f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
15/03/2024, 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe
Size

4.1MB
MD5

ba87ef73f9a51c364e7f27bcb97c0960
SHA1

4da645f6e2d825faa3ec6e7370f5af89e678eabd
SHA256

f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69
SHA512

5ff23494aa709d6684f63e3507b39fa8cb643a0816d0c5834ede08a2c9a6baf188ba5969ec655b1ab5617f8330d3ff34fc2a9ba97babfec946611b3723c6be86
SSDEEP

98304:+R0pI/IQlUoMPdmpSpH4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmM5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1964	xoptiloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2200	f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files20\\xoptiloc.exe"	f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB4D\\dobxsys.exe"	f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2200	f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe
2200	f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe
1964	xoptiloc.exe
2200	f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe
1964	xoptiloc.exe
2200	f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe
1964	xoptiloc.exe
2200	f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe
1964	xoptiloc.exe
2200	f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe
1964	xoptiloc.exe
2200	f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe
1964	xoptiloc.exe
2200	f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe
1964	xoptiloc.exe
2200	f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe
1964	xoptiloc.exe
2200	f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe
1964	xoptiloc.exe
2200	f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe
1964	xoptiloc.exe
2200	f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe
1964	xoptiloc.exe
2200	f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe
1964	xoptiloc.exe
2200	f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe
1964	xoptiloc.exe
2200	f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe
1964	xoptiloc.exe
2200	f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe
1964	xoptiloc.exe
2200	f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe
1964	xoptiloc.exe
2200	f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe
1964	xoptiloc.exe
2200	f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe
1964	xoptiloc.exe
2200	f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe
1964	xoptiloc.exe
2200	f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe
1964	xoptiloc.exe
2200	f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe
1964	xoptiloc.exe
2200	f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe
1964	xoptiloc.exe
2200	f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe
1964	xoptiloc.exe
2200	f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe
1964	xoptiloc.exe
2200	f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe
1964	xoptiloc.exe
2200	f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe
1964	xoptiloc.exe
2200	f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe
1964	xoptiloc.exe
2200	f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe
1964	xoptiloc.exe
2200	f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe
1964	xoptiloc.exe
2200	f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe
1964	xoptiloc.exe
2200	f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe
1964	xoptiloc.exe
2200	f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 1964	2200	f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe	28
PID 2200 wrote to memory of 1964	2200	f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe	28
PID 2200 wrote to memory of 1964	2200	f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe	28
PID 2200 wrote to memory of 1964	2200	f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe	28

C:\Users\Admin\AppData\Local\Temp\f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe
"C:\Users\Admin\AppData\Local\Temp\f42c1f989073eef0b430b6e4efe4961334728d27a13d7af5d8ade31fadd11b69.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Files20\xoptiloc.exe
  C:\Files20\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Files20\xoptiloc.exe

Filesize
1.8MB

MD5
13ec4f0d6a11e323fc4f2ccd56cccc68

SHA1
fd6314f073b3bf794472449d161a812c52310f31

SHA256
9a4be0356b704fc6744389751936aa97436925f7e1a402c6f52317492fd5ce9f

SHA512
455fc71a9c28c5ce69ac4c47802f1b151addbdc46bb40c59645f69ec660bdd6f93ce62639bf3d5f0e1e6bca04b0dd7c301992db6817ab504786f887e4f72cda0

Download Submit
C:\Files20\xoptiloc.exe

Filesize
1.8MB

MD5
2d6cc1448b3bd944cf3cac422f5e4057

SHA1
1fed24e5645df5f828fe9070864d8e4517c6625e

SHA256
12cbfd96a6c4b8f959ff3388562ca1c198a116f486c1bbedec531ae98278e517

SHA512
80fb247416b99a1deb0a8219ecdbf4e66672e5a76880dbe368c90f503f49181d7199abdc58507615c3f0caab158b14c662480f3b217c89625b683dd6c7870d05

Download Submit
C:\KaVB4D\dobxsys.exe

Filesize
895KB

MD5
76079b37db4143cf7e32639bfbfd66d0

SHA1
ac8527cceeb69eb7a3492474805cf25590a7d2e8

SHA256
941c2b7420ad940f00bf56824ec32688ada0f8187e01fe49a996216caf5351f2

SHA512
f39f678d7019b2b4cd4e6665d4817221a509e1c7a56166a412dd0090ee9e113276f6ec41d16a64e55b78d6c9c623a6dffa07b6e92ef1684617173ab574834fed

Download Submit
C:\KaVB4D\dobxsys.exe

Filesize
846KB

MD5
284e540322c80c60e2d5995f693b0032

SHA1
3d182fc43038795d015da849e39ba58966d11205

SHA256
aa3a38ad0b7cc37c0059f65533e0cd95dd5f6d658bd92108f16b74a517fa303a

SHA512
3df37e2547bfffac921a48935b248f1f10f75dc7c7c2dcdbc0bf984ea9605084764b2c5916c8d930684f32785d9ea42d7e050f3df5a973f4b320e1e8ec5b7edb

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
140b370a7c4e28722d85c760ab0e6b35

SHA1
d9f64f7f0d7e381621ca2546e1e7f0d5949518c1

SHA256
85c8634219234e2846402f93ae180f593953769bac546f44fac6865d410d3861

SHA512
aa2e6c1bcedf618758abe8279452aed22abd978c8a11049e1fc0dae0a2332f2e60b0ee104550d26bc7e834b3a6e057cb82b4b307bd8879b951c5429d03e19c82

Download Submit
\Files20\xoptiloc.exe

Filesize
3.0MB

MD5
f02509b0ab962b419a216a4a77d0ec1b

SHA1
2b18d58816e7c92185219f1fb1c9c1059a7ba26f

SHA256
285ec8a57b40a2ced9132b8d0917e2089514ffd5ee9cb2b5283464e771d64c25

SHA512
14d20d86543c57e813d229da4e74ebc282b3381e57f2a60f345eb43d3aa1cd65795307bb44efdc8c96d25eb47a9b343dafa4a078f56ee2faa4f1e0d916583382

Download Submit