935f8a02e3b8197351243184f33448b450c2d3fdeb4cfacf9a1ba8f790288066

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31271f0f4246219c520a7884fa86b330N.exe
Size

2.7MB
MD5

31271f0f4246219c520a7884fa86b330
SHA1

61ffd943ec90bde4043c89ecbcd46df2ff3dd0b1
SHA256

935f8a02e3b8197351243184f33448b450c2d3fdeb4cfacf9a1ba8f790288066
SHA512

fabcb1a98438fa936965bb6058e9654971d682ef325112e7be44bbc846df6421d9eae4ba8b7ecd107471da2c062f006e2297073c60ccaa13bf50f6457fbd11ec
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBK9w4Sx:+R0pI/IQlUoMPdmpSps4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2748	xoptisys.exe

Loads dropped DLL 1 IoCs

pid	Process
2656	31271f0f4246219c520a7884fa86b330N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvTP\\xoptisys.exe"	31271f0f4246219c520a7884fa86b330N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZUM\\boddevloc.exe"	31271f0f4246219c520a7884fa86b330N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2656	31271f0f4246219c520a7884fa86b330N.exe
2656	31271f0f4246219c520a7884fa86b330N.exe
2748	xoptisys.exe
2656	31271f0f4246219c520a7884fa86b330N.exe
2748	xoptisys.exe
2656	31271f0f4246219c520a7884fa86b330N.exe
2748	xoptisys.exe
2656	31271f0f4246219c520a7884fa86b330N.exe
2748	xoptisys.exe
2656	31271f0f4246219c520a7884fa86b330N.exe
2748	xoptisys.exe
2656	31271f0f4246219c520a7884fa86b330N.exe
2748	xoptisys.exe
2656	31271f0f4246219c520a7884fa86b330N.exe
2748	xoptisys.exe
2656	31271f0f4246219c520a7884fa86b330N.exe
2748	xoptisys.exe
2656	31271f0f4246219c520a7884fa86b330N.exe
2748	xoptisys.exe
2656	31271f0f4246219c520a7884fa86b330N.exe
2748	xoptisys.exe
2656	31271f0f4246219c520a7884fa86b330N.exe
2748	xoptisys.exe
2656	31271f0f4246219c520a7884fa86b330N.exe
2748	xoptisys.exe
2656	31271f0f4246219c520a7884fa86b330N.exe
2748	xoptisys.exe
2656	31271f0f4246219c520a7884fa86b330N.exe
2748	xoptisys.exe
2656	31271f0f4246219c520a7884fa86b330N.exe
2748	xoptisys.exe
2656	31271f0f4246219c520a7884fa86b330N.exe
2748	xoptisys.exe
2656	31271f0f4246219c520a7884fa86b330N.exe
2748	xoptisys.exe
2656	31271f0f4246219c520a7884fa86b330N.exe
2748	xoptisys.exe
2656	31271f0f4246219c520a7884fa86b330N.exe
2748	xoptisys.exe
2656	31271f0f4246219c520a7884fa86b330N.exe
2748	xoptisys.exe
2656	31271f0f4246219c520a7884fa86b330N.exe
2748	xoptisys.exe
2656	31271f0f4246219c520a7884fa86b330N.exe
2748	xoptisys.exe
2656	31271f0f4246219c520a7884fa86b330N.exe
2748	xoptisys.exe
2656	31271f0f4246219c520a7884fa86b330N.exe
2748	xoptisys.exe
2656	31271f0f4246219c520a7884fa86b330N.exe
2748	xoptisys.exe
2656	31271f0f4246219c520a7884fa86b330N.exe
2748	xoptisys.exe
2656	31271f0f4246219c520a7884fa86b330N.exe
2748	xoptisys.exe
2656	31271f0f4246219c520a7884fa86b330N.exe
2748	xoptisys.exe
2656	31271f0f4246219c520a7884fa86b330N.exe
2748	xoptisys.exe
2656	31271f0f4246219c520a7884fa86b330N.exe
2748	xoptisys.exe
2656	31271f0f4246219c520a7884fa86b330N.exe
2748	xoptisys.exe
2656	31271f0f4246219c520a7884fa86b330N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2748	2656	31271f0f4246219c520a7884fa86b330N.exe	31
PID 2656 wrote to memory of 2748	2656	31271f0f4246219c520a7884fa86b330N.exe	31
PID 2656 wrote to memory of 2748	2656	31271f0f4246219c520a7884fa86b330N.exe	31
PID 2656 wrote to memory of 2748	2656	31271f0f4246219c520a7884fa86b330N.exe	31

C:\Users\Admin\AppData\Local\Temp\31271f0f4246219c520a7884fa86b330N.exe
"C:\Users\Admin\AppData\Local\Temp\31271f0f4246219c520a7884fa86b330N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2656
- C:\SysDrvTP\xoptisys.exe
  C:\SysDrvTP\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZUM\boddevloc.exe

Filesize
2.7MB

MD5
0964db45a376a23f677486d9420a9261

SHA1
5048fefc1ae9c99bf312843c262dd29061bb51f8

SHA256
e8541f6ee3b853523c3925dced5d6d7dedce3ecf5bc5c4a8a6544effc5c22fa6

SHA512
46c7676681d320f65e8a7d5d7738e44827d131c008f44a369c9264ada1fcd586be29072c53d0f4f5573fc5d5f22806ba9b3f62752e8d47be4715dcc5fb994be2

Download Submit
C:\SysDrvTP\xoptisys.exe

Filesize
2.7MB

MD5
23337cef03802bea1beab1fe8f490f87

SHA1
cf9aa53d720f97cff58a5f98b19c16aa42ca8087

SHA256
28c7907a7fd24699385b30955e92fdd56a2fda444c74566ad656c5450b603dc2

SHA512
16fb0d739a9966e61b2cfb458a1ecbddba7ff6332d838f52bd59eed7617598d7efe28a2873756fae33fd44a0ecf3ac0a6c5fc2eec257443bd2579103a6397f22

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
206B

MD5
dc4b58746c75c7e9cdc34100f651baa8

SHA1
3352e53b9c76a36202dee6b4a848e36e1af2bada

SHA256
7b520a29c6a56620c0d749e0f0e3062ad2076f0c7f8592b30aeb234abe92287f

SHA512
87a282ebbb5ffef38da93d4f7cb3c046bc7c9a4b955c0ce3cf01fc821fe3d3d8ec937b19dbee005a00c34d22c64f5fa8be06b339456367c9da4d53fa111e8349

Download Submit