fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e

Analysis

max time kernel
150s
max time network
20s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11/08/2024, 04:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
Size

2.7MB
MD5

4b823a24aa0a70d4c28412b7f7570f74
SHA1

a4da6e011db1e23bfed54769c4e8e4658b2ae415
SHA256

fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e
SHA512

6ba1eeeddca9166444f9c646442115933e03581353d1e27c8e2c745c82126230b1fa7c214d70dddbbe05435aadd039f1787c29319c03806cd4fd3f3c554f5a94
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB/9w4Sx:+R0pI/IQlUoMPdmpSpT4

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2468	aoptiloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2304	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files1V\\aoptiloc.exe"	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBCO\\dobxsys.exe"	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiloc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2304	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2304	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2468	aoptiloc.exe
2304	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2468	aoptiloc.exe
2304	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2468	aoptiloc.exe
2304	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2468	aoptiloc.exe
2304	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2468	aoptiloc.exe
2304	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2468	aoptiloc.exe
2304	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2468	aoptiloc.exe
2304	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2468	aoptiloc.exe
2304	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2468	aoptiloc.exe
2304	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2468	aoptiloc.exe
2304	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2468	aoptiloc.exe
2304	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2468	aoptiloc.exe
2304	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2468	aoptiloc.exe
2304	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2468	aoptiloc.exe
2304	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2468	aoptiloc.exe
2304	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2468	aoptiloc.exe
2304	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2468	aoptiloc.exe
2304	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2468	aoptiloc.exe
2304	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2468	aoptiloc.exe
2304	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2468	aoptiloc.exe
2304	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2468	aoptiloc.exe
2304	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2468	aoptiloc.exe
2304	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2468	aoptiloc.exe
2304	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2468	aoptiloc.exe
2304	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2468	aoptiloc.exe
2304	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2468	aoptiloc.exe
2304	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2468	aoptiloc.exe
2304	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2468	aoptiloc.exe
2304	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2468	aoptiloc.exe
2304	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2468	aoptiloc.exe
2304	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
2468	aoptiloc.exe
2304	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2468	2304	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe	29
PID 2304 wrote to memory of 2468	2304	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe	29
PID 2304 wrote to memory of 2468	2304	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe	29
PID 2304 wrote to memory of 2468	2304	fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe	29

C:\Users\Admin\AppData\Local\Temp\fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe
"C:\Users\Admin\AppData\Local\Temp\fc9c824158f8e37e90b66d2597d52fd02ddd9fb8eb4d7d2b74f2be63baaa107e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Files1V\aoptiloc.exe
  C:\Files1V\aoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBCO\dobxsys.exe

Filesize
2.7MB

MD5
bf548526b9c4ca3083874caf156b2195

SHA1
0a71a992f7b959da1ed6f1ff516742f9ee5622b4

SHA256
285be0f8204b248e819f62850e4fb69142b2fb62d2e5656296edf182173f33b7

SHA512
cad78dccfcdb1aafa35b1144540c8fdfd893d7fc7c1911e9c1cd82f1132ed9aae5d06a9aff6d5f6631a3949a4e92e50bce1742989e7acb0e9ecf343bcf3e7b77

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
200B

MD5
7038ffaeca99001ffe1a05efee606e48

SHA1
98fa95bd29e87f2b42948922a37e6d687a22692c

SHA256
3a9621127820eba9f039cf1c2c3c8b45a13ee02bc36c1c3e3815e1eb72ea029b

SHA512
60956335218f20120d721483e9481c80eb000ed185f9b6830ca97bf060a0407765336a68584e4bff46cf00b01668c55e6c2c0a173e9dc3f06a0d7598a4cb0fbf

Download Submit
\Files1V\aoptiloc.exe

Filesize
2.7MB

MD5
ec4eb6fa9e93f656d300c3f65f54f2a3

SHA1
8752858a2a634b50711858f9562d6afd658f016b

SHA256
a78dfb1a4ace8ca37d4dfe48b402df2b6aaafc53fe90cf6705741c051c8f6ca6

SHA512
959927f81f18ae6b4c7bea83a7a459c6cdc56fa39ba31471d37cb440a9b6160c720937f30da896eb02a15a01a57395db7d990fa214f3c74f74d76c5129fabc1b

Download Submit