608df215c6de3aeb1cca1ce57d481d1b579b363a201236f361f62a8c4f484c1b

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
05/08/2024, 17:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b6eabcc159ee53868b6d73536039ab80N.exe
Size

2.7MB
MD5

b6eabcc159ee53868b6d73536039ab80
SHA1

267b49e2436a6845248ce479e5f702ae50a7e71c
SHA256

608df215c6de3aeb1cca1ce57d481d1b579b363a201236f361f62a8c4f484c1b
SHA512

f6d1122b1affb837b996ec325c89712f1230e49327f09d203ba618edb08d3372a3686bf56d908da14ebafbb9439fb30514dc6bfa534ee473c46450cc0264cc74
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBC9w4Sx:+R0pI/IQlUoMPdmpSp04

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2308	xoptisys.exe

Loads dropped DLL 1 IoCs

pid	Process
1464	b6eabcc159ee53868b6d73536039ab80N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc9S\\xoptisys.exe"	b6eabcc159ee53868b6d73536039ab80N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB10\\optidevsys.exe"	b6eabcc159ee53868b6d73536039ab80N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6eabcc159ee53868b6d73536039ab80N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptisys.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1464	b6eabcc159ee53868b6d73536039ab80N.exe
1464	b6eabcc159ee53868b6d73536039ab80N.exe
2308	xoptisys.exe
1464	b6eabcc159ee53868b6d73536039ab80N.exe
2308	xoptisys.exe
1464	b6eabcc159ee53868b6d73536039ab80N.exe
2308	xoptisys.exe
1464	b6eabcc159ee53868b6d73536039ab80N.exe
2308	xoptisys.exe
1464	b6eabcc159ee53868b6d73536039ab80N.exe
2308	xoptisys.exe
1464	b6eabcc159ee53868b6d73536039ab80N.exe
2308	xoptisys.exe
1464	b6eabcc159ee53868b6d73536039ab80N.exe
2308	xoptisys.exe
1464	b6eabcc159ee53868b6d73536039ab80N.exe
2308	xoptisys.exe
1464	b6eabcc159ee53868b6d73536039ab80N.exe
2308	xoptisys.exe
1464	b6eabcc159ee53868b6d73536039ab80N.exe
2308	xoptisys.exe
1464	b6eabcc159ee53868b6d73536039ab80N.exe
2308	xoptisys.exe
1464	b6eabcc159ee53868b6d73536039ab80N.exe
2308	xoptisys.exe
1464	b6eabcc159ee53868b6d73536039ab80N.exe
2308	xoptisys.exe
1464	b6eabcc159ee53868b6d73536039ab80N.exe
2308	xoptisys.exe
1464	b6eabcc159ee53868b6d73536039ab80N.exe
2308	xoptisys.exe
1464	b6eabcc159ee53868b6d73536039ab80N.exe
2308	xoptisys.exe
1464	b6eabcc159ee53868b6d73536039ab80N.exe
2308	xoptisys.exe
1464	b6eabcc159ee53868b6d73536039ab80N.exe
2308	xoptisys.exe
1464	b6eabcc159ee53868b6d73536039ab80N.exe
2308	xoptisys.exe
1464	b6eabcc159ee53868b6d73536039ab80N.exe
2308	xoptisys.exe
1464	b6eabcc159ee53868b6d73536039ab80N.exe
2308	xoptisys.exe
1464	b6eabcc159ee53868b6d73536039ab80N.exe
2308	xoptisys.exe
1464	b6eabcc159ee53868b6d73536039ab80N.exe
2308	xoptisys.exe
1464	b6eabcc159ee53868b6d73536039ab80N.exe
2308	xoptisys.exe
1464	b6eabcc159ee53868b6d73536039ab80N.exe
2308	xoptisys.exe
1464	b6eabcc159ee53868b6d73536039ab80N.exe
2308	xoptisys.exe
1464	b6eabcc159ee53868b6d73536039ab80N.exe
2308	xoptisys.exe
1464	b6eabcc159ee53868b6d73536039ab80N.exe
2308	xoptisys.exe
1464	b6eabcc159ee53868b6d73536039ab80N.exe
2308	xoptisys.exe
1464	b6eabcc159ee53868b6d73536039ab80N.exe
2308	xoptisys.exe
1464	b6eabcc159ee53868b6d73536039ab80N.exe
2308	xoptisys.exe
1464	b6eabcc159ee53868b6d73536039ab80N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 2308	1464	b6eabcc159ee53868b6d73536039ab80N.exe	30
PID 1464 wrote to memory of 2308	1464	b6eabcc159ee53868b6d73536039ab80N.exe	30
PID 1464 wrote to memory of 2308	1464	b6eabcc159ee53868b6d73536039ab80N.exe	30
PID 1464 wrote to memory of 2308	1464	b6eabcc159ee53868b6d73536039ab80N.exe	30

C:\Users\Admin\AppData\Local\Temp\b6eabcc159ee53868b6d73536039ab80N.exe
"C:\Users\Admin\AppData\Local\Temp\b6eabcc159ee53868b6d73536039ab80N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Intelproc9S\xoptisys.exe
  C:\Intelproc9S\xoptisys.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVB10\optidevsys.exe

Filesize
2.7MB

MD5
b1e9548fcad63be658112d9fff9ad602

SHA1
de471cbacf36ace84027b8a7bc09f18a601d48e7

SHA256
8bce90216c1d270f896651d064d22b493b18aba909c51b59e58b481e7242f3f9

SHA512
368a1c516a94cbdf97f694328cbb032cb1d3c0aa2d9d00f8d1217d3ee9d9cd8c508059f6cb88e37d57bf74e2a5bcb12286d239286cf65d8413614dab8d38205d

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
208B

MD5
8b7ebd62797ba6fbaf776cd124636ff5

SHA1
8c7d4e3a7a39355a138f6b1c30dfea45b9a0568e

SHA256
2c6a9631c2553dede46d8d0dde873f592a8f1ec68e51c62f054460ce4de6126a

SHA512
0349c4883c00e83d9654149ffaac64fb9bb025b3f1bd7f977400b067232bfa0444fc8e30dc1dce990ab481051d8d88b90c44cd3ecd0f173270295ef36d9358dd

Download Submit
\Intelproc9S\xoptisys.exe

Filesize
2.7MB

MD5
272e53d478a129d9063d43a7791625fe

SHA1
c0313fad4cf612dafd7234435f5e9c4f6f2c69c5

SHA256
628671d54b7f2e94b364d1d1189ac36892aacb5a601c755a1af79ddf085b0af0

SHA512
0c34251278723afebb164587c34289492ebec68d4eb0e3ef7693251b8a0e75869be8ff92bd860accb65f59ee47f14e9e2fea0035d8d8d26a8b802715d970401e

Download Submit