72035b0d72c89aab416ef1ae18e0d58315482749f2b0e55c672183616fd1004a

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07/08/2024, 02:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4b6d40611c6e4f3bb56445f38a8a8d50N.exe
Size

2.7MB
MD5

4b6d40611c6e4f3bb56445f38a8a8d50
SHA1

69038a113db73d091c3e70f25861956dec7e39f8
SHA256

72035b0d72c89aab416ef1ae18e0d58315482749f2b0e55c672183616fd1004a
SHA512

c38f3db6733a58cbb84e2ec32993792b6732ec0609bd099f6098acbb9d130975adc401a454089334f8903d013d6ac5a43f0182c02d0646be346ce5c60a1abecb
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBX9w4Sx:+R0pI/IQlUoMPdmpSpH4

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1364	xoptiec.exe

Loads dropped DLL 1 IoCs

pid	Process
2332	4b6d40611c6e4f3bb56445f38a8a8d50N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotHQ\\xoptiec.exe"	4b6d40611c6e4f3bb56445f38a8a8d50N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZM3\\boddevloc.exe"	4b6d40611c6e4f3bb56445f38a8a8d50N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b6d40611c6e4f3bb56445f38a8a8d50N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2332	4b6d40611c6e4f3bb56445f38a8a8d50N.exe
2332	4b6d40611c6e4f3bb56445f38a8a8d50N.exe
1364	xoptiec.exe
2332	4b6d40611c6e4f3bb56445f38a8a8d50N.exe
1364	xoptiec.exe
2332	4b6d40611c6e4f3bb56445f38a8a8d50N.exe
1364	xoptiec.exe
2332	4b6d40611c6e4f3bb56445f38a8a8d50N.exe
1364	xoptiec.exe
2332	4b6d40611c6e4f3bb56445f38a8a8d50N.exe
1364	xoptiec.exe
2332	4b6d40611c6e4f3bb56445f38a8a8d50N.exe
1364	xoptiec.exe
2332	4b6d40611c6e4f3bb56445f38a8a8d50N.exe
1364	xoptiec.exe
2332	4b6d40611c6e4f3bb56445f38a8a8d50N.exe
1364	xoptiec.exe
2332	4b6d40611c6e4f3bb56445f38a8a8d50N.exe
1364	xoptiec.exe
2332	4b6d40611c6e4f3bb56445f38a8a8d50N.exe
1364	xoptiec.exe
2332	4b6d40611c6e4f3bb56445f38a8a8d50N.exe
1364	xoptiec.exe
2332	4b6d40611c6e4f3bb56445f38a8a8d50N.exe
1364	xoptiec.exe
2332	4b6d40611c6e4f3bb56445f38a8a8d50N.exe
1364	xoptiec.exe
2332	4b6d40611c6e4f3bb56445f38a8a8d50N.exe
1364	xoptiec.exe
2332	4b6d40611c6e4f3bb56445f38a8a8d50N.exe
1364	xoptiec.exe
2332	4b6d40611c6e4f3bb56445f38a8a8d50N.exe
1364	xoptiec.exe
2332	4b6d40611c6e4f3bb56445f38a8a8d50N.exe
1364	xoptiec.exe
2332	4b6d40611c6e4f3bb56445f38a8a8d50N.exe
1364	xoptiec.exe
2332	4b6d40611c6e4f3bb56445f38a8a8d50N.exe
1364	xoptiec.exe
2332	4b6d40611c6e4f3bb56445f38a8a8d50N.exe
1364	xoptiec.exe
2332	4b6d40611c6e4f3bb56445f38a8a8d50N.exe
1364	xoptiec.exe
2332	4b6d40611c6e4f3bb56445f38a8a8d50N.exe
1364	xoptiec.exe
2332	4b6d40611c6e4f3bb56445f38a8a8d50N.exe
1364	xoptiec.exe
2332	4b6d40611c6e4f3bb56445f38a8a8d50N.exe
1364	xoptiec.exe
2332	4b6d40611c6e4f3bb56445f38a8a8d50N.exe
1364	xoptiec.exe
2332	4b6d40611c6e4f3bb56445f38a8a8d50N.exe
1364	xoptiec.exe
2332	4b6d40611c6e4f3bb56445f38a8a8d50N.exe
1364	xoptiec.exe
2332	4b6d40611c6e4f3bb56445f38a8a8d50N.exe
1364	xoptiec.exe
2332	4b6d40611c6e4f3bb56445f38a8a8d50N.exe
1364	xoptiec.exe
2332	4b6d40611c6e4f3bb56445f38a8a8d50N.exe
1364	xoptiec.exe
2332	4b6d40611c6e4f3bb56445f38a8a8d50N.exe
1364	xoptiec.exe
2332	4b6d40611c6e4f3bb56445f38a8a8d50N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 1364	2332	4b6d40611c6e4f3bb56445f38a8a8d50N.exe	31
PID 2332 wrote to memory of 1364	2332	4b6d40611c6e4f3bb56445f38a8a8d50N.exe	31
PID 2332 wrote to memory of 1364	2332	4b6d40611c6e4f3bb56445f38a8a8d50N.exe	31
PID 2332 wrote to memory of 1364	2332	4b6d40611c6e4f3bb56445f38a8a8d50N.exe	31

