bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 03:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe
Size

2.7MB
MD5

2bc07e2966e81f9cd1531ea93c2e23be
SHA1

5ad22c422f4f1bb7715ac364fa01134b47f5150c
SHA256

bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201
SHA512

0e093a3c07906d18b7ea7eee8bb0b01abc43c9e5eeaf9dfba6f77dab254068d19e35084db8f7964d083c2d2193b42e12ac0633b01500c9b8924dcf142784d695
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB49w4Sx:+R0pI/IQlUoMPdmpSpW4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2484	xoptisys.exe

Loads dropped DLL 1 IoCs

pid	Process
2240	bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeZ5\\xoptisys.exe"	bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBFN\\optixec.exe"	bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2240	bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe
2240	bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe
2484	xoptisys.exe
2240	bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe
2484	xoptisys.exe
2240	bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe
2484	xoptisys.exe
2240	bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe
2484	xoptisys.exe
2240	bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe
2484	xoptisys.exe
2240	bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe
2484	xoptisys.exe
2240	bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe
2484	xoptisys.exe
2240	bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe
2484	xoptisys.exe
2240	bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe
2484	xoptisys.exe
2240	bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe
2484	xoptisys.exe
2240	bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe
2484	xoptisys.exe
2240	bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe
2484	xoptisys.exe
2240	bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe
2484	xoptisys.exe
2240	bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe
2484	xoptisys.exe
2240	bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe
2484	xoptisys.exe
2240	bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe
2484	xoptisys.exe
2240	bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe
2484	xoptisys.exe
2240	bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe
2484	xoptisys.exe
2240	bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe
2484	xoptisys.exe
2240	bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe
2484	xoptisys.exe
2240	bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe
2484	xoptisys.exe
2240	bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe
2484	xoptisys.exe
2240	bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe
2484	xoptisys.exe
2240	bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe
2484	xoptisys.exe
2240	bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe
2484	xoptisys.exe
2240	bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe
2484	xoptisys.exe
2240	bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe
2484	xoptisys.exe
2240	bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe
2484	xoptisys.exe
2240	bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe
2484	xoptisys.exe
2240	bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe
2484	xoptisys.exe
2240	bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe
2484	xoptisys.exe
2240	bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2484	2240	bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe	31
PID 2240 wrote to memory of 2484	2240	bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe	31
PID 2240 wrote to memory of 2484	2240	bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe	31
PID 2240 wrote to memory of 2484	2240	bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe	31

C:\Users\Admin\AppData\Local\Temp\bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe
"C:\Users\Admin\AppData\Local\Temp\bac51e5ff6bfad4df0d437fac9acc39b6545e44eb25b2733f07863e550173201.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2240
- C:\AdobeZ5\xoptisys.exe
  C:\AdobeZ5\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBFN\optixec.exe

Filesize
2.7MB

MD5
4cea7379ceeceaa97db49902ae634b8a

SHA1
baf189d81146717d8bb8158db4300d43ee6019ab

SHA256
72fa6106b0a5b5334b4db837bb5b2374201fec0ceeafc60cd78483488a2b8d6e

SHA512
c381f1b09f5042f41e9fa6fb10405236eb06cefdf50cb432b36ebd1964fcc2751b0c47a182d526ffdbdc0cc505f9e529a56ba826505e41518c282dff9a015d83

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
201B

MD5
211990a90c7c64edbfdc908e22cd2103

SHA1
9368567ba893deb8c76dbf982e3e7a93c39ceb95

SHA256
5669eb4b63853ef5b1742a0b22adfe356c39519b7b277f22d386f9c483c5f63d

SHA512
5bac9eee1744b1b24f535236e15614e50f701b95f92584e4f1e48c82b87b59f2db4c496bc490da9a08a53b21ee71ebfceeadf140538e83fc64d348c3b51367eb

Download Submit
\AdobeZ5\xoptisys.exe

Filesize
2.7MB

MD5
1a3b1df578fcdde71d1cf0cdb1db6d0d

SHA1
633dc03c15ed312a07d08e9dc25c1d19754a70e2

SHA256
cda68c3b0e57c058aa0a77e19250b5095add94105f1f6313736598e36ff4dc0d

SHA512
1b6fa39a1fc208fee510e82f3e1fc0c57d8c41a726d8cfe90e4a0da5bf8e44ef7cd06e462fef182f9033c82671d85491e3a45912a74349cf06331e58f871e487

Download Submit