5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
16/08/2024, 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe
Size

2.7MB
MD5

9e9a0ccc98580bf6f22a82672f25fac3
SHA1

d0535c707f51cf600db830949cae4d16d0fc7a32
SHA256

5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95
SHA512

dcd2d6d5ebb65c3b0ec4f09786db7fda877522273a62e21299ca3319a89d9fb557769da36da72dc446eeb1c89a5aa1061be39527717c6faeecc41f6a30203c3e
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBF9w4S+:+R0pI/IQlUoMPdmpSpt4X

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2784	aoptiec.exe

Loads dropped DLL 1 IoCs

pid	Process
1848	5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot87\\aoptiec.exe"	5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintYS\\optialoc.exe"	5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1848	5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe
1848	5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe
2784	aoptiec.exe
1848	5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe
2784	aoptiec.exe
1848	5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe
2784	aoptiec.exe
1848	5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe
2784	aoptiec.exe
1848	5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe
2784	aoptiec.exe
1848	5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe
2784	aoptiec.exe
1848	5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe
2784	aoptiec.exe
1848	5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe
2784	aoptiec.exe
1848	5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe
2784	aoptiec.exe
1848	5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe
2784	aoptiec.exe
1848	5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe
2784	aoptiec.exe
1848	5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe
2784	aoptiec.exe
1848	5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe
2784	aoptiec.exe
1848	5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe
2784	aoptiec.exe
1848	5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe
2784	aoptiec.exe
1848	5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe
2784	aoptiec.exe
1848	5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe
2784	aoptiec.exe
1848	5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe
2784	aoptiec.exe
1848	5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe
2784	aoptiec.exe
1848	5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe
2784	aoptiec.exe
1848	5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe
2784	aoptiec.exe
1848	5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe
2784	aoptiec.exe
1848	5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe
2784	aoptiec.exe
1848	5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe
2784	aoptiec.exe
1848	5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe
2784	aoptiec.exe
1848	5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe
2784	aoptiec.exe
1848	5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe
2784	aoptiec.exe
1848	5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe
2784	aoptiec.exe
1848	5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe
2784	aoptiec.exe
1848	5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe
2784	aoptiec.exe
1848	5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe
2784	aoptiec.exe
1848	5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 2784	1848	5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe	31
PID 1848 wrote to memory of 2784	1848	5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe	31
PID 1848 wrote to memory of 2784	1848	5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe	31
PID 1848 wrote to memory of 2784	1848	5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe	31

C:\Users\Admin\AppData\Local\Temp\5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe
"C:\Users\Admin\AppData\Local\Temp\5000c2af391a7bf2c4fd04c9a31996ffc693e3d8190cde52e99ebb825a9ccb95.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1848
- C:\UserDot87\aoptiec.exe
  C:\UserDot87\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintYS\optialoc.exe

Filesize
2.7MB

MD5
b2c9b8845b987a5ba204aa7f4b4346f9

SHA1
96abf700ff884cf66e6786c0693616d6c93e5e9e

SHA256
fd2aec0170cd271fc479366e29d1cda23a9c63206d5d6482d922b2850969220b

SHA512
306a1122b8108645e7dd108cc412d89bc5d0de659f168077ba1c63a2bc46556abb8750c570532083d99630095746ebaea2d0f574d3ed3fcecc84319ac5549f5b

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
f2a552db3f8c6efff36d8b54e8248aa3

SHA1
09a9edb4c45b8f1f76afcbeb187462e5d530c724

SHA256
6e066ba0cb1eb8a12d3f34a2f5bde7473ffbe845698b440b0d24fc12fb10d38d

SHA512
a5b79d822efc9222663854ea175c201267120fb332273f4488bf5ab5d907a8b7466db89447f34d07602f3c7516539f5b2ad2442b22b3be4c653a6677a30b9d11

Download Submit
\UserDot87\aoptiec.exe

Filesize
2.7MB

MD5
257eac21d39205ce5195a65a3e8a8444

SHA1
14ee986b83d94b6a6682d018fcf81804313c7cf7

SHA256
d2aa1b4bed6c246b545c6946afb23bf20e329ea0301d529a19ac1cdc9c9fc4e5

SHA512
f293e9eb43163c1ee109588fa3aaf1c116a787f6d6525f33fdb281720883e6e8e9d4aa7a8e07dd202efaeac7e3fb8dff623a1be3bb8e819f197f92c3b36ab591

Download Submit