ce3d799862bff625d8f212a414eb4cf3a7f49e1a6b15658ef522990dbf10f14b

Analysis

max time kernel
119s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21-07-2024 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e79a6ad9e80c5b83e1edcc327ba4f7d0N.exe
Size

2.7MB
MD5

e79a6ad9e80c5b83e1edcc327ba4f7d0
SHA1

ecbc0a5aaea3a0ec040b1b29011f7441b922741b
SHA256

ce3d799862bff625d8f212a414eb4cf3a7f49e1a6b15658ef522990dbf10f14b
SHA512

7313313a3301b3a203cf21fcf2a28c89741d5a9b7629d4e294eef5298ca928343f94f0cd869629a4870f99a08cb19ed87558a614654c066c8bacd3ecad19af5a
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBi9w4Sx:+R0pI/IQlUoMPdmpSps4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
324	xoptisys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZWI\\optixloc.exe"	e79a6ad9e80c5b83e1edcc327ba4f7d0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotVG\\xoptisys.exe"	e79a6ad9e80c5b83e1edcc327ba4f7d0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3144	e79a6ad9e80c5b83e1edcc327ba4f7d0N.exe
3144	e79a6ad9e80c5b83e1edcc327ba4f7d0N.exe
3144	e79a6ad9e80c5b83e1edcc327ba4f7d0N.exe
3144	e79a6ad9e80c5b83e1edcc327ba4f7d0N.exe
324	xoptisys.exe
324	xoptisys.exe
3144	e79a6ad9e80c5b83e1edcc327ba4f7d0N.exe
3144	e79a6ad9e80c5b83e1edcc327ba4f7d0N.exe
324	xoptisys.exe
324	xoptisys.exe
3144	e79a6ad9e80c5b83e1edcc327ba4f7d0N.exe
3144	e79a6ad9e80c5b83e1edcc327ba4f7d0N.exe
324	xoptisys.exe
324	xoptisys.exe
3144	e79a6ad9e80c5b83e1edcc327ba4f7d0N.exe
3144	e79a6ad9e80c5b83e1edcc327ba4f7d0N.exe
324	xoptisys.exe
324	xoptisys.exe
3144	e79a6ad9e80c5b83e1edcc327ba4f7d0N.exe
3144	e79a6ad9e80c5b83e1edcc327ba4f7d0N.exe
324	xoptisys.exe
324	xoptisys.exe
3144	e79a6ad9e80c5b83e1edcc327ba4f7d0N.exe
3144	e79a6ad9e80c5b83e1edcc327ba4f7d0N.exe
324	xoptisys.exe
324	xoptisys.exe
3144	e79a6ad9e80c5b83e1edcc327ba4f7d0N.exe
3144	e79a6ad9e80c5b83e1edcc327ba4f7d0N.exe
324	xoptisys.exe
324	xoptisys.exe
3144	e79a6ad9e80c5b83e1edcc327ba4f7d0N.exe
3144	e79a6ad9e80c5b83e1edcc327ba4f7d0N.exe
324	xoptisys.exe
324	xoptisys.exe
3144	e79a6ad9e80c5b83e1edcc327ba4f7d0N.exe
3144	e79a6ad9e80c5b83e1edcc327ba4f7d0N.exe
324	xoptisys.exe
324	xoptisys.exe
3144	e79a6ad9e80c5b83e1edcc327ba4f7d0N.exe
3144	e79a6ad9e80c5b83e1edcc327ba4f7d0N.exe
324	xoptisys.exe
324	xoptisys.exe
3144	e79a6ad9e80c5b83e1edcc327ba4f7d0N.exe
3144	e79a6ad9e80c5b83e1edcc327ba4f7d0N.exe
324	xoptisys.exe
324	xoptisys.exe
3144	e79a6ad9e80c5b83e1edcc327ba4f7d0N.exe
3144	e79a6ad9e80c5b83e1edcc327ba4f7d0N.exe
324	xoptisys.exe
324	xoptisys.exe
3144	e79a6ad9e80c5b83e1edcc327ba4f7d0N.exe
3144	e79a6ad9e80c5b83e1edcc327ba4f7d0N.exe
324	xoptisys.exe
324	xoptisys.exe
3144	e79a6ad9e80c5b83e1edcc327ba4f7d0N.exe
3144	e79a6ad9e80c5b83e1edcc327ba4f7d0N.exe
324	xoptisys.exe
324	xoptisys.exe
3144	e79a6ad9e80c5b83e1edcc327ba4f7d0N.exe
3144	e79a6ad9e80c5b83e1edcc327ba4f7d0N.exe
324	xoptisys.exe
324	xoptisys.exe
3144	e79a6ad9e80c5b83e1edcc327ba4f7d0N.exe
3144	e79a6ad9e80c5b83e1edcc327ba4f7d0N.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3144 wrote to memory of 324	3144	e79a6ad9e80c5b83e1edcc327ba4f7d0N.exe	87
PID 3144 wrote to memory of 324	3144	e79a6ad9e80c5b83e1edcc327ba4f7d0N.exe	87
PID 3144 wrote to memory of 324	3144	e79a6ad9e80c5b83e1edcc327ba4f7d0N.exe	87

C:\Users\Admin\AppData\Local\Temp\e79a6ad9e80c5b83e1edcc327ba4f7d0N.exe
"C:\Users\Admin\AppData\Local\Temp\e79a6ad9e80c5b83e1edcc327ba4f7d0N.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3144
- C:\UserDotVG\xoptisys.exe
  C:\UserDotVG\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZWI\optixloc.exe

Filesize
2.7MB

MD5
1eba92259bde264a482441c24d961e61

SHA1
3d3c48e55cf51966f30173fe79179e940f90f9ca

SHA256
998a6355eb13fb69a8db15c77717853613b2312e011e46c87b13b2ab0dabd3e1

SHA512
6d7e802d2c27dc150a9ca6d34e6846533d844794f355419069b8688cafe95ac0ea926f3ce62ec89c17a31a6e32a439ff30f713c19f7584b0b680bd4069034be0

Download Submit
C:\UserDotVG\xoptisys.exe

Filesize
2.7MB

MD5
a4d1e28c92da1b9dbbe710382367fc52

SHA1
15dfe006257366b6e3792e09e8c48fc9fcf1e553

SHA256
2a37c58027e25b9068dbde544cadc0153ee1a08309c236419282c4eeb80e8823

SHA512
8e38d3ac3e0271f6c1ae9a7c6438351a5dd76e8593d7e68be6ed82462d0517f5179b7a90b2e583188a30cddee26a525504dec026634bcd8ba7edd11816c73041

Download Submit
C:\Users\Admin\253086396416_10.0_Admin.ini

Filesize
197B

MD5
d4aa4a3c4b944735e5d56069d3b1e1fe

SHA1
f3de4446953de135c65f87dd36815251d53451b7

SHA256
c8b8e0c72088e1b6a7b7806d250531eb5cd994240ca6ddc7badb6c7ac4a599d4

SHA512
24dc16603469b2b6d96a6a1457fb540e431f7365d8d881321ae4a66c97a960841c3375cf963fcf7bfa779f8071631c178edf62f993727da36562d800873f8419

Download Submit