7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a

Analysis

max time kernel
149s
max time network
18s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09-07-2024 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
Size

3.1MB
MD5

d4c9e36520fdf893834da9c5826685f5
SHA1

dbae3108fe8cfb696844d0ff6681eac8aae7ab7b
SHA256

7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a
SHA512

9921d5f0a5a5fcc244a53ea601a55885e993abdcfcb13a559e6a81e5962cb2b3681d37c937e031402b3be5049b98f0fd8d4146fd939ab46ecc73a75e4c8c78c4
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBY9w4Su+LNfej:+R0pI/IQlUoMPdmpSp+4JkNfej

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2664	xoptisys.exe

Loads dropped DLL 1 IoCs

pid	Process
3008	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvEV\\xoptisys.exe"	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxVJ\\bodxloc.exe"	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3008	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
3008	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
2664	xoptisys.exe
3008	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
2664	xoptisys.exe
3008	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
2664	xoptisys.exe
3008	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
2664	xoptisys.exe
3008	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
2664	xoptisys.exe
3008	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
2664	xoptisys.exe
3008	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
2664	xoptisys.exe
3008	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
2664	xoptisys.exe
3008	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
2664	xoptisys.exe
3008	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
2664	xoptisys.exe
3008	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
2664	xoptisys.exe
3008	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
2664	xoptisys.exe
3008	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
2664	xoptisys.exe
3008	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
2664	xoptisys.exe
3008	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
2664	xoptisys.exe
3008	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
2664	xoptisys.exe
3008	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
2664	xoptisys.exe
3008	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
2664	xoptisys.exe
3008	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
2664	xoptisys.exe
3008	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
2664	xoptisys.exe
3008	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
2664	xoptisys.exe
3008	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
2664	xoptisys.exe
3008	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
2664	xoptisys.exe
3008	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
2664	xoptisys.exe
3008	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
2664	xoptisys.exe
3008	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
2664	xoptisys.exe
3008	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
2664	xoptisys.exe
3008	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
2664	xoptisys.exe
3008	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
2664	xoptisys.exe
3008	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
2664	xoptisys.exe
3008	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
2664	xoptisys.exe
3008	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2664	3008	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe	30
PID 3008 wrote to memory of 2664	3008	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe	30
PID 3008 wrote to memory of 2664	3008	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe	30
PID 3008 wrote to memory of 2664	3008	7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe	30

C:\Users\Admin\AppData\Local\Temp\7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe
"C:\Users\Admin\AppData\Local\Temp\7b96f9cf80111ec1d0d351ba98eaa3b1f33a6f39c0423215ecb7ba3a5e3e175a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3008
- C:\SysDrvEV\xoptisys.exe
  C:\SysDrvEV\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxVJ\bodxloc.exe

Filesize
3.1MB

MD5
82cc42530a33c51d27742baa9a3aed15

SHA1
8a34a062e8df5697ef951999227e0409451079c7

SHA256
a5260accf604e5cf81ee8d23975ff7a204eba2b0efa54d4509ab9b4ce95a0a19

SHA512
9dfa84ee9660bdf7396c739e70d402fbbc59dd60a376e46b0cfd40b3373821419b72899dcb0e21e4e842ac706d23032df43577b4fc3547a53fa5c9ea7d50bd66

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
c50a28b494371152cc1b05160dd1f6d6

SHA1
cdd333b82fdee129d6a7bbdcb7ea5b01e0aae75d

SHA256
3e0363e79d40cb6786a66e23dc8b03b2aef5d1a84d38da36cbfed558c6528994

SHA512
1fd69a639eb2ec2bb5e22683eca9b35f0ffac957427d174f769ca5cc423130d241ad9ba08603cba5057f5f560c345490c77b783129ca237de22c052ef259e6b1

Download Submit
\SysDrvEV\xoptisys.exe

Filesize
3.1MB

MD5
d20de9ecd56f0bb4ebb15d8a0c6b8fe0

SHA1
ee72fdc648014b77399ec86cd1ba16a49ab5b326

SHA256
39cf3995944957b15065eaefb88fdb6baaa465fe9762d629cccc54d9ae574708

SHA512
6181ebf851823c7f6aae468d9eb4c133d98dd4114ee6190838a7bf32ebfb8f2417919f5096f7933cbd59a097d45571c379a8f80d4026aa2181a07fe10f2dab15

Download Submit