c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce

Analysis

max time kernel
152s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 03:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce.exe
Size

2.7MB
MD5

a21d1a3cbcd776ba042f8672971bd74d
SHA1

c9915a2901c169f64e3faad553fa556933362ea2
SHA256

c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce
SHA512

00346f1defbe2621ffa2eb476780f3cdaa8af2b56fd4306a5b33597d10568d3ad749460c4e495c5c617913d38326e2574f25cdf166e3aeaa9b9aecaa8309cb81
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBL9w4S+:+R0pI/IQlUoMPdmpSpb4X

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4028	xoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid8L\\bodasys.exe"	c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotTT\\xoptisys.exe"	c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2332	c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce.exe
2332	c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce.exe
2332	c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce.exe
2332	c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce.exe
4028	xoptisys.exe
4028	xoptisys.exe
2332	c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce.exe
2332	c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce.exe
4028	xoptisys.exe
4028	xoptisys.exe
2332	c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce.exe
2332	c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce.exe
4028	xoptisys.exe
4028	xoptisys.exe
2332	c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce.exe
2332	c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce.exe
4028	xoptisys.exe
4028	xoptisys.exe
2332	c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce.exe
2332	c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce.exe
4028	xoptisys.exe
4028	xoptisys.exe
2332	c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce.exe
2332	c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce.exe
4028	xoptisys.exe
4028	xoptisys.exe
2332	c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce.exe
2332	c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce.exe
4028	xoptisys.exe
4028	xoptisys.exe
2332	c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce.exe
2332	c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce.exe
4028	xoptisys.exe
4028	xoptisys.exe
2332	c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce.exe
2332	c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce.exe
4028	xoptisys.exe
4028	xoptisys.exe
2332	c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce.exe
2332	c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce.exe
4028	xoptisys.exe
4028	xoptisys.exe
2332	c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce.exe
2332	c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce.exe
4028	xoptisys.exe
4028	xoptisys.exe
2332	c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce.exe
2332	c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce.exe
4028	xoptisys.exe
4028	xoptisys.exe
2332	c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce.exe
2332	c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce.exe
4028	xoptisys.exe
4028	xoptisys.exe
2332	c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce.exe
2332	c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce.exe
4028	xoptisys.exe
4028	xoptisys.exe
2332	c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce.exe
2332	c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce.exe
4028	xoptisys.exe
4028	xoptisys.exe
2332	c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce.exe
2332	c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 4028	2332	c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce.exe	92
PID 2332 wrote to memory of 4028	2332	c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce.exe	92
PID 2332 wrote to memory of 4028	2332	c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce.exe	92

C:\Users\Admin\AppData\Local\Temp\c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce.exe
"C:\Users\Admin\AppData\Local\Temp\c8076793879ad1a7ef894a37699dc34d0362d08099bc287b27347e232103d2ce.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2332
- C:\UserDotTT\xoptisys.exe
  C:\UserDotTT\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:3624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\UserDotTT\xoptisys.exe

Filesize
2.7MB

MD5
69a9ffab5abeb55bd94b402b65a0ccdf

SHA1
dc509bc314725814e8a79961ec5d39db34e08a85

SHA256
b30fc7b2325b39b035abf4cc618fad362a7850e8038895018c59b5695497340f

SHA512
41b5543e1061e81254ee744b97b9e79907a4d18a522f584aba11aba641b2eb643835d0e0ed8a2deb8bb5cbd470286f3e2dc1ed5f6e454e986b55028426425584

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
202B

MD5
73fc3ef299fd13d9d6d0b9a055885751

SHA1
9609a33b2098044f214a77c9e05bdf25935f3b70

SHA256
6ad304ceff0a80d441fb9c0000644153f30ae632899ac661294829fa814743fd

SHA512
6ff687781f602f1a01a84eaca8302c1027ae8cac6d4fcfc3bed205df6468b812d6cbd4bb2fee5017e5ba3477816df6bfee5f48dfaa8ae6cc7cde3a8e42e9f278

Download Submit
C:\Vid8L\bodasys.exe

Filesize
2.7MB

MD5
aaa4c49d6eaa24a7c6b75717a15889bb

SHA1
5ccce233f9be730da093e73b4c9b396b8d40beef

SHA256
a0b0f776c7e9b914f835af78a9f77af8c2bab5e61023d246343547f77e9ed619

SHA512
18b231dd4937ea534a13088657a8f7abb48080ef1b3adda3fcb1ff3cb5cd8c0764f62ee1e398fc89f75b874d229841f739af95dd683be78348ea126a9c0cd346

Download Submit