db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-03-2024 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
Size

4.1MB
MD5

f9f7392efca4832e5a1f1ce6fdc74daa
SHA1

6a782ebfd563d67ea6d346e27ec2e6a7f8eeeac7
SHA256

db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a
SHA512

9d24344c1fd3f47b034a01e60417558589cc5f07d0cdf0d7368cd31eb6b9b596a5d0d833426868673486cf327bbacfff98ef599ea14db5e6efb15de41414d3bc
SSDEEP

98304:+R0pI/IQlUoMPdmpSp24ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmd5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2468	xoptiloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2456	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocPG\\xoptiloc.exe"	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxRW\\dobdevloc.exe"	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2456	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
2456	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
2468	xoptiloc.exe
2456	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
2468	xoptiloc.exe
2456	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
2468	xoptiloc.exe
2456	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
2468	xoptiloc.exe
2456	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
2468	xoptiloc.exe
2456	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
2468	xoptiloc.exe
2456	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
2468	xoptiloc.exe
2456	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
2468	xoptiloc.exe
2456	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
2468	xoptiloc.exe
2456	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
2468	xoptiloc.exe
2456	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
2468	xoptiloc.exe
2456	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
2468	xoptiloc.exe
2456	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
2468	xoptiloc.exe
2456	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
2468	xoptiloc.exe
2456	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
2468	xoptiloc.exe
2456	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
2468	xoptiloc.exe
2456	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
2468	xoptiloc.exe
2456	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
2468	xoptiloc.exe
2456	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
2468	xoptiloc.exe
2456	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
2468	xoptiloc.exe
2456	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
2468	xoptiloc.exe
2456	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
2468	xoptiloc.exe
2456	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
2468	xoptiloc.exe
2456	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
2468	xoptiloc.exe
2456	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
2468	xoptiloc.exe
2456	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
2468	xoptiloc.exe
2456	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
2468	xoptiloc.exe
2456	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
2468	xoptiloc.exe
2456	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
2468	xoptiloc.exe
2456	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
2468	xoptiloc.exe
2456	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
2468	xoptiloc.exe
2456	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 2468	2456	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe	28
PID 2456 wrote to memory of 2468	2456	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe	28
PID 2456 wrote to memory of 2468	2456	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe	28
PID 2456 wrote to memory of 2468	2456	db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe	28

C:\Users\Admin\AppData\Local\Temp\db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe
"C:\Users\Admin\AppData\Local\Temp\db97fd769a922f6810effa4dc0ec6625e6b1c088b911d3f717ba209540f3349a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2456
- C:\IntelprocPG\xoptiloc.exe
  C:\IntelprocPG\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxRW\dobdevloc.exe

Filesize
1.8MB

MD5
1ec2e4c8ae277dbee54c5f753308c826

SHA1
34f9f4136b30ec53c1e62fdcee1caf662ca7b277

SHA256
36174a2de46fc0195f61c15ca20140ac073972057e2ddb12045590cbb9b7ad48

SHA512
46c16f5755c272d7fbd93148282fbe69daf70b3c0db7db9f4cc822fb730f7832eadf872dd366e4ea1a965a5b399d0eed55473e2d8660a6874f228a6b986a0215

Download Submit
C:\GalaxRW\dobdevloc.exe

Filesize
2.2MB

MD5
897e3950ad8854a81bf011ad4a42258d

SHA1
a8a7c19181151237dc10e073892093bf833941d7

SHA256
009a0d5c6bf67525818997d9c64c6dfe4d098fb498cd373031a8f3c5697bd1e2

SHA512
c5efd1c1a22dd3f8948bffc6a5d239ad00aeaff67ccb767eb0717cda0665ac98958687720ab96981418140320c6947d553dc4665623e1ba30e756f40df6b3dad

Download Submit
C:\IntelprocPG\xoptiloc.exe

Filesize
86KB

MD5
ed7f9e2bcdbc6f7ed78ef3ad9b92e5b2

SHA1
4edb2b272a8d16632736e76481b2ec659f352e26

SHA256
cf99bea831a40952e4748dd648f0e82fdd518cfa77286f70ff49f68d2a4eee3a

SHA512
9bbe31c89337749f9a2a83b91f0471709f314ed87d0d4f4e93f780383548d14ee0a46b9306984ae4667c26fcabdbd18160e4801c2ac6e07c313a9e6872637350

Download Submit
C:\IntelprocPG\xoptiloc.exe

Filesize
903KB

MD5
74964282f1adcfedba1b9c5412116af9

SHA1
8c29a72b8c3cd6de92a1f50fc94eea96b0f22889

SHA256
982483887fdb99604352f3da908daba0c9cf4e439368902a002a42d987c24f04

SHA512
79bc7ce09c95b185e8b16af01e45dfd2e4c9d17c11c296c52e04067aa5174e0452ecc43e321c4afbc5f92a96caa02fc9df162bf1872e587c81133c1b496cce0d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
208B

MD5
37374e444894c1cdb97b3e7288b77f42

SHA1
f13c039c9a7348d33c37de02ed2b97921a5b80fd

SHA256
e63ec5e9c5755bcfcbb64c223c7f355db04e61697a3a4ad3b81af884451a2338

SHA512
92589e884b06fa8ada162b630700067b1b3f4d987ecb3141e4854ee24ad5befb8aa377aa3023e1a08d56897948d8d801efde33e6a07a4de4ffbabc80ed3f2032

Download Submit
\IntelprocPG\xoptiloc.exe

Filesize
1.4MB

MD5
6dbb195af4b3056cbd977109c9bbabd8

SHA1
3bfcf10a797adfc845eb85570a6a4630dacdb82c

SHA256
bb4553058bfe13f267e8ceada5204fe0083b54fd7d4a7aa07dc6bf248df8b5d6

SHA512
073fbedef6bfc0b94e9fe0bb5df3c4fa9f65e6b93658631f70e30e7aa09c4f0f13fe1d2ce3b4bddc577cf3f0ba4f4c789ca74a70cc58699b9253b0cc0ff84e0a

Download Submit