ecefdeca3f0936086119593c098b8b14b9431ae698f2861dba7a408f5f4fbe8b

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
13-07-2024 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18d0a100a87a3f16fa9b4f08a2d2a010N.exe
Size

2.7MB
MD5

18d0a100a87a3f16fa9b4f08a2d2a010
SHA1

e1c367595f444375d9b5b2730959209f5fd5081f
SHA256

ecefdeca3f0936086119593c098b8b14b9431ae698f2861dba7a408f5f4fbe8b
SHA512

6fed51c840b7e0ea1f28df7c37e71d1245f0357afb9acd2f9416ded3a6725b9388853a2a266a8bf6e8aa68208f7f5e8e0175a2dd8dc2a7557c106985def5e566
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB79w4Sx:+R0pI/IQlUoMPdmpSpH4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3052	xoptiec.exe

Loads dropped DLL 1 IoCs

pid	Process
1316	18d0a100a87a3f16fa9b4f08a2d2a010N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotEI\\xoptiec.exe"	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ54\\bodaloc.exe"	18d0a100a87a3f16fa9b4f08a2d2a010N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1316	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
1316	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
3052	xoptiec.exe
1316	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
3052	xoptiec.exe
1316	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
3052	xoptiec.exe
1316	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
3052	xoptiec.exe
1316	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
3052	xoptiec.exe
1316	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
3052	xoptiec.exe
1316	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
3052	xoptiec.exe
1316	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
3052	xoptiec.exe
1316	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
3052	xoptiec.exe
1316	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
3052	xoptiec.exe
1316	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
3052	xoptiec.exe
1316	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
3052	xoptiec.exe
1316	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
3052	xoptiec.exe
1316	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
3052	xoptiec.exe
1316	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
3052	xoptiec.exe
1316	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
3052	xoptiec.exe
1316	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
3052	xoptiec.exe
1316	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
3052	xoptiec.exe
1316	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
3052	xoptiec.exe
1316	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
3052	xoptiec.exe
1316	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
3052	xoptiec.exe
1316	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
3052	xoptiec.exe
1316	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
3052	xoptiec.exe
1316	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
3052	xoptiec.exe
1316	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
3052	xoptiec.exe
1316	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
3052	xoptiec.exe
1316	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
3052	xoptiec.exe
1316	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
3052	xoptiec.exe
1316	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
3052	xoptiec.exe
1316	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
3052	xoptiec.exe
1316	18d0a100a87a3f16fa9b4f08a2d2a010N.exe
3052	xoptiec.exe
1316	18d0a100a87a3f16fa9b4f08a2d2a010N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 3052	1316	18d0a100a87a3f16fa9b4f08a2d2a010N.exe	30
PID 1316 wrote to memory of 3052	1316	18d0a100a87a3f16fa9b4f08a2d2a010N.exe	30
PID 1316 wrote to memory of 3052	1316	18d0a100a87a3f16fa9b4f08a2d2a010N.exe	30
PID 1316 wrote to memory of 3052	1316	18d0a100a87a3f16fa9b4f08a2d2a010N.exe	30

C:\Users\Admin\AppData\Local\Temp\18d0a100a87a3f16fa9b4f08a2d2a010N.exe
"C:\Users\Admin\AppData\Local\Temp\18d0a100a87a3f16fa9b4f08a2d2a010N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1316
- C:\UserDotEI\xoptiec.exe
  C:\UserDotEI\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZ54\bodaloc.exe

Filesize
2.7MB

MD5
e20d6ae08b5cf070d551f2c183af411a

SHA1
e90a793c7d031f9db72f71be4bc362bbf67223ed

SHA256
8502dcca03e6dbd4fcd638d85fd4c89e6a57dae418fa05a3d1bd61c413a44e6e

SHA512
5a93466d8d4b726969386baaf2b4a128c82962850befb28cd1435d45cdd0165b1f6dfc1a63e2ba4d2c40602c3ed237fc9737a9ed53c8d98557655157df40e6de

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
64a7164f8cdf65489f444e49e7a02626

SHA1
cf42057c71352515e4f50855a47f1f604a4f110d

SHA256
499bb4246494694618a4629558bf211ed635ee122b09efcc30cbd4d30fa4e471

SHA512
d8faaa10eda9e0ed0b9ba9375c821d006974a68ed5919a3a9c418a7a0362eb919454c69b93b1c3429c0395d16ca375775b3170c9cbb14fe7613e86e1f59aead7

Download Submit
\UserDotEI\xoptiec.exe

Filesize
2.7MB

MD5
95c8595d97eea1174d2a1dd36cd58c70

SHA1
836e496efe66c64a011d3d48d49f8e374f7a74b1

SHA256
3ee637429f00d8a495439385dbb616cfa142c5e3f114b0923012187d5f57e10e

SHA512
1550becfbc3a5fc9baab660d8007a97c73c7cf6cc2dffdb2f44b63143a385743f73f79cbef270d6222cbda8dc02cee78d020e8537f5cea9aa7289a143f675b86

Download Submit