.exe
1492	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
1492	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
5028	aoptiec.exe
5028	aoptiec.exe
1492	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
1492	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
5028	aoptiec.exe
5028	aoptiec.exe
1492	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
1492	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
5028	aoptiec.exe
5028	aoptiec.exe
1492	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
1492	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 5028	1492	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe	86
PID 1492 wrote to memory of 5028	1492	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe	86
PID 1492 wrote to memory of 5028	1492	78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe	86

C:\Users\Admin\AppData\Local\Temp\78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe
"C:\Users\Admin\AppData\Local\Temp\78c328a4c13d63f0309badd4be3db2c9b4503dcd8a1285857fded5767801182c.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1492
- C:\AdobeYY\aoptiec.exe
  C:\AdobeYY\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeYY\aoptiec.exe

Filesize
2.7MB

MD5
3f9e68b92661d50ad2edbf8b98a0144e

SHA1
61c38a27265f6ab7d6f3909ef4b4c7a4983c2053

SHA256
979cca1b467458f3f6f734297c0da04a69cdbac22b2baad56cfc45801b43678b

SHA512
b760bff9ea8918c3b3e952efcc2125adbd080bcd27106093168145cb9e17d5c219f20648d8da122a01583e3c8db9969ded55870b3c316a34451d09f7d1571842

Download Submit
C:\LabZJU\optiaec.exe

Filesize
2.7MB

MD5
360d07be5fb5551dbef371eac740b5dd

SHA1
1322e6ae55be3e29dd4642e61616dda59d158e81

SHA256
4a6290cabe890093b68e37a3e51bdbaab8c795ec027fcfd6a002df7df9fabda9

SHA512
0c1c962b9ef9e2e34f412848e69b7c7b2d0f2e8e0a40ad85f175fef751973ed7be7a670aaa61c03e9fd2280f179bd874573c8d7a913c5d10d888d3d5c834611c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
193B

MD5
abf77aefe4cc81f084a001b660784a57

SHA1
a5724af3bd767dcee99756b111aecd2da4b296aa

SHA256
391656ea4c90cd0da3708a4fb846933a5d3a96cd36a7be8b6df60aa8eb90f93b

SHA512
101fd294a0ca0ea95004bc1e900c79a600c961c1ef55bd0fb3dac32cd3a222fe1b1f920faa09e8888385486b9dee34f85b259312f3d77d71d01b1ea8c5e2411d

Download Submit