5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
19/04/2024, 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
Size

2.7MB
MD5

8be63f5e612759c84711c12d538223e1
SHA1

49c3fe4d9bc253f556ed618739fc61b40d19ab2a
SHA256

5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127
SHA512

dfb39c69bb4a7da30a82e8449481e88979ccbcdc1e855bd1383d5ffb3b03a2d0e1fbde810d072e995565f1771e13d6171a49f284692b6fc5bc7326ab4d3315db
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBm9w4Sx:+R0pI/IQlUoMPdmpSps4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3028	xoptisys.exe

Loads dropped DLL 1 IoCs

pid	Process
2364	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesBJ\\xoptisys.exe"	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint1R\\boddevsys.exe"	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2364	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
2364	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
3028	xoptisys.exe
2364	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
3028	xoptisys.exe
2364	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
3028	xoptisys.exe
2364	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
3028	xoptisys.exe
2364	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
3028	xoptisys.exe
2364	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
3028	xoptisys.exe
2364	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
3028	xoptisys.exe
2364	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
3028	xoptisys.exe
2364	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
3028	xoptisys.exe
2364	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
3028	xoptisys.exe
2364	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
3028	xoptisys.exe
2364	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
3028	xoptisys.exe
2364	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
3028	xoptisys.exe
2364	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
3028	xoptisys.exe
2364	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
3028	xoptisys.exe
2364	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
3028	xoptisys.exe
2364	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
3028	xoptisys.exe
2364	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
3028	xoptisys.exe
2364	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
3028	xoptisys.exe
2364	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
3028	xoptisys.exe
2364	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
3028	xoptisys.exe
2364	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
3028	xoptisys.exe
2364	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
3028	xoptisys.exe
2364	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
3028	xoptisys.exe
2364	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
3028	xoptisys.exe
2364	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
3028	xoptisys.exe
2364	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
3028	xoptisys.exe
2364	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
3028	xoptisys.exe
2364	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
3028	xoptisys.exe
2364	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
3028	xoptisys.exe
2364	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
3028	xoptisys.exe
2364	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 3028	2364	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe	28
PID 2364 wrote to memory of 3028	2364	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe	28
PID 2364 wrote to memory of 3028	2364	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe	28
PID 2364 wrote to memory of 3028	2364	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe	28

C:\Users\Admin\AppData\Local\Temp\5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
"C:\Users\Admin\AppData\Local\Temp\5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2364
- C:\FilesBJ\xoptisys.exe
  C:\FilesBJ\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Mint1R\boddevsys.exe

Filesize
2.7MB

MD5
2e54c0d5d44316e8a90effe5fa2a58ac

SHA1
408d9636eba4cd1fc704536de8ab037a70bec330

SHA256
ae0a179a427973946b2b4da11e034f3233fb8684686e4b2d94d286f5c72245f7

SHA512
b6e5c05b07da03e364b498a1b59333def31b9a1c93b4c497d771f78ece1fd7bcbac59f4a1c62c59db6966c74aed01c1be80666ba3710c3ad6562d9d07f89c00d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
becbac0ca3165a92d70415f576052135

SHA1
4e863488cf71a102220d0c49567a269d9d30b05e

SHA256
1828ed1300604db7ebb8fcc06f04a0cc266b17f0d0cf05a4989aa7268f6512da

SHA512
f1ba8593b8b4ddbfd892d0ad3de9df5b7375a3d70f403225d5d891f13e4b0b0c87232cc3ba2c0ebab29f39fe788b05f78bd0b38205324be17b914917e9d314a5

Download Submit
\FilesBJ\xoptisys.exe

Filesize
2.7MB

MD5
f5465099dde7df4250a407da2dfb1c94

SHA1
6f4011a17b9f7dd313a12b9cbbb272878ec7c40a

SHA256
c3625df3fceb5f5b0df5fa449c2545d0d21740f3882bf9c9ac40146575a0e04c

SHA512
3e7c7cadb4fca302dfb0224719a12479d705ed8d47ed5e6c53a0accf8e790c944c1ffc0e5fd89d9d587728720027fc09b0bfd68fa4737b8e06532175a116e77c

Download Submit