4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd.exe
Size

2.7MB
MD5

47d4ce76d326a7349fe8c8131200fb0a
SHA1

fe8e9ddbb33eca682733bfd1057b879abe6b2854
SHA256

4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd
SHA512

df7731483233c455593db27f98aff4276cc4db00884263b65bfb8301eea4bf36f581bd9dbbc6474638a802814cd339408e5595427f761c913aea5557f45d539f
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB19w4Sx:+R0pI/IQlUoMPdmpSpx4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2832	xoptiloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv7V\\xoptiloc.exe"	4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ8U\\bodaec.exe"	4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4700	4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd.exe
4700	4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd.exe
4700	4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd.exe
4700	4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd.exe
2832	xoptiloc.exe
2832	xoptiloc.exe
4700	4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd.exe
4700	4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd.exe
2832	xoptiloc.exe
2832	xoptiloc.exe
4700	4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd.exe
4700	4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd.exe
2832	xoptiloc.exe
2832	xoptiloc.exe
4700	4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd.exe
4700	4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd.exe
2832	xoptiloc.exe
2832	xoptiloc.exe
4700	4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd.exe
4700	4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd.exe
2832	xoptiloc.exe
2832	xoptiloc.exe
4700	4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd.exe
4700	4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd.exe
2832	xoptiloc.exe
2832	xoptiloc.exe
4700	4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd.exe
4700	4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd.exe
2832	xoptiloc.exe
2832	xoptiloc.exe
4700	4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd.exe
4700	4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd.exe
2832	xoptiloc.exe
2832	xoptiloc.exe
4700	4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd.exe
4700	4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd.exe
2832	xoptiloc.exe
2832	xoptiloc.exe
4700	4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd.exe
4700	4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd.exe
2832	xoptiloc.exe
2832	xoptiloc.exe
4700	4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd.exe
4700	4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd.exe
2832	xoptiloc.exe
2832	xoptiloc.exe
4700	4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd.exe
4700	4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd.exe
2832	xoptiloc.exe
2832	xoptiloc.exe
4700	4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd.exe
4700	4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd.exe
2832	xoptiloc.exe
2832	xoptiloc.exe
4700	4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd.exe
4700	4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd.exe
2832	xoptiloc.exe
2832	xoptiloc.exe
4700	4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd.exe
4700	4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd.exe
2832	xoptiloc.exe
2832	xoptiloc.exe
4700	4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd.exe
4700	4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4700 wrote to memory of 2832	4700	4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd.exe	86
PID 4700 wrote to memory of 2832	4700	4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd.exe	86
PID 4700 wrote to memory of 2832	4700	4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd.exe	86

C:\Users\Admin\AppData\Local\Temp\4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd.exe
"C:\Users\Admin\AppData\Local\Temp\4965536a83d73459af68ed5144f7c4c0df91fbacb2f4da637d3ecdadebdbfdcd.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4700
- C:\SysDrv7V\xoptiloc.exe
  C:\SysDrv7V\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZ8U\bodaec.exe

Filesize
2.7MB

MD5
64f84ef1784cae0009b873d4cf47a067

SHA1
d8be28174a10ea43d55067a167b6309781a5235b

SHA256
29c90e84865ed8226530f5badbd2da7c1b140f1f5a2d280e3b053cf5dc52e33e

SHA512
85ecb75442a5d777b49b772ec586668b7e32e1b749fec25d53fe081f054937dacf7cf48de45bb05f51b065bc56761c9150e0f391341dd17a44c91331b39837b4

Download Submit
C:\SysDrv7V\xoptiloc.exe

Filesize
2.7MB

MD5
7cba784a61af9875bfb2effbcca1d288

SHA1
66997c582489a39e26bf8fbe87c09a4e9fb48217

SHA256
02be0818595d89f0aca5d992fedbd702adc91f3e7852417646bf810c16f44dd5

SHA512
415f165c74a900b0e7887e3899b716c80ec2285ee6f60f96b9fa8bf52263003e50f70989b68b1a2bf4d13cd33e7fc5524ced3077b75c9f83d17769fa3da208e3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
201B

MD5
8c478d3e70bc107deef74b765dea2bc7

SHA1
1bb812bb60d0f5abd6ccc5b03898accd191472d3

SHA256
e986e1af6ddcd38a77da99158c7a2f3b2bdd6f4ffb871c9b5f1662b40d4faf64

SHA512
8013ddaca7c52c26fd74e6ef1ebb7a29c867fa716bf2bb976e8c80ade7254a7ac424135a4e52da8ce870e6b9b635cde920d5ba9be4c97ec2ef77e4fcab2d3a2e

Download Submit