717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
26/05/2024, 23:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe
Size

4.1MB
MD5

61c3ea4acfa0c83ffc1eb50017e93b3c
SHA1

17573c7e6e9995d9e0b5ac3745464c62b3278258
SHA256

717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916
SHA512

7e5bb338041d8a44dac5faa10b566ece123ccf9421c8488c986208bd074f36bef19fd8f66b3d59f7b89fa25c4195da01f62bf1bfa63bcfff796a44a191b61703
SSDEEP

98304:+R0pI/IQlUoMPdmpSps4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmX5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1724	xoptiec.exe

Loads dropped DLL 1 IoCs

pid	Process
1648	717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files5O\\xoptiec.exe"	717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidDM\\optixec.exe"	717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1648	717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe
1648	717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe
1724	xoptiec.exe
1648	717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe
1724	xoptiec.exe
1648	717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe
1724	xoptiec.exe
1648	717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe
1724	xoptiec.exe
1648	717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe
1724	xoptiec.exe
1648	717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe
1724	xoptiec.exe
1648	717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe
1724	xoptiec.exe
1648	717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe
1724	xoptiec.exe
1648	717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe
1724	xoptiec.exe
1648	717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe
1724	xoptiec.exe
1648	717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe
1724	xoptiec.exe
1648	717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe
1724	xoptiec.exe
1648	717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe
1724	xoptiec.exe
1648	717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe
1724	xoptiec.exe
1648	717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe
1724	xoptiec.exe
1648	717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe
1724	xoptiec.exe
1648	717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe
1724	xoptiec.exe
1648	717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe
1724	xoptiec.exe
1648	717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe
1724	xoptiec.exe
1648	717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe
1724	xoptiec.exe
1648	717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe
1724	xoptiec.exe
1648	717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe
1724	xoptiec.exe
1648	717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe
1724	xoptiec.exe
1648	717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe
1724	xoptiec.exe
1648	717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe
1724	xoptiec.exe
1648	717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe
1724	xoptiec.exe
1648	717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe
1724	xoptiec.exe
1648	717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe
1724	xoptiec.exe
1648	717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe
1724	xoptiec.exe
1648	717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe
1724	xoptiec.exe
1648	717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe
1724	xoptiec.exe
1648	717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 1724	1648	717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe	28
PID 1648 wrote to memory of 1724	1648	717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe	28
PID 1648 wrote to memory of 1724	1648	717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe	28
PID 1648 wrote to memory of 1724	1648	717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe	28

C:\Users\Admin\AppData\Local\Temp\717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe
"C:\Users\Admin\AppData\Local\Temp\717801512798b71de2ff6b5e3e8c606019727e4d173ee5110636905839b7a916.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Files5O\xoptiec.exe
  C:\Files5O\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
4f6b73891e3e3c70e977c64c3f67a8d5

SHA1
97efbbd764265e58d49c987a6725621d4c21e5a5

SHA256
09fb695045c7050d090468077ba55ffafd7ad3ac00952dc9d79a177382ebde54

SHA512
0927838a9110789fdb467e3da77e1c03c8d56c41fbc9ff9bc5d8e4dd7a088a7195b140e4ff2b0d6d0c46aeff362ddefd16634a34f2731294bc415d40c17381c9

Download Submit
C:\VidDM\optixec.exe

Filesize
4.1MB

MD5
e9735b2bb5c133d35fc889dc720ccb6c

SHA1
6e164de70784c7ee82381306cac6ca33dbf94d85

SHA256
7bbffc9c69e1e59b438f9ee77dd9024819bfcba2c6347b2e1e4e2032b6fff91f

SHA512
019beba6e1f02eb3d8ef24298b781e4b7b124cde1da569f3dcf21f6f3707011b7ef1114cb36d9b0aca1d1db28e0f3fe20ea5e02857f6a634cd86ebd8fd4937a9

Download Submit
\Files5O\xoptiec.exe

Filesize
4.1MB

MD5
2ca9a49e1ed80a56f44c660743f90389

SHA1
d3264b19639e80e018b465bcf8d0ac4a1d84f6f4

SHA256
d875ad5259fdcf1c5549dc59abefa49f84460806a4fb4ba5ec435111635dde0e

SHA512
e9e0bc2fba9a4c1c67f193ed6ef37fc29b90e81f96bb6775c1c30cf33056994f3dfba174f7366646a2e1412f69c5509c7366d1b9f434ff865dfab1efe374a04c

Download Submit