989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18-02-2024 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe
Size

4.1MB
MD5

90597856dff5a4bb25fefab0ea1d507e
SHA1

b7236b109561835b061f145b96796e12eabec7be
SHA256

989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc
SHA512

08f11b050f9cbddeae284c50df7d174f0bac0edbf02d36bea863fb63cc71b27f0856ebebdea7d7aa176ad2527dcddb83c144285ba8bcd22317d152d3010fe998
SSDEEP

98304:+R0pI/IQlUoMPdmpSp24ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmx5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2660	xoptiec.exe

Loads dropped DLL 1 IoCs

pid	Process
1648	989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotIO\\xoptiec.exe"	989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBA1\\boddevec.exe"	989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1648	989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe
1648	989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe
2660	xoptiec.exe
1648	989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe
2660	xoptiec.exe
1648	989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe
2660	xoptiec.exe
1648	989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe
2660	xoptiec.exe
1648	989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe
2660	xoptiec.exe
1648	989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe
2660	xoptiec.exe
1648	989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe
2660	xoptiec.exe
1648	989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe
2660	xoptiec.exe
1648	989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe
2660	xoptiec.exe
1648	989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe
2660	xoptiec.exe
1648	989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe
2660	xoptiec.exe
1648	989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe
2660	xoptiec.exe
1648	989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe
2660	xoptiec.exe
1648	989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe
2660	xoptiec.exe
1648	989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe
2660	xoptiec.exe
1648	989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe
2660	xoptiec.exe
1648	989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe
2660	xoptiec.exe
1648	989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe
2660	xoptiec.exe
1648	989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe
2660	xoptiec.exe
1648	989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe
2660	xoptiec.exe
1648	989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe
2660	xoptiec.exe
1648	989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe
2660	xoptiec.exe
1648	989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe
2660	xoptiec.exe
1648	989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe
2660	xoptiec.exe
1648	989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe
2660	xoptiec.exe
1648	989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe
2660	xoptiec.exe
1648	989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe
2660	xoptiec.exe
1648	989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe
2660	xoptiec.exe
1648	989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe
2660	xoptiec.exe
1648	989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe
2660	xoptiec.exe
1648	989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe
2660	xoptiec.exe
1648	989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 2660	1648	989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe	28
PID 1648 wrote to memory of 2660	1648	989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe	28
PID 1648 wrote to memory of 2660	1648	989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe	28
PID 1648 wrote to memory of 2660	1648	989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe	28

C:\Users\Admin\AppData\Local\Temp\989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe
"C:\Users\Admin\AppData\Local\Temp\989630e3d4c0a724d834f4848bce8e856908dea3c466912e5e3813481fab7fcc.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1648
- C:\UserDotIO\xoptiec.exe
  C:\UserDotIO\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBA1\boddevec.exe

Filesize
4.1MB

MD5
a4511a06c31ce23694974b6cd6570e1c

SHA1
b656aeecdf71062b763bd41961626ce3c6a9dce5

SHA256
f333b3e30ad35571d8227a46ae18f253c3b7e4f7d88f3cf4fee937b05b027529

SHA512
425a52fe9bb2d6d679d47c04a4eb019ccb11dfb04036ec1da20a0e3eaf4ac474371ab098c33bab0472706c8b5b953fd6f73fd6312ee4c7a260b077faeeefcdd9

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
96d0be7cbc766da306848170215b65d9

SHA1
148f71c4a81f107ee4627c2c0e5131e920a53869

SHA256
0eed38f70ac6581a08fcb34aad43197d6bcb86a12ec27ea6df80f964ad863389

SHA512
c5ad5ce72d25b4853cb17298c5b239bc5354bd3502af4abe10494fe0748af3ee4ae2d000412b425d2eda84f56c2d8894acbf3a1a8bbc9d7c583e434b6d3997a0

Download Submit
\UserDotIO\xoptiec.exe

Filesize
4.1MB

MD5
5f5e3d82f504de3068a0a556ff7de783

SHA1
a3decd826febced41d23539e976683050002aee7

SHA256
e09913599ee86ec018ae00128d0743c73cec9bb03b673491fefe96b8091d560b

SHA512
f97bb979b2d2f74c4706f3d0f9bcd1da4626bfc584a3ab99533dfc64c5ba97144a58151ddcd91a378a6890b41ea83b8ec79361454cd47e07f7693045ed1f0f65

Download Submit