97f4369a87405d2a09a8c4effa5eebe952f41fed712d723b893298f00a366a8e

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 13:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

16cf75a63c826463bbd0bf7c9866d310N.exe
Size

2.7MB
MD5

16cf75a63c826463bbd0bf7c9866d310
SHA1

88e9282d7d1b8fc9d7a0853e71eeed898fc8b91b
SHA256

97f4369a87405d2a09a8c4effa5eebe952f41fed712d723b893298f00a366a8e
SHA512

7ecb298174c75b050d750f0d46554710fdbe1e6ba3eed91569bff187576b90fdb2ff79d91590f20bdb15b9b91759cb243ceee25ec82120b461dac32b69725a30
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LB99w4Sx:+R0pI/IQlUoMPdmpSpd4

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2524	xoptiloc.exe

Loads dropped DLL 1 IoCs

pid	Process
2280	16cf75a63c826463bbd0bf7c9866d310N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocPG\\xoptiloc.exe"	16cf75a63c826463bbd0bf7c9866d310N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxRW\\dobdevloc.exe"	16cf75a63c826463bbd0bf7c9866d310N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptiloc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	16cf75a63c826463bbd0bf7c9866d310N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2280	16cf75a63c826463bbd0bf7c9866d310N.exe
2280	16cf75a63c826463bbd0bf7c9866d310N.exe
2524	xoptiloc.exe
2280	16cf75a63c826463bbd0bf7c9866d310N.exe
2524	xoptiloc.exe
2280	16cf75a63c826463bbd0bf7c9866d310N.exe
2524	xoptiloc.exe
2280	16cf75a63c826463bbd0bf7c9866d310N.exe
2524	xoptiloc.exe
2280	16cf75a63c826463bbd0bf7c9866d310N.exe
2524	xoptiloc.exe
2280	16cf75a63c826463bbd0bf7c9866d310N.exe
2524	xoptiloc.exe
2280	16cf75a63c826463bbd0bf7c9866d310N.exe
2524	xoptiloc.exe
2280	16cf75a63c826463bbd0bf7c9866d310N.exe
2524	xoptiloc.exe
2280	16cf75a63c826463bbd0bf7c9866d310N.exe
2524	xoptiloc.exe
2280	16cf75a63c826463bbd0bf7c9866d310N.exe
2524	xoptiloc.exe
2280	16cf75a63c826463bbd0bf7c9866d310N.exe
2524	xoptiloc.exe
2280	16cf75a63c826463bbd0bf7c9866d310N.exe
2524	xoptiloc.exe
2280	16cf75a63c826463bbd0bf7c9866d310N.exe
2524	xoptiloc.exe
2280	16cf75a63c826463bbd0bf7c9866d310N.exe
2524	xoptiloc.exe
2280	16cf75a63c826463bbd0bf7c9866d310N.exe
2524	xoptiloc.exe
2280	16cf75a63c826463bbd0bf7c9866d310N.exe
2524	xoptiloc.exe
2280	16cf75a63c826463bbd0bf7c9866d310N.exe
2524	xoptiloc.exe
2280	16cf75a63c826463bbd0bf7c9866d310N.exe
2524	xoptiloc.exe
2280	16cf75a63c826463bbd0bf7c9866d310N.exe
2524	xoptiloc.exe
2280	16cf75a63c826463bbd0bf7c9866d310N.exe
2524	xoptiloc.exe
2280	16cf75a63c826463bbd0bf7c9866d310N.exe
2524	xoptiloc.exe
2280	16cf75a63c826463bbd0bf7c9866d310N.exe
2524	xoptiloc.exe
2280	16cf75a63c826463bbd0bf7c9866d310N.exe
2524	xoptiloc.exe
2280	16cf75a63c826463bbd0bf7c9866d310N.exe
2524	xoptiloc.exe
2280	16cf75a63c826463bbd0bf7c9866d310N.exe
2524	xoptiloc.exe
2280	16cf75a63c826463bbd0bf7c9866d310N.exe
2524	xoptiloc.exe
2280	16cf75a63c826463bbd0bf7c9866d310N.exe
2524	xoptiloc.exe
2280	16cf75a63c826463bbd0bf7c9866d310N.exe
2524	xoptiloc.exe
2280	16cf75a63c826463bbd0bf7c9866d310N.exe
2524	xoptiloc.exe
2280	16cf75a63c826463bbd0bf7c9866d310N.exe
2524	xoptiloc.exe
2280	16cf75a63c826463bbd0bf7c9866d310N.exe
2524	xoptiloc.exe
2280	16cf75a63c826463bbd0bf7c9866d310N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2524	2280	16cf75a63c826463bbd0bf7c9866d310N.exe	30
PID 2280 wrote to memory of 2524	2280	16cf75a63c826463bbd0bf7c9866d310N.exe	30
PID 2280 wrote to memory of 2524	2280	16cf75a63c826463bbd0bf7c9866d310N.exe	30
PID 2280 wrote to memory of 2524	2280	16cf75a63c826463bbd0bf7c9866d310N.exe	30

C:\Users\Admin\AppData\Local\Temp\16cf75a63c826463bbd0bf7c9866d310N.exe
"C:\Users\Admin\AppData\Local\Temp\16cf75a63c826463bbd0bf7c9866d310N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2280
- C:\IntelprocPG\xoptiloc.exe
  C:\IntelprocPG\xoptiloc.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxRW\dobdevloc.exe

Filesize
1.7MB

MD5
8aeb63148f1affbf7ddeea1496a0e602

SHA1
14935b987409c1d10b2c5c20800d800497245e9e

SHA256
22e1974cdb68101307effb96eaea01eccb9d4af513b82bf155433c8e4b198361

SHA512
f4c1c0ead55ee7dca9346405f04fc374a0b25ae186f3793f16506ca1afb0a5c7171b9e1760663839191e907d942f7129545532f24bb1932ff0a10bc26971a1b8

Download Submit
C:\GalaxRW\dobdevloc.exe

Filesize
2.7MB

MD5
d56ef295873b54c1325ce1207ba61522

SHA1
66fc4cc3350fa06212f63f999740a72559b72e72

SHA256
2b9f132e413a0672b4e252613807bb4cda71dd3264bb45c95dc85f0a05ede9e2

SHA512
dca309ee327a9a6053fb0186c041435b7edde5450027cac14a628807eca69614007d9f67898e6274c78ac873f17600fe5b8261b7200c02eba5abb69108c018e5

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
208B

MD5
8c37c5b8e3188259a45e35dc5f4da1ef

SHA1
95b09ebc561f730585c063d1cd495c0a6cd19c32

SHA256
f8e0e7ce3779017fadeb9801df1e61b50370ca008d52774292edf86fe334caf6

SHA512
763e4530d4391d576b131752c638390ab48578a5203d27df2995367106eb63ae829ee18f911e3e1b0e9ae2da6de9a338f822efd7b84a876aea1347f3b41fe4cd

Download Submit
\IntelprocPG\xoptiloc.exe

Filesize
2.7MB

MD5
2aa0bfb41a1c4e7d05d2f027c46addf1

SHA1
ca58db615800e0dfdda26a5ea859c84a2129f788

SHA256
64ebdf92441659c4bddf8da14fbb32f57485f4ae49a336a6f013b54c4d4727af

SHA512
78095ed972be4c3d1d449e5d170c2452c9b60fa88780766bd9873a7bedcaa4d7efe4524c4f1e0a3132c0eca9613687946815a98f3957ebcd49e8b1e8dfd44193

Download Submit