68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
27-07-2024 23:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe
Size

2.7MB
MD5

5741f4dd4c1625eb2212cda03aa8de10
SHA1

5d7b6f0dd2bb4694b130404009c85566c061ff75
SHA256

68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440
SHA512

58493915ef3f4d3b704690bf6e53b6d76ca4a1dee3279319297bf3487c06ae3b3e1eec4da7d0879889205f3c1b3d27f954088cae9e9f3979492af4a89c04c97e
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBF9w4Sx:+R0pI/IQlUoMPdmpSpd4

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3024	xoptisys.exe

Loads dropped DLL 1 IoCs

pid	Process
2288	68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesOS\\xoptisys.exe"	68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxN8\\boddevec.exe"	68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptisys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2288	68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe
2288	68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe
3024	xoptisys.exe
2288	68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe
3024	xoptisys.exe
2288	68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe
3024	xoptisys.exe
2288	68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe
3024	xoptisys.exe
2288	68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe
3024	xoptisys.exe
2288	68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe
3024	xoptisys.exe
2288	68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe
3024	xoptisys.exe
2288	68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe
3024	xoptisys.exe
2288	68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe
3024	xoptisys.exe
2288	68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe
3024	xoptisys.exe
2288	68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe
3024	xoptisys.exe
2288	68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe
3024	xoptisys.exe
2288	68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe
3024	xoptisys.exe
2288	68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe
3024	xoptisys.exe
2288	68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe
3024	xoptisys.exe
2288	68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe
3024	xoptisys.exe
2288	68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe
3024	xoptisys.exe
2288	68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe
3024	xoptisys.exe
2288	68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe
3024	xoptisys.exe
2288	68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe
3024	xoptisys.exe
2288	68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe
3024	xoptisys.exe
2288	68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe
3024	xoptisys.exe
2288	68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe
3024	xoptisys.exe
2288	68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe
3024	xoptisys.exe
2288	68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe
3024	xoptisys.exe
2288	68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe
3024	xoptisys.exe
2288	68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe
3024	xoptisys.exe
2288	68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe
3024	xoptisys.exe
2288	68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe
3024	xoptisys.exe
2288	68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe
3024	xoptisys.exe
2288	68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe
3024	xoptisys.exe
2288	68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 3024	2288	68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe	30
PID 2288 wrote to memory of 3024	2288	68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe	30
PID 2288 wrote to memory of 3024	2288	68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe	30
PID 2288 wrote to memory of 3024	2288	68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe	30

C:\Users\Admin\AppData\Local\Temp\68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe
"C:\Users\Admin\AppData\Local\Temp\68aebb5bb47e253631d2905d3f042978b0fc2fe0dd44bc2a3d0ae74fab939440.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2288
- C:\FilesOS\xoptisys.exe
  C:\FilesOS\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GalaxN8\boddevec.exe

Filesize
2.7MB

MD5
b22bed8ae8f9866df8e2b618fdd566d4

SHA1
b4a7e7758158007f1c1763e54a87cb3b20bf0cc9

SHA256
aff44aed826105155db1fb3929561efb968549d76a926d9586feafe1f567df0b

SHA512
3022382405300c8ebc00a465379711893aa11550709ee8c83e4ed0e993633db2c402785829a93854490dc5527f18a7adf3b567492e94bd10cbb0a7f16601a645

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
b76c1ef5e1e2282589839843f5e67da5

SHA1
7814bb50ee626d025f64594b35ca96849d883421

SHA256
b0491f02fd2c67081dc876c39781f1a811b55b4b964af2dd60e5a7324d662c97

SHA512
535cc7e5ef19a4d0afc6187b1a7c9171d0482e23a1a66bec0a24132c562a29eeedb39f6dc8b720f963da39407820e1ab2b35a9b34fb132007ded7c47859eeddd

Download Submit
\FilesOS\xoptisys.exe

Filesize
2.7MB

MD5
8928116961358fb5443e3e733e1b2594

SHA1
8f97e600602a5a2d94c6de5845c6e59224924e00

SHA256
33d16eb4adccdd7d02711e50904b6794e188fc73b7d71f31062aa4fe405b152b

SHA512
1a1e81d9bb6051022c0056b880aaa432d4cba0157fb31b21602eb173fc8f02e0bfdac8849b5d3b728c991f09870dd9097a7f3241da5d8959c1c68a06d804d431

Download Submit