cbf8fdba8426d3b5d7540be5f55c13de824ee8a167f9ca9a9e1c1f2411e60f00

Analysis

max time kernel
151s
max time network
132s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13/10/2023, 00:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe
Size

4.1MB
MD5

246ac5ce41f1111e5b5a47a65ac5ff7a
SHA1

fc483970cb63ecad1aaecff1e88747f89c97295e
SHA256

cbf8fdba8426d3b5d7540be5f55c13de824ee8a167f9ca9a9e1c1f2411e60f00
SHA512

f63474b702e075cd1cf562956391e84800d8011dacf64319c0665e13b6abd30418c1f17b50aaa2f2faf6982fc57feae050f92d0c393be251d3507e1f6ac931d3
SSDEEP

98304:+R0pI/IQlUoMPdmpSp34ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmE5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1736	xoptiloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2004	246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc94\\xoptiloc.exe"	246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidU4\\bodaloc.exe"	246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2004	246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe
2004	246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe
1736	xoptiloc.exe
2004	246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe
1736	xoptiloc.exe
2004	246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe
1736	xoptiloc.exe
2004	246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe
1736	xoptiloc.exe
2004	246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe
1736	xoptiloc.exe
2004	246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe
1736	xoptiloc.exe
2004	246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe
1736	xoptiloc.exe
2004	246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe
1736	xoptiloc.exe
2004	246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe
1736	xoptiloc.exe
2004	246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe
1736	xoptiloc.exe
2004	246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe
1736	xoptiloc.exe
2004	246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe
1736	xoptiloc.exe
2004	246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe
1736	xoptiloc.exe
2004	246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe
1736	xoptiloc.exe
2004	246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe
1736	xoptiloc.exe
2004	246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe
1736	xoptiloc.exe
2004	246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe
1736	xoptiloc.exe
2004	246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe
1736	xoptiloc.exe
2004	246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe
1736	xoptiloc.exe
2004	246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe
1736	xoptiloc.exe
2004	246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe
1736	xoptiloc.exe
2004	246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe
1736	xoptiloc.exe
2004	246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe
1736	xoptiloc.exe
2004	246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe
1736	xoptiloc.exe
2004	246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe
1736	xoptiloc.exe
2004	246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe
1736	xoptiloc.exe
2004	246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe
1736	xoptiloc.exe
2004	246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe
1736	xoptiloc.exe
2004	246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe
1736	xoptiloc.exe
2004	246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe
1736	xoptiloc.exe
2004	246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe
1736	xoptiloc.exe
2004	246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 1736	2004	246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe	28
PID 2004 wrote to memory of 1736	2004	246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe	28
PID 2004 wrote to memory of 1736	2004	246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe	28
PID 2004 wrote to memory of 1736	2004	246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe
"C:\Users\Admin\AppData\Local\Temp\246ac5ce41f1111e5b5a47a65ac5ff7a_JC.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Intelproc94\xoptiloc.exe
  C:\Intelproc94\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Intelproc94\xoptiloc.exe

Filesize
4.1MB

MD5
90a471eb22311755bcc0e8aad5f70e53

SHA1
465324ffa461a0f9b6be1e16b82dda68bc0b4300

SHA256
abd9faa27980e22ea16d2fc3851bf13f113f229464869103909b1d25e521100d

SHA512
cbe9f6ea9ca3eb5bf782f558b0ae085518a1bc0e852a1b87e6e911c503baeec23ad1ae812677d15461234f2547b4e4d9c66be56b2cdad032ccd7dc0094ce3d11

Download Submit
C:\Intelproc94\xoptiloc.exe

Filesize
4.1MB

MD5
90a471eb22311755bcc0e8aad5f70e53

SHA1
465324ffa461a0f9b6be1e16b82dda68bc0b4300

SHA256
abd9faa27980e22ea16d2fc3851bf13f113f229464869103909b1d25e521100d

SHA512
cbe9f6ea9ca3eb5bf782f558b0ae085518a1bc0e852a1b87e6e911c503baeec23ad1ae812677d15461234f2547b4e4d9c66be56b2cdad032ccd7dc0094ce3d11

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
de5ff46bbd98c5908f18fe2523743c1e

SHA1
c2dca01181763e7513d5b64b836ec8dc59d7e16f

SHA256
2e123d8ef0107fcb619909e4b7c2a7a8981f1119593fa17886e585cdeee29a61

SHA512
5c7da34af87dd9b468dea3e5513acea0eb08d524aa26e136d322e9efee2e1277d7e6000c30b21bb0289bb6c61e13cc76a8ce4dc59ab5c70ee73a748cc4ce1ba0

Download Submit
C:\VidU4\bodaloc.exe

Filesize
4.1MB

MD5
a047e9b4fb6ad45ec0d8eff30b707d86

SHA1
6d00072786f134fbbd59ce6f8292e51dfbce1b5f

SHA256
787c4ac0470f1002d7347d69d3a62314e5d41bc7d9eeab4c1a83f73af8452435

SHA512
013aa1afe44d1dbecbd4ddb27a6324f676b35947ad1eb49ed9c26d99283c661e87a690416934ac2ced84cb6c117dfe83c326de270f01606ab59c644baec62766

Download Submit
C:\VidU4\bodaloc.exe

Filesize
4.1MB

MD5
a047e9b4fb6ad45ec0d8eff30b707d86

SHA1
6d00072786f134fbbd59ce6f8292e51dfbce1b5f

SHA256
787c4ac0470f1002d7347d69d3a62314e5d41bc7d9eeab4c1a83f73af8452435

SHA512
013aa1afe44d1dbecbd4ddb27a6324f676b35947ad1eb49ed9c26d99283c661e87a690416934ac2ced84cb6c117dfe83c326de270f01606ab59c644baec62766

Download Submit
\Intelproc94\xoptiloc.exe

Filesize
4.1MB

MD5
90a471eb22311755bcc0e8aad5f70e53

SHA1
465324ffa461a0f9b6be1e16b82dda68bc0b4300

SHA256
abd9faa27980e22ea16d2fc3851bf13f113f229464869103909b1d25e521100d

SHA512
cbe9f6ea9ca3eb5bf782f558b0ae085518a1bc0e852a1b87e6e911c503baeec23ad1ae812677d15461234f2547b4e4d9c66be56b2cdad032ccd7dc0094ce3d11

Download Submit