2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc

General

Target

2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe
Size

2.7MB
MD5

32ec9dc8f0907845adef528ebbf1b016
SHA1

3657a6df7fda6b556a28ef8fe70c33c39be2863c
SHA256

2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc
SHA512

b0d06f262e5144d74667cd19d7c93959a9a382d27211c2c355e3f8e6c0ca5d07ed0acbf621da150d46e178c3a1adee5695d6097b62b525c4de4ba3af7ff47e98
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBy9w4Sx:+R0pI/IQlUoMPdmpSpk4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

xoptiloc.exe

pid process

3952 xoptiloc.exe

pid	process
3952	xoptiloc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeXT\\xoptiloc.exe"	2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZWW\\optixec.exe"	2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exexoptiloc.exe

pid	process
224	2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe
224	2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe
224	2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe
224	2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe
3952	xoptiloc.exe
3952	xoptiloc.exe
224	2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe
224	2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe
3952	xoptiloc.exe
3952	xoptiloc.exe
224	2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe
224	2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe
3952	xoptiloc.exe
3952	xoptiloc.exe
224	2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe
224	2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe
3952	xoptiloc.exe
3952	xoptiloc.exe
224	2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe
224	2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe
3952	xoptiloc.exe
3952	xoptiloc.exe
224	2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe
224	2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe
3952	xoptiloc.exe
3952	xoptiloc.exe
224	2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe
224	2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe
3952	xoptiloc.exe
3952	xoptiloc.exe
224	2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe
224	2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe
3952	xoptiloc.exe
3952	xoptiloc.exe
224	2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe
224	2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe
3952	xoptiloc.exe
3952	xoptiloc.exe
224	2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe
224	2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe
3952	xoptiloc.exe
3952	xoptiloc.exe
224	2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe
224	2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe
3952	xoptiloc.exe
3952	xoptiloc.exe
224	2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe
224	2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe
3952	xoptiloc.exe
3952	xoptiloc.exe
224	2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe
224	2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe
3952	xoptiloc.exe
3952	xoptiloc.exe
224	2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe
224	2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe
3952	xoptiloc.exe
3952	xoptiloc.exe
224	2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe
224	2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe
3952	xoptiloc.exe
3952	xoptiloc.exe
224	2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe
224	2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe

description	pid	process	target process
PID 224 wrote to memory of 3952	224	2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe	xoptiloc.exe
PID 224 wrote to memory of 3952	224	2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe	xoptiloc.exe
PID 224 wrote to memory of 3952	224	2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe	xoptiloc.exe

C:\Users\Admin\AppData\Local\Temp\2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe
"C:\Users\Admin\AppData\Local\Temp\2f6ee05e70af1b9d6af78d2385ad461c64cf98b995fc1b50b7d448ab4b95b5bc.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:224

C:\AdobeXT\xoptiloc.exe
C:\AdobeXT\xoptiloc.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4252,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4604 /prefetch:8
1⤵
PID:1320

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeXT\xoptiloc.exe
Filesize
2.7MB

MD5
dffcfe488a15569c740e3f14658b55db

SHA1
0a841b82439b8ecccef7e1cae7f4cad62fb72183

SHA256
0f98aa7f6048afcebe4affdf78eac9d71c8bd4b3e5bc144de6feebf42e259d5d

SHA512
9fbac678bc29c243e109f74bf46a72d6861dbe2247bb96b01b8854b147d9bc3df9137744b98a676051e415d5e7994c8cc1a8eed37cb84700ea7a2d5c19ce12b7

Download Submit
C:\LabZWW\optixec.exe
Filesize
2.7MB

MD5
8415de31a5c1038ccae11c2101b3c1a2

SHA1
f95a492efcaf981a718500fff25c5bed8fb19170

SHA256
489d343730516c5624f5dd2e6face2a6f0d009a7996156b8c863722b065b628b

SHA512
d9376564e44c338b4c586cd3b910750df3822077d2fef3019696083d20dba9049dd24fb14ccad5d81c40d3231255d0b3e6a94ef590afa21aeee13e3fd0d28287

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini
Filesize
202B

MD5
62b4e175e46a8e0bae34f05a75f82592

SHA1
6358d0d8ff32e51947a38225faf81a51e23d6bb9

SHA256
c83da3d41dcadf5dc52f94beaacd5fc631337718487592641c715c46fae2e6b3

SHA512
578aa918d322ccdd4430c494ff8166f52c7ac0f523c22b4d07f201173158427c86cebdf9cc541c3e1b4affdbedc6a92d8292a357026717cace15628f03783b27

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads