896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe
Size

2.7MB
MD5

7c235d649523b2a39da9190c65cbff65
SHA1

d3f04a2028a326a1cc7eb232c418ce743d8463b0
SHA256

896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf
SHA512

1e569ee83ba78d733eb69c9655162fcdb90940dc6efb0318e859ce8e50c254ec230ec333396a2af38f03c9f2fae685759c6f2cf77edc3daef9a6c6776b164258
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBa9w4Sx:+R0pI/IQlUoMPdmpSpE4

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
896	aoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotGL\\aoptisys.exe"	896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZVN\\boddevec.exe"	896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aoptisys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4360	896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe
4360	896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe
4360	896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe
4360	896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe
896	aoptisys.exe
896	aoptisys.exe
4360	896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe
4360	896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe
896	aoptisys.exe
896	aoptisys.exe
4360	896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe
4360	896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe
896	aoptisys.exe
896	aoptisys.exe
4360	896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe
4360	896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe
896	aoptisys.exe
896	aoptisys.exe
4360	896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe
4360	896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe
896	aoptisys.exe
896	aoptisys.exe
4360	896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe
4360	896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe
896	aoptisys.exe
896	aoptisys.exe
4360	896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe
4360	896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe
896	aoptisys.exe
896	aoptisys.exe
4360	896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe
4360	896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe
896	aoptisys.exe
896	aoptisys.exe
4360	896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe
4360	896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe
896	aoptisys.exe
896	aoptisys.exe
4360	896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe
4360	896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe
896	aoptisys.exe
896	aoptisys.exe
4360	896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe
4360	896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe
896	aoptisys.exe
896	aoptisys.exe
4360	896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe
4360	896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe
896	aoptisys.exe
896	aoptisys.exe
4360	896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe
4360	896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe
896	aoptisys.exe
896	aoptisys.exe
4360	896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe
4360	896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe
896	aoptisys.exe
896	aoptisys.exe
4360	896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe
4360	896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe
896	aoptisys.exe
896	aoptisys.exe
4360	896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe
4360	896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4360 wrote to memory of 896	4360	896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe	88
PID 4360 wrote to memory of 896	4360	896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe	88
PID 4360 wrote to memory of 896	4360	896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe	88

C:\Users\Admin\AppData\Local\Temp\896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe
"C:\Users\Admin\AppData\Local\Temp\896a6b3230fecefdd77efe8e7a29aa517aecc0d126f6cfae08b8112b108e3acf.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4360
- C:\UserDotGL\aoptisys.exe
  C:\UserDotGL\aoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZVN\boddevec.exe

Filesize
2.7MB

MD5
99a17f774cc59eed62cd5f3e93b14671

SHA1
d062693d2a3c3128bdbf7058e594df65c2c96c8a

SHA256
6295aa948ca357adb987a4cdd5231b1bb68cc5a463bf1c8c584c6d6d1fbe825d

SHA512
5be95c9bc0b68e2cb146689144a8a2fa84a7bef661da67f4a427871460a1fe8f04b0a07af322dee50c91dbc6d587b982177628c8b5b760e0deb1603dc4e8a175

Download Submit
C:\UserDotGL\aoptisys.exe

Filesize
2.7MB

MD5
cf9d5d854211e5d81ddb2de24cd7c96a

SHA1
8974dd564446e8218111e1a92c515ae68838bbfd

SHA256
1cd021bf5c8f493901c7c6f72ff2dd1261278f5c3bb298ddb5085f5b3e743b28

SHA512
591f75683404f2a5a4ecb47c56ae400884a2dc76d7dedcc4e40c34bb4cb17e90d5f299a48c9db86b6f37077c45791afdffea1a3ffd0fcc6d6087585e5535803c

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
fef90ace0a1064c94bbbdda3f930f658

SHA1
192c117946e659c0b04092c35e3bd0f553d6c112

SHA256
6dbca343c77f7a3c9d568719215977e41572771f30307256e763c51f6b1e5e0e

SHA512
732633bd2ce76f9da371d8284465af46b5ffd5f075d300b226da1155215354e7cf413eedac691784414eb91ec62798a061de2b6db1a7425bf3e942bf5565e5ed

Download Submit