24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08/06/2024, 20:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b.exe
Size

4.1MB
MD5

81993881a302be8a98f4197af70f0baa
SHA1

a5812d595adc405211359e8b7c8d03c74a1c7b1e
SHA256

24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b
SHA512

36c4cbe246768ca58d30d8431dd0649c6273289244d28aa2b342034f471367f93659c4edd44ac65920fcdfff9b822369509c4993dffd9cb59552dc4367887016
SSDEEP

98304:+R0pI/IQlUoMPdmpSpQ4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmr5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4960	xoptiloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotLB\\xoptiloc.exe"	24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBPK\\dobdevec.exe"	24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4676	24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b.exe
4676	24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b.exe
4676	24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b.exe
4676	24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b.exe
4960	xoptiloc.exe
4960	xoptiloc.exe
4676	24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b.exe
4676	24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b.exe
4960	xoptiloc.exe
4960	xoptiloc.exe
4676	24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b.exe
4676	24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b.exe
4960	xoptiloc.exe
4960	xoptiloc.exe
4676	24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b.exe
4676	24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b.exe
4960	xoptiloc.exe
4960	xoptiloc.exe
4676	24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b.exe
4676	24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b.exe
4960	xoptiloc.exe
4960	xoptiloc.exe
4676	24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b.exe
4676	24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b.exe
4960	xoptiloc.exe
4960	xoptiloc.exe
4676	24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b.exe
4676	24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b.exe
4960	xoptiloc.exe
4960	xoptiloc.exe
4676	24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b.exe
4676	24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b.exe
4960	xoptiloc.exe
4960	xoptiloc.exe
4676	24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b.exe
4676	24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b.exe
4960	xoptiloc.exe
4960	xoptiloc.exe
4676	24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b.exe
4676	24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b.exe
4960	xoptiloc.exe
4960	xoptiloc.exe
4676	24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b.exe
4676	24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b.exe
4960	xoptiloc.exe
4960	xoptiloc.exe
4676	24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b.exe
4676	24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b.exe
4960	xoptiloc.exe
4960	xoptiloc.exe
4676	24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b.exe
4676	24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b.exe
4960	xoptiloc.exe
4960	xoptiloc.exe
4676	24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b.exe
4676	24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b.exe
4960	xoptiloc.exe
4960	xoptiloc.exe
4676	24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b.exe
4676	24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b.exe
4960	xoptiloc.exe
4960	xoptiloc.exe
4676	24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b.exe
4676	24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 4960	4676	24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b.exe	87
PID 4676 wrote to memory of 4960	4676	24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b.exe	87
PID 4676 wrote to memory of 4960	4676	24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b.exe	87

C:\Users\Admin\AppData\Local\Temp\24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b.exe
"C:\Users\Admin\AppData\Local\Temp\24165541063203bff4e8c9a0e0a80f5a0b0e7c28ca808afeb51f9241267a540b.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4676
- C:\UserDotLB\xoptiloc.exe
  C:\UserDotLB\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBPK\dobdevec.exe

Filesize
4.1MB

MD5
cff40a8957ee7a3948d1c6aace965793

SHA1
b34c4111470ed8cddabf127acf30ddcda2920242

SHA256
27b0cb1f985825685b2dbf531d16c1fc4d533d6bd41f68291fefa1231174d124

SHA512
3cc901a1363297e237d0ed1d2e9e43d227f6c4abc052d38e1ed49da7a943081f6880d4aecd61d5b4251d2c68af6606a2c024131d2cc3896b1fb1320b5a8eaaa5

Download Submit
C:\UserDotLB\xoptiloc.exe

Filesize
4.1MB

MD5
316e369b4b61e0f85c5e6b98b5c1e628

SHA1
6ec9daa47bf81815df18f462881b2423605f4848

SHA256
fcf2820b3473805621f2ab28132006b80b29769f3eeb06e385322f53a602e576

SHA512
8b69bf11abd4caf8a0dd45308d16b4e8d4b5939a59c45fd17c75eada57352031b73a55de685ad884b39a4c88d5438558b2356df2201f824931272b98a277f3e9

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
204B

MD5
cf703ad287cf017eb372c249f8ceae34

SHA1
38051a9b6cc7765bee3fc178621551f656184481

SHA256
f4ef664fd270c6d4bef46cb07fe4942f352e6356a06684946aefb0c05ff0cde6

SHA512
c5157b6d3d34e841ce02e89cd4e1cec13df1d99c515fff9c801a727d8488120d6d07800e8ed371d474d14c9d8a6c236d929552dd4ba2f4e19b569ef2bc614382

Download Submit