988526843c7d50dab47d9c52f77ab5c6542b44f78282df20be606c9d713643c0

Analysis

max time kernel
170s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd99076eb030f22ee62ea34d4485d8d0.exe
Size

2.7MB
MD5

cd99076eb030f22ee62ea34d4485d8d0
SHA1

c562745d8125cc3ca6439df4a91320c38943938c
SHA256

988526843c7d50dab47d9c52f77ab5c6542b44f78282df20be606c9d713643c0
SHA512

0fc85889bfcc85091e028a3d7dbdf09d42c1660af6857f1747affc0c8e294d594c29dac13cc81d35ba64d20f9edb8ff45fa92766b13b03f2377782eb24ac32c7
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBa9w4Sx:+R0pI/IQlUoMPdmpSpU4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2592	xoptiloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2144	cd99076eb030f22ee62ea34d4485d8d0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotO1\\xoptiloc.exe"	cd99076eb030f22ee62ea34d4485d8d0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintL4\\optiaec.exe"	cd99076eb030f22ee62ea34d4485d8d0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2144	cd99076eb030f22ee62ea34d4485d8d0.exe
2144	cd99076eb030f22ee62ea34d4485d8d0.exe
2592	xoptiloc.exe
2144	cd99076eb030f22ee62ea34d4485d8d0.exe
2144	cd99076eb030f22ee62ea34d4485d8d0.exe
2592	xoptiloc.exe
2144	cd99076eb030f22ee62ea34d4485d8d0.exe
2592	xoptiloc.exe
2144	cd99076eb030f22ee62ea34d4485d8d0.exe
2592	xoptiloc.exe
2144	cd99076eb030f22ee62ea34d4485d8d0.exe
2592	xoptiloc.exe
2144	cd99076eb030f22ee62ea34d4485d8d0.exe
2592	xoptiloc.exe
2144	cd99076eb030f22ee62ea34d4485d8d0.exe
2592	xoptiloc.exe
2144	cd99076eb030f22ee62ea34d4485d8d0.exe
2592	xoptiloc.exe
2144	cd99076eb030f22ee62ea34d4485d8d0.exe
2592	xoptiloc.exe
2144	cd99076eb030f22ee62ea34d4485d8d0.exe
2592	xoptiloc.exe
2144	cd99076eb030f22ee62ea34d4485d8d0.exe
2592	xoptiloc.exe
2144	cd99076eb030f22ee62ea34d4485d8d0.exe
2592	xoptiloc.exe
2144	cd99076eb030f22ee62ea34d4485d8d0.exe
2592	xoptiloc.exe
2144	cd99076eb030f22ee62ea34d4485d8d0.exe
2592	xoptiloc.exe
2144	cd99076eb030f22ee62ea34d4485d8d0.exe
2592	xoptiloc.exe
2144	cd99076eb030f22ee62ea34d4485d8d0.exe
2592	xoptiloc.exe
2144	cd99076eb030f22ee62ea34d4485d8d0.exe
2592	xoptiloc.exe
2144	cd99076eb030f22ee62ea34d4485d8d0.exe
2592	xoptiloc.exe
2144	cd99076eb030f22ee62ea34d4485d8d0.exe
2592	xoptiloc.exe
2144	cd99076eb030f22ee62ea34d4485d8d0.exe
2592	xoptiloc.exe
2144	cd99076eb030f22ee62ea34d4485d8d0.exe
2592	xoptiloc.exe
2144	cd99076eb030f22ee62ea34d4485d8d0.exe
2592	xoptiloc.exe
2144	cd99076eb030f22ee62ea34d4485d8d0.exe
2592	xoptiloc.exe
2144	cd99076eb030f22ee62ea34d4485d8d0.exe
2592	xoptiloc.exe
2144	cd99076eb030f22ee62ea34d4485d8d0.exe
2592	xoptiloc.exe
2144	cd99076eb030f22ee62ea34d4485d8d0.exe
2592	xoptiloc.exe
2144	cd99076eb030f22ee62ea34d4485d8d0.exe
2592	xoptiloc.exe
2144	cd99076eb030f22ee62ea34d4485d8d0.exe
2592	xoptiloc.exe
2144	cd99076eb030f22ee62ea34d4485d8d0.exe
2592	xoptiloc.exe
2144	cd99076eb030f22ee62ea34d4485d8d0.exe
2592	xoptiloc.exe
2144	cd99076eb030f22ee62ea34d4485d8d0.exe
2592	xoptiloc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 2592	2144	cd99076eb030f22ee62ea34d4485d8d0.exe	27
PID 2144 wrote to memory of 2592	2144	cd99076eb030f22ee62ea34d4485d8d0.exe	27
PID 2144 wrote to memory of 2592	2144	cd99076eb030f22ee62ea34d4485d8d0.exe	27
PID 2144 wrote to memory of 2592	2144	cd99076eb030f22ee62ea34d4485d8d0.exe	27

C:\Users\Admin\AppData\Local\Temp\cd99076eb030f22ee62ea34d4485d8d0.exe
"C:\Users\Admin\AppData\Local\Temp\cd99076eb030f22ee62ea34d4485d8d0.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2144
- C:\UserDotO1\xoptiloc.exe
  C:\UserDotO1\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintL4\optiaec.exe

Filesize
2.7MB

MD5
c5e0bbf8a3104bfbce6b6024b3176051

SHA1
b932423e167f31056a161b8ab0d711f4856fb071

SHA256
f4b0c1884728c681148f86c1c6e6aef81efa44d8672d8553fa0b318c12b2c2c7

SHA512
9e85616263529b000de55ba8e5c085884621f67b0fff0cab3891693846a5d02910f302c755d8036726d7cf9100a8778c75671e300ab01047261e867f191f396e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
a7637f9136e412d7e604904173477ff4

SHA1
7e124e4f6217941cada3d55ce5cfb7df84a67651

SHA256
881691106f17294bcffc9fa6fcc11d646cf21c92e8b991306bc678f1bcb13acf

SHA512
07b3c36d83cf0b7703b007a00c56a596141fc0e8fcd39aed2e765a74b436a6af12119c836d42c26803869d4f16aa741b811ead7be0182f79d1376427c2844d4e

Download Submit
\UserDotO1\xoptiloc.exe

Filesize
2.7MB

MD5
fc0e0579ab14476b4a4711e8b6629c00

SHA1
5f0d024c63b8d2927af91a3e0a5b28324e56b0f9

SHA256
5ad78db7c943d307aabf3764a503a23f8a16c052fb18ec59871503476df38cf0

SHA512
0031876f253f5fda4bb4d51a6c7711559f2ce30f95862cef1005d3360459bf3b54ce3da1ee88612d56810b34517c7212aecac1417fddaab6d51d6ded98d17a4d

Download Submit