d7ad9153fca552f21476689a7f80853774738c033cdb53981902dfd873aee7d7

Analysis

max time kernel
149s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 08:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
Size

2.7MB
MD5

04b2eddf716f9ee4ecf89f68004e5110
SHA1

5bf5c320a23f15da9c0c0135d69b9e44ee810f21
SHA256

d7ad9153fca552f21476689a7f80853774738c033cdb53981902dfd873aee7d7
SHA512

96a46b9f904359b142023b0c618d6df59121d4e7be539c549f610bf6eeeefcdbb610670dc7d386d8fb9b11de6487671a96ac8c159e214477737170b3c784ba6f
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBQ9w4Sx:+R0pI/IQlUoMPdmpSpa4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3380	xoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotGB\\xoptisys.exe"	04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBXQ\\optialoc.exe"	04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1132	04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
1132	04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
1132	04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
1132	04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
3380	xoptisys.exe
3380	xoptisys.exe
1132	04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
1132	04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
3380	xoptisys.exe
3380	xoptisys.exe
1132	04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
1132	04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
3380	xoptisys.exe
3380	xoptisys.exe
1132	04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
1132	04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
3380	xoptisys.exe
3380	xoptisys.exe
1132	04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
1132	04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
3380	xoptisys.exe
3380	xoptisys.exe
1132	04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
1132	04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
3380	xoptisys.exe
3380	xoptisys.exe
1132	04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
1132	04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
3380	xoptisys.exe
3380	xoptisys.exe
1132	04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
1132	04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
3380	xoptisys.exe
3380	xoptisys.exe
1132	04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
1132	04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
3380	xoptisys.exe
3380	xoptisys.exe
1132	04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
1132	04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
3380	xoptisys.exe
3380	xoptisys.exe
1132	04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
1132	04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
3380	xoptisys.exe
3380	xoptisys.exe
1132	04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
1132	04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
3380	xoptisys.exe
3380	xoptisys.exe
1132	04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
1132	04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
3380	xoptisys.exe
3380	xoptisys.exe
1132	04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
1132	04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
3380	xoptisys.exe
3380	xoptisys.exe
1132	04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
1132	04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
3380	xoptisys.exe
3380	xoptisys.exe
1132	04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
1132	04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 3380	1132	04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe	90
PID 1132 wrote to memory of 3380	1132	04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe	90
PID 1132 wrote to memory of 3380	1132	04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe	90

C:\Users\Admin\AppData\Local\Temp\04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\04b2eddf716f9ee4ecf89f68004e5110_NEAS.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1132
- C:\UserDotGB\xoptisys.exe
  C:\UserDotGB\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBXQ\optialoc.exe

Filesize
2.7MB

MD5
bae49ec5a2d85ed706c4984bb8276137

SHA1
7101baae08a3cc28eae475d59822992ca2c583db

SHA256
ace6f6f5e416969955d27cab661648524195453868353b36f75a52682f5d336b

SHA512
8f52d44c9607ede897a309019e116a3996a32aec47676b35e7869e1a27c1977bc40cb98e6ea55b16ebb77d50f98edb928d0a1df9b391719be76e8b28725d5d0a

Download Submit
C:\UserDotGB\xoptisys.exe

Filesize
2.7MB

MD5
61b58d20a121d08d8c810e31503334b0

SHA1
543f80f40ce4436d2cdfc8bfd4b8a9679b79ebdc

SHA256
b5a45bc2f42b1e791ee8372eba5f4ef1154814ddb0d6e3b132f2686d19dffe66

SHA512
00bcf6b2c84b7c0fb264feff0b6aa9a7b5ec9a8bb0755cb786ef11539b8f6b2c74c6caf4abe70176aa1694c02a4624e097018d7f1f2c063f9b3dd886b835e590

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
205B

MD5
4b260e6b8875d3a448c312188493b835

SHA1
a6ecb6add0ce54f8a6e72684a417d58afd835969

SHA256
f2fe9409699a68bd9855c5056fc234b20f0b7bd33ae049884a51f828375ada99

SHA512
ea440d1b6b9ea80ad42cf64833f5a32aebafdddf80c6ba33bd51f3e0e38c97e7597c7a38315114f31b0cca8ad4a314a0af7fd533d4cb0d90f31f002de990b1f7

Download Submit