C:\Users\Admin\AppData\Local\Temp\4b6d40611c6e4f3bb56445f38a8a8d50N.exe
"C:\Users\Admin\AppData\Local\Temp\4b6d40611c6e4f3bb56445f38a8a8d50N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2332
- C:\UserDotHQ\xoptiec.exe
  C:\UserDotHQ\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LabZM3\boddevloc.exe

Filesize
54KB

MD5
dcba9dede3e33dc897d63d52686bee58

SHA1
bad60fc7bded2543a30ebcac9c6f9003dd15222f

SHA256
279d0c7982affa4c8dda9d9bec300319aa7ca5bed2f1d918e1435e14ca9dd764

SHA512
a502e511e779a98bd8a5e5c7e76cacb9d7eaadac61bce6724263025d3da1d1e251f8f279ef02db256209d093c406da7241103b85c6e34dc5eff46a60e7291a2b

Download Submit
C:\LabZM3\boddevloc.exe

Filesize
2.7MB

MD5
b9fb2434cd145495ed2c9089cb0e7e58

SHA1
a7b120297ddd04ab5b90af90d4d30b56c7e593dc

SHA256
27141ec7a6183db33789012d3a3c4105c1926ffec3a0e1636e0c144e4e17d8f3

SHA512
014e42dda0cc262bed0259a90c50dea4b2b5bb07587101374ff3a988b65b1786fcb0f4a24689297140de0f1afe953a5381798d43431b762118e3e85f75012d61

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
205B

MD5
2d0d1ebfb7fdbc2a661a1acfddf2a162

SHA1
e07ab7ddb557290097b05a3352a1eb3fd17cbd12

SHA256
9047512ecee1d799b6075b31601b6056eda46b8b3baf80117346736918535c3a

SHA512
af22da214cb0cdc9094ae7c2d1d6b154cde58bc6e195ad6429a5ec5be40eb756b38c788edf86e932b2d6ffc24ddb69aef19a23a5ea93682b247b6dd91be537e5

Download Submit
\UserDotHQ\xoptiec.exe

Filesize
2.7MB

MD5
84d56a87ab3ba571efb2930a0030ad5d

SHA1
fa490c49e15e99216ec1e0f8e922fc4e6baaffd1

SHA256
7e9ba2629d7222542fb1935a459256bcdbe9f70ca0f1735d528ed36e1620e461

SHA512
d84698cace95344481a3462446b789b5b174b719524ec2138b7f2cb1d0b731428c33a44fa74fbc53855e37f55bb63d2ec08623b129de0886426f6e64648130e9

Download Submit