5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
Size

2.7MB
MD5

8be63f5e612759c84711c12d538223e1
SHA1

49c3fe4d9bc253f556ed618739fc61b40d19ab2a
SHA256

5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127
SHA512

dfb39c69bb4a7da30a82e8449481e88979ccbcdc1e855bd1383d5ffb3b03a2d0e1fbde810d072e995565f1771e13d6171a49f284692b6fc5bc7326ab4d3315db
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBm9w4Sx:+R0pI/IQlUoMPdmpSps4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4536	xoptiloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocW0\\xoptiloc.exe"	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintKW\\bodasys.exe"	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2700	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
2700	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
2700	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
2700	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
4536	xoptiloc.exe
4536	xoptiloc.exe
2700	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
2700	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
4536	xoptiloc.exe
4536	xoptiloc.exe
2700	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
2700	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
4536	xoptiloc.exe
4536	xoptiloc.exe
2700	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
2700	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
4536	xoptiloc.exe
4536	xoptiloc.exe
2700	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
2700	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
4536	xoptiloc.exe
4536	xoptiloc.exe
2700	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
2700	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
4536	xoptiloc.exe
4536	xoptiloc.exe
2700	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
2700	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
4536	xoptiloc.exe
4536	xoptiloc.exe
2700	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
2700	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
4536	xoptiloc.exe
4536	xoptiloc.exe
2700	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
2700	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
4536	xoptiloc.exe
4536	xoptiloc.exe
2700	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
2700	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
4536	xoptiloc.exe
4536	xoptiloc.exe
2700	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
2700	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
4536	xoptiloc.exe
4536	xoptiloc.exe
2700	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
2700	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
4536	xoptiloc.exe
4536	xoptiloc.exe
2700	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
2700	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
4536	xoptiloc.exe
4536	xoptiloc.exe
2700	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
2700	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
4536	xoptiloc.exe
4536	xoptiloc.exe
2700	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
2700	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
4536	xoptiloc.exe
4536	xoptiloc.exe
2700	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
2700	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 4536	2700	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe	90
PID 2700 wrote to memory of 4536	2700	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe	90
PID 2700 wrote to memory of 4536	2700	5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe	90

C:\Users\Admin\AppData\Local\Temp\5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe
"C:\Users\Admin\AppData\Local\Temp\5250d827c90a720d38fb3c10fa44590ba4b3ecc72586a9087146bf50932c8127.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2700
- C:\IntelprocW0\xoptiloc.exe
  C:\IntelprocW0\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\IntelprocW0\xoptiloc.exe

Filesize
2.7MB

MD5
51178036a8034eb9b681f0237f977d5d

SHA1
c565dd9b6f2b2bbaab45c3c9ede9e7ff4bc61326

SHA256
cbc9cea1d208d79db68c1b0daa69404c72f24c1ef0ef6486c80ae46effab7731

SHA512
84a08629610f5c9b1c81f2ed707bf79d1b4017932ba59372656d738d008e62750c2b023ecee89201f13beb5ad9422c96eb84387105d4a3c2b890bed501c6e43c

Download Submit
C:\MintKW\bodasys.exe

Filesize
2.7MB

MD5
7a7acef05cfacf4a0e83d99bc9e9401a

SHA1
615df42d157e27eebc9984bb369a2c6a90b90a2d

SHA256
c96a333b163bf1b5c56af161887d316632b46fb87f601417a5182092e50dfd3d

SHA512
e59c64d6f167f37347a1bfa08e0bf5169937fc2ac5e8f6934e73edb09c650256f92dada89421c7863cc2655e72657bfe9286203e1cf686fcebc14f156f55f69a

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
206B

MD5
9178419788c5767ce78c78fe5faab439

SHA1
ed49ab1a13a9196e640ecb3dc69ed4480da9d56d

SHA256
1018eb141c9b775bdcf5ff19ee5dd1882b426f42a4aea196b2600b45f0df0c23

SHA512
6c096ea738cf22a0fb3adedd4b68123e648b20b3eb1182918dce6e895dd9d265c15e209e2f74319a0cf80e927806ae395183616ef6bf33ac2c998205f8dde711

Download Submit