17b329e0d6da73f0c70f344df42fdc29979ce3a192df44a25b7af5344b6b131a

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
24/08/2024, 07:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7514b9cf1c38abad72f58d776d0a00d0N.exe
Size

3.1MB
MD5

7514b9cf1c38abad72f58d776d0a00d0
SHA1

d926398b8ba6229cd2202c005d8fabb3dc1d9397
SHA256

17b329e0d6da73f0c70f344df42fdc29979ce3a192df44a25b7af5344b6b131a
SHA512

dac11531ed4d8c9370298b55fbe7b86e426025f693be64d38904699058cc7984dcbd6da4a4da1beeeed605f6c8534ab36f7b812a85c21ca9359021c7098a878f
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBA9w4Su+LNfej:+R0pI/IQlUoMPdmpSpO4JkNfej

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2712	aoptiec.exe

Loads dropped DLL 1 IoCs

pid	Process
2820	7514b9cf1c38abad72f58d776d0a00d0N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotML\\aoptiec.exe"	7514b9cf1c38abad72f58d776d0a00d0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintHY\\dobxloc.exe"	7514b9cf1c38abad72f58d776d0a00d0N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7514b9cf1c38abad72f58d776d0a00d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2820	7514b9cf1c38abad72f58d776d0a00d0N.exe
2820	7514b9cf1c38abad72f58d776d0a00d0N.exe
2712	aoptiec.exe
2820	7514b9cf1c38abad72f58d776d0a00d0N.exe
2712	aoptiec.exe
2820	7514b9cf1c38abad72f58d776d0a00d0N.exe
2712	aoptiec.exe
2820	7514b9cf1c38abad72f58d776d0a00d0N.exe
2712	aoptiec.exe
2820	7514b9cf1c38abad72f58d776d0a00d0N.exe
2712	aoptiec.exe
2820	7514b9cf1c38abad72f58d776d0a00d0N.exe
2712	aoptiec.exe
2820	7514b9cf1c38abad72f58d776d0a00d0N.exe
2712	aoptiec.exe
2820	7514b9cf1c38abad72f58d776d0a00d0N.exe
2712	aoptiec.exe
2820	7514b9cf1c38abad72f58d776d0a00d0N.exe
2712	aoptiec.exe
2820	7514b9cf1c38abad72f58d776d0a00d0N.exe
2712	aoptiec.exe
2820	7514b9cf1c38abad72f58d776d0a00d0N.exe
2712	aoptiec.exe
2820	7514b9cf1c38abad72f58d776d0a00d0N.exe
2712	aoptiec.exe
2820	7514b9cf1c38abad72f58d776d0a00d0N.exe
2712	aoptiec.exe
2820	7514b9cf1c38abad72f58d776d0a00d0N.exe
2712	aoptiec.exe
2820	7514b9cf1c38abad72f58d776d0a00d0N.exe
2712	aoptiec.exe
2820	7514b9cf1c38abad72f58d776d0a00d0N.exe
2712	aoptiec.exe
2820	7514b9cf1c38abad72f58d776d0a00d0N.exe
2712	aoptiec.exe
2820	7514b9cf1c38abad72f58d776d0a00d0N.exe
2712	aoptiec.exe
2820	7514b9cf1c38abad72f58d776d0a00d0N.exe
2712	aoptiec.exe
2820	7514b9cf1c38abad72f58d776d0a00d0N.exe
2712	aoptiec.exe
2820	7514b9cf1c38abad72f58d776d0a00d0N.exe
2712	aoptiec.exe
2820	7514b9cf1c38abad72f58d776d0a00d0N.exe
2712	aoptiec.exe
2820	7514b9cf1c38abad72f58d776d0a00d0N.exe
2712	aoptiec.exe
2820	7514b9cf1c38abad72f58d776d0a00d0N.exe
2712	aoptiec.exe
2820	7514b9cf1c38abad72f58d776d0a00d0N.exe
2712	aoptiec.exe
2820	7514b9cf1c38abad72f58d776d0a00d0N.exe
2712	aoptiec.exe
2820	7514b9cf1c38abad72f58d776d0a00d0N.exe
2712	aoptiec.exe
2820	7514b9cf1c38abad72f58d776d0a00d0N.exe
2712	aoptiec.exe
2820	7514b9cf1c38abad72f58d776d0a00d0N.exe
2712	aoptiec.exe
2820	7514b9cf1c38abad72f58d776d0a00d0N.exe
2712	aoptiec.exe
2820	7514b9cf1c38abad72f58d776d0a00d0N.exe
2712	aoptiec.exe
2820	7514b9cf1c38abad72f58d776d0a00d0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2712	2820	7514b9cf1c38abad72f58d776d0a00d0N.exe	30
PID 2820 wrote to memory of 2712	2820	7514b9cf1c38abad72f58d776d0a00d0N.exe	30
PID 2820 wrote to memory of 2712	2820	7514b9cf1c38abad72f58d776d0a00d0N.exe	30
PID 2820 wrote to memory of 2712	2820	7514b9cf1c38abad72f58d776d0a00d0N.exe	30

C:\Users\Admin\AppData\Local\Temp\7514b9cf1c38abad72f58d776d0a00d0N.exe
"C:\Users\Admin\AppData\Local\Temp\7514b9cf1c38abad72f58d776d0a00d0N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2820
- C:\UserDotML\aoptiec.exe
  C:\UserDotML\aoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintHY\dobxloc.exe

Filesize
61KB

MD5
6129d28fd7fda2612040596b27b9d097

SHA1
b28376266a62f9e3644eeb1679011c3c57f1dd39

SHA256
1170930386364ac9df2c5ff3e6f4aadc848a34fec8aa1986a618de4cbba6ce38

SHA512
49ab78fa6ce5aa6655f1c5708f18d044c91316494622569651cf3e5cd51bceeceda4ac2fceb17ecd2728fa6947ecc79aab40d9b9e3d8e77d524ce0939803e3fa

Download Submit
C:\MintHY\dobxloc.exe

Filesize
3.1MB

MD5
5069f0b6017c1c56eb54aecc7efda553

SHA1
711243c737c7040b12ba2dfdfce8f2de23c4b604

SHA256
fc6fb9a62c170146f48f4b11b2b70f921578ed603f41a3ac2bcc97714b8a77ad

SHA512
6e7f58709cacbccc971e2108f49a0329f61b02960eb1d015b7e6aaba810035bdaeafff3da9c44f12f86e225a074c92af48c7d99b7e8dccfc40340c3c8298a08f

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
25bae65f046b2c9cab27502bfc5e4606

SHA1
df8f97f84333995ad9a9eadabefaf8fc9ce10c88

SHA256
e9b1336c02c58302e4b2cd2d290b5a9ca0ee3adffb25e993d03e11143b5206b2

SHA512
a11af6f04cfc5ea5e5a36d6c55d92565ab40f47f89eeeb6aba997ba1047033e6242700f4bba9808b0a5c1167ce8bc683ded3a08ca85aeef322b3d59c8e3c5bb4

Download Submit
\UserDotML\aoptiec.exe

Filesize
3.1MB

MD5
0741abb8afe3d1f8f11ba5de9fcc510a

SHA1
74fa4a636397237813d8b7a80bb9cad808715c84

SHA256
a6b0879cef2062ce9e86bd7221a6abb2a7928029f3a81d6145da2636a3e4cc8b

SHA512
c4b68e4fcf92c5dbdbbdcc9812a52d10157d01b61ac416f4769b47a51ab474caf2da85454467afc8cde14659b6f749d080118f0d63f08d8302d969ea6bd00022

Download Submit