Overview

overview

7

Static

static

3

4ff69e733b...0N.exe

windows7-x64

7

4ff69e733b...0N.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    24/07/2024, 05:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4ff69e733b627741368024d52821a350N.exe

  • Size

    2.7MB

  • MD5

    4ff69e733b627741368024d52821a350

  • SHA1

    2e4507c50283f0f88523cebf4b6cdda22f4c5dc8

  • SHA256

    1cf44892d60f4698cb00cca833c100a9b1e5a8774186921c4580969dc211413f

  • SHA512

    326c38ba2f8b448fc11069b032cc4cb100cd90040d6e6356b8ddd8f894eac700815a7e4eaba9d29a79da6917d9f922443f12b8517c2e4cb4bda3836d948123bf

  • SSDEEP

    49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBy9w4Sx:+R0pI/IQlUoMPdmpSp44

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4ff69e733b627741368024d52821a350N.exe
    "C:\Users\Admin\AppData\Local\Temp\4ff69e733b627741368024d52821a350N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2816
    • C:\FilesKA\xoptiloc.exe
      C:\FilesKA\xoptiloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2688

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\GalaxTS\bodaloc.exe
    Filesize

    2.7MB

    MD5

    307746bb97e3bb328d07eac06168d3dc

    SHA1

    2b1e2ac4cdd32318bbb6a13546dc5a2f64d0c1ed

    SHA256

    7ef3b14e62bf008acdc9260d94ca6d43df173a6a16bd2cc476a7419e588d451c

    SHA512

    c1e2a5c6e63d3804c97139889140a9d1f684db5d64a1d88c94184b8750700467de6792a7b9b1ccb74e1ddbd3d76024ec64eed5aec1dd2b1a4b4b4534cc1d3582

    Download Submit

  • C:\Users\Admin\253086396416_6.1_Admin.ini
    Filesize

    204B

    MD5

    ce3b59b6ae57d6ff71101419f809ae75

    SHA1

    1754cc06b889c42187f0d37b26cac96eae04d296

    SHA256

    4895865be5356eb517aea4d8cf7879cde3c4d68f8d77f2d0cb6f61bfe0fc4bc8

    SHA512

    bc9abbab695ff3ceeb5a48b4d1bf15735ce8dcebf0b98ba3ef32207f8d65d070047bc98fd384e8f143b63ccebb2857c947633321a83632ddd930531b920445b0

    Download Submit

  • \FilesKA\xoptiloc.exe
    Filesize

    2.7MB

    MD5

    688b10f3ad34dc910e64aa7fefe4acbb

    SHA1

    5b0f45739eb1c4b61e92191a725f113f4c50e0ca

    SHA256

    aa40e12032172ade50b02d301d945bfaf8d6c8c8de40903dd95091e54b339b9a

    SHA512

    658dcb3de58498eedc6ad29986608580aaf2ce21d60283ccb7c1ad5eb011f504d68761ad03294a01bc6826ce6bebe04309294a312c83ea8b040a82453913ca91

    Download Submit