6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25

Analysis

max time kernel
149s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-07-2024 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe
Size

2.7MB
MD5

63bd0aafd5888742a139490a563293e3
SHA1

a0c20bd1f68946ac72b47621068dbc3305bef957
SHA256

6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25
SHA512

c3cd60a8ad4b4101424091a5f203d49fe236310cd60cf6d33a379891b9baac779dbab5c1d08491e3c248d9ac15b93210b0af765cc431bd9903bc477607d5dfc5
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBy9w4Sx:+R0pI/IQlUoMPdmpSpg4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2324	xoptiec.exe

Loads dropped DLL 1 IoCs

pid	Process
2412	6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZY7\\bodasys.exe"	6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files0M\\xoptiec.exe"	6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2412	6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe
2412	6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe
2324	xoptiec.exe
2412	6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe
2324	xoptiec.exe
2412	6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe
2324	xoptiec.exe
2412	6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe
2324	xoptiec.exe
2412	6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe
2324	xoptiec.exe
2412	6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe
2324	xoptiec.exe
2412	6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe
2324	xoptiec.exe
2412	6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe
2324	xoptiec.exe
2412	6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe
2324	xoptiec.exe
2412	6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe
2324	xoptiec.exe
2412	6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe
2324	xoptiec.exe
2412	6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe
2324	xoptiec.exe
2412	6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe
2324	xoptiec.exe
2412	6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe
2324	xoptiec.exe
2412	6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe
2324	xoptiec.exe
2412	6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe
2324	xoptiec.exe
2412	6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe
2324	xoptiec.exe
2412	6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe
2324	xoptiec.exe
2412	6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe
2324	xoptiec.exe
2412	6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe
2324	xoptiec.exe
2412	6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe
2324	xoptiec.exe
2412	6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe
2324	xoptiec.exe
2412	6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe
2324	xoptiec.exe
2412	6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe
2324	xoptiec.exe
2412	6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe
2324	xoptiec.exe
2412	6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe
2324	xoptiec.exe
2412	6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe
2324	xoptiec.exe
2412	6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe
2324	xoptiec.exe
2412	6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe
2324	xoptiec.exe
2412	6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe
2324	xoptiec.exe
2412	6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe
2324	xoptiec.exe
2412	6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2324	2412	6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe	29
PID 2412 wrote to memory of 2324	2412	6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe	29
PID 2412 wrote to memory of 2324	2412	6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe	29
PID 2412 wrote to memory of 2324	2412	6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe	29

C:\Users\Admin\AppData\Local\Temp\6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe
"C:\Users\Admin\AppData\Local\Temp\6c11bc8e2a408a1a469c59ebb5394a156e6e0ff0a57837c16866d057ba29af25.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Files0M\xoptiec.exe
  C:\Files0M\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZY7\bodasys.exe

Filesize
2.7MB

MD5
14a1e0aaaaea38f0b151138541926402

SHA1
fa2e76252a4c43e173b2ee360f21077fca57e983

SHA256
e43225f45e44ad288ad14e62e1e0aa9c1a32399b8333071795c3b8d7b7a1ee4b

SHA512
5705b3d524d8af3a90c845dc44dc42cc5d49629024424bd254e7c208b2658c5e3902fd2ed4e3be17df7c5ce0f7af8ae85aa1748208abd5958a084c021efd7300

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
c60410747e1cbb8e2619a860851bb628

SHA1
1bcc02520c2452359a160c42969112eb7bcd6a8e

SHA256
7d1f283c2310365cbf432a62e4fc877e351805cf8378ea2df86a95bd7398cad5

SHA512
2ee4dfdab7785366acca2187b08f2bd71574cf031f9c24e7209f7bf3474cdc1b7b68d6e09aa247b7cf31e7368d8cbd7844ab91ad0253c5c80c5941ff2c1a7580

Download Submit
\Files0M\xoptiec.exe

Filesize
2.7MB

MD5
9b0d37e611e1d9309a094891d623272f

SHA1
8e1c81898e8aba907bb1e88067c604f01fdebf8e

SHA256
e58d983c85c4b6f2dbfe50abeb0acc4388b9daedcf5667f0391f5daca3c6ca5c

SHA512
a9d027e62235708cad4e4507cd6ee850ef5b447047ec883297e5286537c67cb0c5d86c3ce8397456f24a62c6b73750377a8f6f1351a58b9fff60452565c55e73

Download Submit