7e8cba672d3510710e94b10f1b6bd3e2b264449cea90a75b7378bf85e631f9ea

Analysis

max time kernel
119s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2024, 07:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

847081187c19357b60bfc03f1d9f5750N.exe
Size

2.7MB
MD5

847081187c19357b60bfc03f1d9f5750
SHA1

238a0d33f33721cad445cc3a6d0e20202e88c0e3
SHA256

7e8cba672d3510710e94b10f1b6bd3e2b264449cea90a75b7378bf85e631f9ea
SHA512

551d9ad16bf02cc1a26f3e59cf4fa7fec942c2081e73f900ae00ff34094041445fd1cc97bf3d4ddf5246141eb3aa46cc8aeb8b7ff77c397e6cbc8b9fdf380cd2
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBL9w4Sx:+R0pI/IQlUoMPdmpSpb4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
212	xoptiec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeZC\\xoptiec.exe"	847081187c19357b60bfc03f1d9f5750N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZHD\\bodxloc.exe"	847081187c19357b60bfc03f1d9f5750N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2496	847081187c19357b60bfc03f1d9f5750N.exe
2496	847081187c19357b60bfc03f1d9f5750N.exe
2496	847081187c19357b60bfc03f1d9f5750N.exe
2496	847081187c19357b60bfc03f1d9f5750N.exe
212	xoptiec.exe
212	xoptiec.exe
2496	847081187c19357b60bfc03f1d9f5750N.exe
2496	847081187c19357b60bfc03f1d9f5750N.exe
212	xoptiec.exe
212	xoptiec.exe
2496	847081187c19357b60bfc03f1d9f5750N.exe
2496	847081187c19357b60bfc03f1d9f5750N.exe
212	xoptiec.exe
212	xoptiec.exe
2496	847081187c19357b60bfc03f1d9f5750N.exe
2496	847081187c19357b60bfc03f1d9f5750N.exe
212	xoptiec.exe
212	xoptiec.exe
2496	847081187c19357b60bfc03f1d9f5750N.exe
2496	847081187c19357b60bfc03f1d9f5750N.exe
212	xoptiec.exe
212	xoptiec.exe
2496	847081187c19357b60bfc03f1d9f5750N.exe
2496	847081187c19357b60bfc03f1d9f5750N.exe
212	xoptiec.exe
212	xoptiec.exe
2496	847081187c19357b60bfc03f1d9f5750N.exe
2496	847081187c19357b60bfc03f1d9f5750N.exe
212	xoptiec.exe
212	xoptiec.exe
2496	847081187c19357b60bfc03f1d9f5750N.exe
2496	847081187c19357b60bfc03f1d9f5750N.exe
212	xoptiec.exe
212	xoptiec.exe
2496	847081187c19357b60bfc03f1d9f5750N.exe
2496	847081187c19357b60bfc03f1d9f5750N.exe
212	xoptiec.exe
212	xoptiec.exe
2496	847081187c19357b60bfc03f1d9f5750N.exe
2496	847081187c19357b60bfc03f1d9f5750N.exe
212	xoptiec.exe
212	xoptiec.exe
2496	847081187c19357b60bfc03f1d9f5750N.exe
2496	847081187c19357b60bfc03f1d9f5750N.exe
212	xoptiec.exe
212	xoptiec.exe
2496	847081187c19357b60bfc03f1d9f5750N.exe
2496	847081187c19357b60bfc03f1d9f5750N.exe
212	xoptiec.exe
212	xoptiec.exe
2496	847081187c19357b60bfc03f1d9f5750N.exe
2496	847081187c19357b60bfc03f1d9f5750N.exe
212	xoptiec.exe
212	xoptiec.exe
2496	847081187c19357b60bfc03f1d9f5750N.exe
2496	847081187c19357b60bfc03f1d9f5750N.exe
212	xoptiec.exe
212	xoptiec.exe
2496	847081187c19357b60bfc03f1d9f5750N.exe
2496	847081187c19357b60bfc03f1d9f5750N.exe
212	xoptiec.exe
212	xoptiec.exe
2496	847081187c19357b60bfc03f1d9f5750N.exe
2496	847081187c19357b60bfc03f1d9f5750N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 212	2496	847081187c19357b60bfc03f1d9f5750N.exe	87
PID 2496 wrote to memory of 212	2496	847081187c19357b60bfc03f1d9f5750N.exe	87
PID 2496 wrote to memory of 212	2496	847081187c19357b60bfc03f1d9f5750N.exe	87

C:\Users\Admin\AppData\Local\Temp\847081187c19357b60bfc03f1d9f5750N.exe
"C:\Users\Admin\AppData\Local\Temp\847081187c19357b60bfc03f1d9f5750N.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2496
- C:\AdobeZC\xoptiec.exe
  C:\AdobeZC\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeZC\xoptiec.exe

Filesize
2.7MB

MD5
447c82a7f0a6752ea9ea84730baad587

SHA1
018a6d1519b0fa69efebb3fd7a4e3981be81ae3f

SHA256
8f52a861ba45ef0743eff0c18acb0257a52ed33a33bcd0e0cce0dd3baa523024

SHA512
d072fbc5953db7ca85df7d5c7e6f56e33511d56d90e4b41eb83e353fcb6cea95f720e360b74f27adf2515ab2b99590e3ae13cfc8aa66531f5522a01ad9330fcf

Download Submit
C:\LabZHD\bodxloc.exe

Filesize
2.7MB

MD5
b046a52bd506e559631a0b2f1e4b27bb

SHA1
53454bd48cdd31b5ec869c0bf9f3ae711a800321

SHA256
b2db72d320ad487084126984413f889336aa333a29e5c5c32401366190cd0a7a

SHA512
cdc32ffcdff58c0441379a7965fc94aa03b9811558bb00e119a822e9ea3c4ef421965e60e7a433646f50aed74a450712cdc983dd84710bc1ba08da53c1f7cc20

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
200B

MD5
71667092a554d21172092a74fd6466b2

SHA1
dd21825c893d791346f12b85a3a5873eb72cca9a

SHA256
23c650a947860e8ee856eaef7de5c6c049003d0ec73a5f457298cc7486f0133d

SHA512
1c0cd5f822f2fb8da1b01af86130d4efeda2a656eb473bdb32ca3966f8d33cf7d35c009b86e7fbe06ac6b3d5656d41ff4d1dbee5f79986330daff4dc22899e49

Download Submit