08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/05/2024, 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
Size

4.1MB
MD5

8fc89c8d6143995c2ecd615dd02657c6
SHA1

487419c5f643624b0fe03f060ffd382a69bb49e3
SHA256

08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5
SHA512

9cda4bc1b9eed5d54b3c8d173f07473afe9a637c43264896eb3081f044330d6db6cf5320640d668407f3496b5c48cfd39f3bf8fc4a8f9f69eab0b5b7e62f2c7f
SSDEEP

98304:+R0pI/IQlUoMPdmpSpZ4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmG5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2804	xoptiloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2880	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot2B\\xoptiloc.exe"	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid5M\\bodxloc.exe"	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2880	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
2880	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
2804	xoptiloc.exe
2880	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
2804	xoptiloc.exe
2880	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
2804	xoptiloc.exe
2880	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
2804	xoptiloc.exe
2880	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
2804	xoptiloc.exe
2880	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
2804	xoptiloc.exe
2880	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
2804	xoptiloc.exe
2880	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
2804	xoptiloc.exe
2880	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
2804	xoptiloc.exe
2880	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
2804	xoptiloc.exe
2880	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
2804	xoptiloc.exe
2880	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
2804	xoptiloc.exe
2880	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
2804	xoptiloc.exe
2880	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
2804	xoptiloc.exe
2880	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
2804	xoptiloc.exe
2880	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
2804	xoptiloc.exe
2880	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
2804	xoptiloc.exe
2880	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
2804	xoptiloc.exe
2880	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
2804	xoptiloc.exe
2880	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
2804	xoptiloc.exe
2880	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
2804	xoptiloc.exe
2880	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
2804	xoptiloc.exe
2880	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
2804	xoptiloc.exe
2880	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
2804	xoptiloc.exe
2880	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
2804	xoptiloc.exe
2880	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
2804	xoptiloc.exe
2880	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
2804	xoptiloc.exe
2880	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
2804	xoptiloc.exe
2880	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
2804	xoptiloc.exe
2880	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
2804	xoptiloc.exe
2880	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
2804	xoptiloc.exe
2880	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2804	2880	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe	28
PID 2880 wrote to memory of 2804	2880	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe	28
PID 2880 wrote to memory of 2804	2880	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe	28
PID 2880 wrote to memory of 2804	2880	08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe	28

C:\Users\Admin\AppData\Local\Temp\08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe
"C:\Users\Admin\AppData\Local\Temp\08ee4f1bbd4fecff6bfcbb0d192a68da8996bf174ecbcbd711882a909623a0f5.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2880
- C:\UserDot2B\xoptiloc.exe
  C:\UserDot2B\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
7f64cc8d6ea94b0bd4e281f72f2f63f8

SHA1
e5690393e97b899261aaad3ba1238bbffcc21575

SHA256
ffeabefd3c51e235b0e88f6a036d01faedc28bcc7fbccb019060b493994892cd

SHA512
92134368275c62347f7e29929f8376413476205df32a2bf780d7a61f90c80a218890c15a358fdc45c0ecb08683f8d0780f222227165b95f92685a5a0f88fe6b1

Download Submit
C:\Vid5M\bodxloc.exe

Filesize
4.1MB

MD5
19fe54c1db1768ae758d6453f9717a28

SHA1
2b7581cc711c2e9b37346c3f87678240b23e590c

SHA256
02b8b2a1f5073b08744e81267c9a65a724ce351e2cc54eb240a56151e47dff9f

SHA512
a5167fb0f15840d52e0d00906a2d38ca0f8eebd5252b94fa661bd353042e6d6a1dba12999e31895174cbb51474b2844dd8d849919b3bebe973c4a8bec6b9e06b

Download Submit
\UserDot2B\xoptiloc.exe

Filesize
4.1MB

MD5
1de79198a2fbf248637752e3a5bf367e

SHA1
2205204738e0f2042b0eb88fde52f224d427c142

SHA256
1ad44286e55f03af80cd7e7d844d0db420d2af4d184f91d260b161f7f71dff75

SHA512
fd709ab756244f1be32ca89fe048ee8ef6307272a7f4f1aa010c497e66b4e83f801afdb56a6a96917850d906b838d4fdd06fc0ac353a6eb3252a60c9b9db4fbb

Download Submit