e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 04:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead.exe
Size

2.7MB
MD5

3aced0ecc8a427e9b5c029b5fdd681c8
SHA1

49a102d6dee23a6781196a4019657b20429e09cc
SHA256

e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead
SHA512

61bb59b4fef8bd7c3b38670d0e4fd0dd7733f622cac4288cc76326ac7fd433a23ff73b76b57fcbdc0daf7dbd964da174fae51b0610a0d56d20ca6d10c24775ae
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBa9w4Sx:+R0pI/IQlUoMPdmpSpU4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4348	xoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe7H\\xoptisys.exe"	e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax7B\\bodxloc.exe"	e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2416	e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead.exe
2416	e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead.exe
2416	e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead.exe
2416	e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead.exe
4348	xoptisys.exe
4348	xoptisys.exe
2416	e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead.exe
2416	e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead.exe
4348	xoptisys.exe
4348	xoptisys.exe
2416	e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead.exe
2416	e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead.exe
4348	xoptisys.exe
4348	xoptisys.exe
2416	e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead.exe
2416	e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead.exe
4348	xoptisys.exe
4348	xoptisys.exe
2416	e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead.exe
2416	e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead.exe
4348	xoptisys.exe
4348	xoptisys.exe
2416	e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead.exe
2416	e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead.exe
4348	xoptisys.exe
4348	xoptisys.exe
2416	e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead.exe
2416	e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead.exe
4348	xoptisys.exe
4348	xoptisys.exe
2416	e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead.exe
2416	e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead.exe
4348	xoptisys.exe
4348	xoptisys.exe
2416	e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead.exe
2416	e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead.exe
4348	xoptisys.exe
4348	xoptisys.exe
2416	e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead.exe
2416	e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead.exe
4348	xoptisys.exe
4348	xoptisys.exe
2416	e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead.exe
2416	e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead.exe
4348	xoptisys.exe
4348	xoptisys.exe
2416	e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead.exe
2416	e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead.exe
4348	xoptisys.exe
4348	xoptisys.exe
2416	e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead.exe
2416	e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead.exe
4348	xoptisys.exe
4348	xoptisys.exe
2416	e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead.exe
2416	e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead.exe
4348	xoptisys.exe
4348	xoptisys.exe
2416	e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead.exe
2416	e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead.exe
4348	xoptisys.exe
4348	xoptisys.exe
2416	e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead.exe
2416	e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 4348	2416	e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead.exe	88
PID 2416 wrote to memory of 4348	2416	e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead.exe	88
PID 2416 wrote to memory of 4348	2416	e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead.exe	88

C:\Users\Admin\AppData\Local\Temp\e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead.exe
"C:\Users\Admin\AppData\Local\Temp\e26b9998410fd4f508e5fa8ea25b1df20f02561d5748f0eff63308dc76292ead.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Adobe7H\xoptisys.exe
  C:\Adobe7H\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Adobe7H\xoptisys.exe

Filesize
2.7MB

MD5
2917047d715797c3918275772b20f201

SHA1
536914a12fc243a36825a39900a6f94a0cd02cd7

SHA256
72c4439dd12454c4db1f09e0e72199190c371fedcfb93ab4e4314b89fcf2d746

SHA512
96c628bce24c607eff658afc274075f8ee3a89b3e08e456b3c29bd30803d3c7d19abdae4ad1ae12b6fb49dc0230cbe6c6a5f6a0f5d95faf002eef7b7509ce115

Download Submit
C:\Galax7B\bodxloc.exe

Filesize
24KB

MD5
8ea53c792f7c1e933b815bbd15d05fde

SHA1
af115a5719fcfec80ea4a0e559253470e0d94d8c

SHA256
0413b9eb1ce1ce6f7c36a1824ff4ef484e2d1c51d816511c63c45265e0b57f5a

SHA512
623bb27f1758473fc1f554205acabd9b8326bf1db856573494f4f775139c99f83222e9afc884be8f73e8620d8293e68760a601a51607c9eda75b69f989074ce3

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
a0613d72999a433df7d887b8a7bc710d

SHA1
24fc2cf810210944e70285fa670614ae6a86d194

SHA256
65a4995bcb53d35300e0b813d7f81b7fb43db09854c5b9dea42ce52a673dcc02

SHA512
e836ce85f261ace2debd99c8a362083bc34e9d1c8ea0ab3abac290ac77273a644aae1317f5c1a9ab777e2498bc8359ad88ffccd9a2a4e08041919224dfa07339

Download Submit