82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da

Analysis

max time kernel
149s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11-07-2024 01:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe
Size

2.7MB
MD5

3629d759ad64e2c772f315ee5d384b6a
SHA1

601035c98de3b73708871b7f61001c84f569d6c1
SHA256

82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da
SHA512

62d98bd06fedbf346f6b919ffa3c41b702fda2a4233aa99c9c7975008fc9599b5bb172a7de9a4b8a9619d498e707808ec0d643a47f41d6fa4d4c6e638a819cb6
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBC9w4Sx:+R0pI/IQlUoMPdmpSpw4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1252	xoptiloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2520	82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeZ4\\xoptiloc.exe"	82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBEW\\bodasys.exe"	82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2520	82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe
2520	82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe
1252	xoptiloc.exe
2520	82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe
1252	xoptiloc.exe
2520	82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe
1252	xoptiloc.exe
2520	82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe
1252	xoptiloc.exe
2520	82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe
1252	xoptiloc.exe
2520	82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe
1252	xoptiloc.exe
2520	82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe
1252	xoptiloc.exe
2520	82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe
1252	xoptiloc.exe
2520	82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe
1252	xoptiloc.exe
2520	82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe
1252	xoptiloc.exe
2520	82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe
1252	xoptiloc.exe
2520	82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe
1252	xoptiloc.exe
2520	82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe
1252	xoptiloc.exe
2520	82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe
1252	xoptiloc.exe
2520	82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe
1252	xoptiloc.exe
2520	82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe
1252	xoptiloc.exe
2520	82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe
1252	xoptiloc.exe
2520	82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe
1252	xoptiloc.exe
2520	82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe
1252	xoptiloc.exe
2520	82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe
1252	xoptiloc.exe
2520	82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe
1252	xoptiloc.exe
2520	82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe
1252	xoptiloc.exe
2520	82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe
1252	xoptiloc.exe
2520	82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe
1252	xoptiloc.exe
2520	82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe
1252	xoptiloc.exe
2520	82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe
1252	xoptiloc.exe
2520	82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe
1252	xoptiloc.exe
2520	82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe
1252	xoptiloc.exe
2520	82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe
1252	xoptiloc.exe
2520	82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe
1252	xoptiloc.exe
2520	82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe
1252	xoptiloc.exe
2520	82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 1252	2520	82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe	29
PID 2520 wrote to memory of 1252	2520	82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe	29
PID 2520 wrote to memory of 1252	2520	82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe	29
PID 2520 wrote to memory of 1252	2520	82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe	29

C:\Users\Admin\AppData\Local\Temp\82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe
"C:\Users\Admin\AppData\Local\Temp\82ed9c64097b1c079d828a4f9202325fdb1f717909945ceb435b6636e9b654da.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2520
- C:\AdobeZ4\xoptiloc.exe
  C:\AdobeZ4\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBEW\bodasys.exe

Filesize
2.7MB

MD5
cbf19eee4aa548368801464d2e6c1d89

SHA1
a84a31cf9140fbbb9da61e97e07abb0d4cad6c23

SHA256
f24acfdebb1ae8fc6f04b75b6411c4c912e794314cd5763b4301840621a21cd1

SHA512
75ac280db43db7a93137dd9212cefd66361734933843c1c670ad916b97137cf61044da75ef9e6540e319855fbd322ae5be3fae221303398c6323d1ccccf193bb

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
9e72760930432600d4a28ff23d8a7984

SHA1
b51a1331bebece65b44e0f0b6cf5db83ecb8c3d7

SHA256
88b7f2941223d4cfffd354632c171e10467c5481b066aa90b3da930e95c86ebb

SHA512
ac3ec3942a4d52574d78af9178e3c43f269656625edc30ee6f7d59107fdd495e7f3e2dbc3900ef9b1b01c7b92d084f99bbc5b107f3167f9463c3a7b609a8a724

Download Submit
\AdobeZ4\xoptiloc.exe

Filesize
2.7MB

MD5
0768613bbd2dd00205148e3ac3d548ab

SHA1
3f654ef0f72d015e70e966daad3ee2302662bfa7

SHA256
2fd03b62f278192ee97e679f25ce89bd77d526d46940c738bed1ece46c9f6be6

SHA512
68a95b5504a47696e6196cce8b941d065df5184f9f1fd94ddcacc7f785834e449ea29423070d52596d74169a7b6225ffbebff0249ce3ffc1248fd598d01d13f1

Download Submit