8eccc893c1a289be577af468ac1c7f13a4df2d78c41ee7afe379cf075c97c61a

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/07/2024, 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08f23127106e454e6da03e5543164880N.exe
Size

2.7MB
MD5

08f23127106e454e6da03e5543164880
SHA1

15d9d50e70b6369b54b7505fe5ec1ce65aed47f8
SHA256

8eccc893c1a289be577af468ac1c7f13a4df2d78c41ee7afe379cf075c97c61a
SHA512

3679fbc5276378add4527f2c7ebd5683207cca00e99d2ae5f02cb66054fe05f3693acb300c38b856502203f07489c8ca027d53c665272385e06a96b5f37c35b1
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBy9w4Sx:+R0pI/IQlUoMPdmpSpg4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2524	xoptiloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2280	08f23127106e454e6da03e5543164880N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotO1\\xoptiloc.exe"	08f23127106e454e6da03e5543164880N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintL4\\optiaec.exe"	08f23127106e454e6da03e5543164880N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2280	08f23127106e454e6da03e5543164880N.exe
2280	08f23127106e454e6da03e5543164880N.exe
2524	xoptiloc.exe
2280	08f23127106e454e6da03e5543164880N.exe
2524	xoptiloc.exe
2280	08f23127106e454e6da03e5543164880N.exe
2524	xoptiloc.exe
2280	08f23127106e454e6da03e5543164880N.exe
2524	xoptiloc.exe
2280	08f23127106e454e6da03e5543164880N.exe
2524	xoptiloc.exe
2280	08f23127106e454e6da03e5543164880N.exe
2524	xoptiloc.exe
2280	08f23127106e454e6da03e5543164880N.exe
2524	xoptiloc.exe
2280	08f23127106e454e6da03e5543164880N.exe
2524	xoptiloc.exe
2280	08f23127106e454e6da03e5543164880N.exe
2524	xoptiloc.exe
2280	08f23127106e454e6da03e5543164880N.exe
2524	xoptiloc.exe
2280	08f23127106e454e6da03e5543164880N.exe
2524	xoptiloc.exe
2280	08f23127106e454e6da03e5543164880N.exe
2524	xoptiloc.exe
2280	08f23127106e454e6da03e5543164880N.exe
2524	xoptiloc.exe
2280	08f23127106e454e6da03e5543164880N.exe
2524	xoptiloc.exe
2280	08f23127106e454e6da03e5543164880N.exe
2524	xoptiloc.exe
2280	08f23127106e454e6da03e5543164880N.exe
2524	xoptiloc.exe
2280	08f23127106e454e6da03e5543164880N.exe
2524	xoptiloc.exe
2280	08f23127106e454e6da03e5543164880N.exe
2524	xoptiloc.exe
2280	08f23127106e454e6da03e5543164880N.exe
2524	xoptiloc.exe
2280	08f23127106e454e6da03e5543164880N.exe
2524	xoptiloc.exe
2280	08f23127106e454e6da03e5543164880N.exe
2524	xoptiloc.exe
2280	08f23127106e454e6da03e5543164880N.exe
2524	xoptiloc.exe
2280	08f23127106e454e6da03e5543164880N.exe
2524	xoptiloc.exe
2280	08f23127106e454e6da03e5543164880N.exe
2524	xoptiloc.exe
2280	08f23127106e454e6da03e5543164880N.exe
2524	xoptiloc.exe
2280	08f23127106e454e6da03e5543164880N.exe
2524	xoptiloc.exe
2280	08f23127106e454e6da03e5543164880N.exe
2524	xoptiloc.exe
2280	08f23127106e454e6da03e5543164880N.exe
2524	xoptiloc.exe
2280	08f23127106e454e6da03e5543164880N.exe
2524	xoptiloc.exe
2280	08f23127106e454e6da03e5543164880N.exe
2524	xoptiloc.exe
2280	08f23127106e454e6da03e5543164880N.exe
2524	xoptiloc.exe
2280	08f23127106e454e6da03e5543164880N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2524	2280	08f23127106e454e6da03e5543164880N.exe	30
PID 2280 wrote to memory of 2524	2280	08f23127106e454e6da03e5543164880N.exe	30
PID 2280 wrote to memory of 2524	2280	08f23127106e454e6da03e5543164880N.exe	30
PID 2280 wrote to memory of 2524	2280	08f23127106e454e6da03e5543164880N.exe	30

C:\Users\Admin\AppData\Local\Temp\08f23127106e454e6da03e5543164880N.exe
"C:\Users\Admin\AppData\Local\Temp\08f23127106e454e6da03e5543164880N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2280
- C:\UserDotO1\xoptiloc.exe
  C:\UserDotO1\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintL4\optiaec.exe

Filesize
2.7MB

MD5
5d17cbb85e4ddd4e28116f6290f591f4

SHA1
df36b358bae3b25902f822f19118641db4671218

SHA256
586859b1c99203268d6a7948b5a67607b3164a904f59f1a1334fff433e41a093

SHA512
445f168177a2306eb13d6d8827aaec8dac785806a15f311b3114194120055b57bf519b5c0df039f73a8a88605f425caa515cccca7ba020d84bc3b65915abd914

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
bd27cf0d0e738136436550edb505ec5c

SHA1
ff5b54496260b6ee566fb5ed6e25ee616b4b72f2

SHA256
c095dae42f8b66a57f4b4a3bcdf9b419766ecfb30eef606dc107da375c933873

SHA512
00d84cf64b5f92b426ef7b203b9d1096341b1bf407044fea4336366722c3979fe929908bd314e7ae02f38cd602235a7896de835f0e9233ad34e712e9fe9090f2

Download Submit
\UserDotO1\xoptiloc.exe

Filesize
2.7MB

MD5
cb9c5811918b883aad3cdec4928ec4c6

SHA1
fc7de5cbb2e1052d30d49b7285baeb9eb3ddd612

SHA256
b09aa5fdeb6df6cd5b6789b2f008eb12b8626b8db035e3dcee22efe9b349af94

SHA512
3b982cd11c1a290fb23c44959b7762e160571a4ff1173b09a2b15106e63d462d0be8387fe1de06f60dd6192222cb8b1537208a79de77b34b645aa629fd8fcebb

Download Submit