1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
02/05/2024, 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe
Size

2.7MB
MD5

a3ceca4d3d403615885dfb4e869a9ac4
SHA1

7fa1f9b8318608af67e85e9c7601721b89e4c644
SHA256

1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8
SHA512

588896293a9e8413bcf183aec0340742c8b89357ef678ab1484132f799cc66d5e1076e076fb155980151f7d402f604604b59b610fd06b84c3844aa3d918229c6
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBc9w4Sx:+R0pI/IQlUoMPdmpSpS4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1548	xoptisys.exe

Loads dropped DLL 1 IoCs

pid	Process
2916	1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvZH\\xoptisys.exe"	1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZCH\\boddevsys.exe"	1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2916	1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe
2916	1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe
1548	xoptisys.exe
2916	1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe
1548	xoptisys.exe
2916	1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe
1548	xoptisys.exe
2916	1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe
1548	xoptisys.exe
2916	1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe
1548	xoptisys.exe
2916	1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe
1548	xoptisys.exe
2916	1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe
1548	xoptisys.exe
2916	1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe
1548	xoptisys.exe
2916	1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe
1548	xoptisys.exe
2916	1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe
1548	xoptisys.exe
2916	1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe
1548	xoptisys.exe
2916	1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe
1548	xoptisys.exe
2916	1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe
1548	xoptisys.exe
2916	1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe
1548	xoptisys.exe
2916	1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe
1548	xoptisys.exe
2916	1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe
1548	xoptisys.exe
2916	1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe
1548	xoptisys.exe
2916	1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe
1548	xoptisys.exe
2916	1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe
1548	xoptisys.exe
2916	1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe
1548	xoptisys.exe
2916	1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe
1548	xoptisys.exe
2916	1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe
1548	xoptisys.exe
2916	1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe
1548	xoptisys.exe
2916	1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe
1548	xoptisys.exe
2916	1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe
1548	xoptisys.exe
2916	1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe
1548	xoptisys.exe
2916	1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe
1548	xoptisys.exe
2916	1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe
1548	xoptisys.exe
2916	1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe
1548	xoptisys.exe
2916	1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe
1548	xoptisys.exe
2916	1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe
1548	xoptisys.exe
2916	1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 1548	2916	1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe	28
PID 2916 wrote to memory of 1548	2916	1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe	28
PID 2916 wrote to memory of 1548	2916	1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe	28
PID 2916 wrote to memory of 1548	2916	1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe	28

C:\Users\Admin\AppData\Local\Temp\1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe
"C:\Users\Admin\AppData\Local\Temp\1c2edf8ac660370d8ff4ed5cdecf6a892635acc7b4d3c2f811b1ec5b9b3cd8b8.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2916
- C:\SysDrvZH\xoptisys.exe
  C:\SysDrvZH\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZCH\boddevsys.exe

Filesize
2.7MB

MD5
29acafdfff9eec977a7456538fdd4cbe

SHA1
f62e1d7985d93c5ed3528d6c6128f9d8f0d2bf37

SHA256
a7568a160ffa241f2ac917195ec4d5983fd041d688e63b6879aaec3464be1271

SHA512
cadcc3a1beedadbf0bd846ea2b38c34f783dfde2dafbf40c973614ef7d2e0aefdd99c6b6904d77f9459d255115b95b0aaf21ed89da017c23998a7df1e48d2048

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
922d38374f81b7dacfbe1f7a65adc59b

SHA1
ecf8479ec2ca7ba1fbd650451c9995db0b0ce99f

SHA256
62e6e43ac2ab4218a814a84c408c07ebab4163f40eaab05ae464138da92c7f64

SHA512
0142fd43e9b653cfc7741742c3357f828d6a01b0cb777494dd01ebf1e80a8708ceda38c8fd2383700aea6ad95f9c99e15d8f21da8cff416a7bd91b3277ebdd51

Download Submit
\SysDrvZH\xoptisys.exe

Filesize
2.7MB

MD5
a0ff866254f9538e95c156ad965d7122

SHA1
cb29b788c28c89c0922f28e251946c6b942d9a94

SHA256
5fc5dd0a9a14fc0eb2f531decf808bd3205858431f9c56f2cde07e9a0bdf85b5

SHA512
579cb280817497f06223609620fcae7868a6e5f1dcf82b3891973419c46599758d7dff7fd73799b95d70fc1fb4c066a012b9566ec65105b81ea5bc9639c1d0e0

Download Submit