3e4a76daccc65d00f403bcf4c8b691c1e27694581d962b0d8d2f0e2214755426

Analysis

max time kernel
119s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e86e4e79e73b650d2974c31d1bc0390N.exe
Size

2.7MB
MD5

8e86e4e79e73b650d2974c31d1bc0390
SHA1

73e99e270bfbe42ec74429122501e391f87c0cf2
SHA256

3e4a76daccc65d00f403bcf4c8b691c1e27694581d962b0d8d2f0e2214755426
SHA512

dc529cb5cea146ca07ad34dbcc815afdf8246acc18028cc029a6445c108e23e71be634d2f00c1bd2062450be67bab61c4836112249658b82ad7eca639bbe950f
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB49w4Sx:+R0pI/IQlUoMPdmpSpW4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3020	xoptiloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2320	8e86e4e79e73b650d2974c31d1bc0390N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files62\\xoptiloc.exe"	8e86e4e79e73b650d2974c31d1bc0390N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidXM\\optixsys.exe"	8e86e4e79e73b650d2974c31d1bc0390N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2320	8e86e4e79e73b650d2974c31d1bc0390N.exe
2320	8e86e4e79e73b650d2974c31d1bc0390N.exe
3020	xoptiloc.exe
2320	8e86e4e79e73b650d2974c31d1bc0390N.exe
3020	xoptiloc.exe
2320	8e86e4e79e73b650d2974c31d1bc0390N.exe
3020	xoptiloc.exe
2320	8e86e4e79e73b650d2974c31d1bc0390N.exe
3020	xoptiloc.exe
2320	8e86e4e79e73b650d2974c31d1bc0390N.exe
3020	xoptiloc.exe
2320	8e86e4e79e73b650d2974c31d1bc0390N.exe
3020	xoptiloc.exe
2320	8e86e4e79e73b650d2974c31d1bc0390N.exe
3020	xoptiloc.exe
2320	8e86e4e79e73b650d2974c31d1bc0390N.exe
3020	xoptiloc.exe
2320	8e86e4e79e73b650d2974c31d1bc0390N.exe
3020	xoptiloc.exe
2320	8e86e4e79e73b650d2974c31d1bc0390N.exe
3020	xoptiloc.exe
2320	8e86e4e79e73b650d2974c31d1bc0390N.exe
3020	xoptiloc.exe
2320	8e86e4e79e73b650d2974c31d1bc0390N.exe
3020	xoptiloc.exe
2320	8e86e4e79e73b650d2974c31d1bc0390N.exe
3020	xoptiloc.exe
2320	8e86e4e79e73b650d2974c31d1bc0390N.exe
3020	xoptiloc.exe
2320	8e86e4e79e73b650d2974c31d1bc0390N.exe
3020	xoptiloc.exe
2320	8e86e4e79e73b650d2974c31d1bc0390N.exe
3020	xoptiloc.exe
2320	8e86e4e79e73b650d2974c31d1bc0390N.exe
3020	xoptiloc.exe
2320	8e86e4e79e73b650d2974c31d1bc0390N.exe
3020	xoptiloc.exe
2320	8e86e4e79e73b650d2974c31d1bc0390N.exe
3020	xoptiloc.exe
2320	8e86e4e79e73b650d2974c31d1bc0390N.exe
3020	xoptiloc.exe
2320	8e86e4e79e73b650d2974c31d1bc0390N.exe
3020	xoptiloc.exe
2320	8e86e4e79e73b650d2974c31d1bc0390N.exe
3020	xoptiloc.exe
2320	8e86e4e79e73b650d2974c31d1bc0390N.exe
3020	xoptiloc.exe
2320	8e86e4e79e73b650d2974c31d1bc0390N.exe
3020	xoptiloc.exe
2320	8e86e4e79e73b650d2974c31d1bc0390N.exe
3020	xoptiloc.exe
2320	8e86e4e79e73b650d2974c31d1bc0390N.exe
3020	xoptiloc.exe
2320	8e86e4e79e73b650d2974c31d1bc0390N.exe
3020	xoptiloc.exe
2320	8e86e4e79e73b650d2974c31d1bc0390N.exe
3020	xoptiloc.exe
2320	8e86e4e79e73b650d2974c31d1bc0390N.exe
3020	xoptiloc.exe
2320	8e86e4e79e73b650d2974c31d1bc0390N.exe
3020	xoptiloc.exe
2320	8e86e4e79e73b650d2974c31d1bc0390N.exe
3020	xoptiloc.exe
2320	8e86e4e79e73b650d2974c31d1bc0390N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 3020	2320	8e86e4e79e73b650d2974c31d1bc0390N.exe	30
PID 2320 wrote to memory of 3020	2320	8e86e4e79e73b650d2974c31d1bc0390N.exe	30
PID 2320 wrote to memory of 3020	2320	8e86e4e79e73b650d2974c31d1bc0390N.exe	30
PID 2320 wrote to memory of 3020	2320	8e86e4e79e73b650d2974c31d1bc0390N.exe	30

C:\Users\Admin\AppData\Local\Temp\8e86e4e79e73b650d2974c31d1bc0390N.exe
"C:\Users\Admin\AppData\Local\Temp\8e86e4e79e73b650d2974c31d1bc0390N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Files62\xoptiloc.exe
  C:\Files62\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
83e9c04ea395f35e74d4bc60b899dee9

SHA1
5a8c00504e8b028fe0259129088bed4d855b83d4

SHA256
2996194949fb6a9d2a5db91e1eba7d6cf9015a1553ed1c1830a1a93e77b1064e

SHA512
9a952a0afdf4b0e6b183f410c2ebf845aeff7572c0381e9cf47e33754ea14e9cbc6053641006d08810f44efa52002bb54570ce5326168f6b925cbcc68925a660

Download Submit
C:\VidXM\optixsys.exe

Filesize
2.7MB

MD5
c416872a1954caac80980449868dd68f

SHA1
a57533e87d3742e5e44fa0d9bb261875aa7cdb4d

SHA256
224afa2ad105ca17967747e6a323ac12773896189e6bce63021e96523bbf5b04

SHA512
081772726481c6f6fc0bfda9aea0648fa18b190b0f1d44a872d80e1011a130a6d04abe4f8802575fde3378281b28f7e0206b321b501a4a7f451da7a586a5764b

Download Submit
\Files62\xoptiloc.exe

Filesize
2.7MB

MD5
3022d5117a74ecba176f0f88e885e7ed

SHA1
55dd82fbb9bd929eb17fbcf3102bd849c259c934

SHA256
06ab3940d96086a0f44eccb6a6bbc68d56ca09caef7474d00faf4e2665f88258

SHA512
0d19551d8fc6721676ea300a62867743bcdbf61c9da15bb5588e13e4284241a2aa4836021b797ce822e0bc76d7c33840f9d4c8aeced141fdeb46a15d5859ca92

Download Submit