120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca

Analysis

max time kernel
149s
max time network
117s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/06/2024, 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe
Size

2.7MB
MD5

fe9745767caa342b758b5a1e59163cf9
SHA1

75fc1c1afe3e4eb243b3300753c1d541d3cf4ccd
SHA256

120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca
SHA512

1d64d5f303cc2fd9f6fe502c9c2acc7b1df7c0f36301cb5a7989de001a633744aea6bc4244fb41161b931f9d1780eadc9475c53bc4ddf9603d608c78c458886a
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBJ9w4Sx:+R0pI/IQlUoMPdmpSpZ4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2740	xoptiloc.exe

Loads dropped DLL 1 IoCs

pid	Process
1964	120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotBR\\xoptiloc.exe"	120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidVJ\\dobdevloc.exe"	120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1964	120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe
1964	120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe
2740	xoptiloc.exe
1964	120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe
2740	xoptiloc.exe
1964	120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe
2740	xoptiloc.exe
1964	120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe
2740	xoptiloc.exe
1964	120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe
2740	xoptiloc.exe
1964	120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe
2740	xoptiloc.exe
1964	120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe
2740	xoptiloc.exe
1964	120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe
2740	xoptiloc.exe
1964	120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe
2740	xoptiloc.exe
1964	120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe
2740	xoptiloc.exe
1964	120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe
2740	xoptiloc.exe
1964	120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe
2740	xoptiloc.exe
1964	120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe
2740	xoptiloc.exe
1964	120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe
2740	xoptiloc.exe
1964	120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe
2740	xoptiloc.exe
1964	120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe
2740	xoptiloc.exe
1964	120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe
2740	xoptiloc.exe
1964	120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe
2740	xoptiloc.exe
1964	120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe
2740	xoptiloc.exe
1964	120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe
2740	xoptiloc.exe
1964	120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe
2740	xoptiloc.exe
1964	120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe
2740	xoptiloc.exe
1964	120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe
2740	xoptiloc.exe
1964	120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe
2740	xoptiloc.exe
1964	120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe
2740	xoptiloc.exe
1964	120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe
2740	xoptiloc.exe
1964	120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe
2740	xoptiloc.exe
1964	120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe
2740	xoptiloc.exe
1964	120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe
2740	xoptiloc.exe
1964	120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe
2740	xoptiloc.exe
1964	120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe
2740	xoptiloc.exe
1964	120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2740	1964	120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe	28
PID 1964 wrote to memory of 2740	1964	120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe	28
PID 1964 wrote to memory of 2740	1964	120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe	28
PID 1964 wrote to memory of 2740	1964	120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe	28

C:\Users\Admin\AppData\Local\Temp\120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe
"C:\Users\Admin\AppData\Local\Temp\120a67a0a6b68b78ccd3a295590dd4d61fe4d79462983942b6f12419345455ca.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1964
- C:\UserDotBR\xoptiloc.exe
  C:\UserDotBR\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
6400a581ffc8d3c30cc6e96c57853d95

SHA1
11453b1dbde41794e5a12082f5f1c8b690735522

SHA256
5693da0eff8fce4c93af6ced3f9c4fd71c4cf4534d120a784ab11840c4059c2b

SHA512
40e5f863db849291fafaf860df0ed5704990eff60899de4d2cd96b739ee45e4e3cb722498c3fcb93b180ad852c1afc1d1a34dcc5fd2fe877528da4396446627d

Download Submit
C:\VidVJ\dobdevloc.exe

Filesize
2.7MB

MD5
44330c5d96d78f72e4674349608c1297

SHA1
f7322f49f2789c9ae68611647dc86bcdb06fd9b4

SHA256
4a0f4b8d0cb983e1188d467fb6767dadacef9973975deacc3b6ba1111cccd88b

SHA512
f792156939e037f7225df9a63acfd4ef264ab1e618f8d61f79794670176a2f1f6835eb2b9cd471120c1e8f6d053bd60edff921df00ae591db749f1a0b05890e0

Download Submit
\UserDotBR\xoptiloc.exe

Filesize
2.7MB

MD5
cb221bb435ced7cfcd209cb8e769ff77

SHA1
e357b51a773717037dd6bfe5650670ff1020aa43

SHA256
ca447e4a157766167104b26052dd2e2fa96fd6af0cce7b5bd5c1d9e9d2e29da0

SHA512
306db4d9e0ba2fdd436a80154e30c24d23ce6f8b95b23d984274dc3fd8393652fc754602d021114767a4bf6cb894d39f92a94966947a4bf40ca84849f0361a9d

Download Submit