f075ae265a7bf8e69ed183de1e4f2febf47fd6a85ef02e15cd447cf27c13913f

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19-08-2024 11:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5d80d544ff59777a6f317c90c856840N.exe
Size

3.1MB
MD5

d5d80d544ff59777a6f317c90c856840
SHA1

dc067c25b6e55d17a0b6bcb77a82b48f96803e11
SHA256

f075ae265a7bf8e69ed183de1e4f2febf47fd6a85ef02e15cd447cf27c13913f
SHA512

5a09306e1aab66ac3c55b8a9f4eb8c6aab0db9d19fd7e3b8146c4e095eb6a74587ee29001e5886325627d50a0aeb14aa871b7b32c0c96d5b11b858ea654280ff
SSDEEP

49152:+R0p8xHycIq+GI27nGroMPTJPer1c2HSjpjK3LBf9w4Su+LNfej:+R0pI/IQlUoMPdmpSpX4JkNfej

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2208	xoptiec.exe

Loads dropped DLL 1 IoCs

pid	Process
2308	d5d80d544ff59777a6f317c90c856840N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobePX\\xoptiec.exe"	d5d80d544ff59777a6f317c90c856840N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidCI\\optidevloc.exe"	d5d80d544ff59777a6f317c90c856840N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5d80d544ff59777a6f317c90c856840N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptiec.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\AdminC(WW+H[HC9VHTPUNC4PJYVZVM[C>PUKV^ZC:[HY[4LU\C7YVNYHTZC:[HY[\WClocxopti.exe	d5d80d544ff59777a6f317c90c856840N.exe
File created	C:\Users\AdminC(WW+H[HC9VHTPUNC4PJYVZVM[C>PUKV^ZC:[HY[4LU\C7YVNYHTZC:[HY[\WClocxopti.exe	xoptiec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2308	d5d80d544ff59777a6f317c90c856840N.exe
2308	d5d80d544ff59777a6f317c90c856840N.exe
2208	xoptiec.exe
2308	d5d80d544ff59777a6f317c90c856840N.exe
2208	xoptiec.exe
2308	d5d80d544ff59777a6f317c90c856840N.exe
2208	xoptiec.exe
2308	d5d80d544ff59777a6f317c90c856840N.exe
2208	xoptiec.exe
2308	d5d80d544ff59777a6f317c90c856840N.exe
2208	xoptiec.exe
2308	d5d80d544ff59777a6f317c90c856840N.exe
2208	xoptiec.exe
2308	d5d80d544ff59777a6f317c90c856840N.exe
2208	xoptiec.exe
2308	d5d80d544ff59777a6f317c90c856840N.exe
2208	xoptiec.exe
2308	d5d80d544ff59777a6f317c90c856840N.exe
2208	xoptiec.exe
2308	d5d80d544ff59777a6f317c90c856840N.exe
2208	xoptiec.exe
2308	d5d80d544ff59777a6f317c90c856840N.exe
2208	xoptiec.exe
2308	d5d80d544ff59777a6f317c90c856840N.exe
2208	xoptiec.exe
2308	d5d80d544ff59777a6f317c90c856840N.exe
2208	xoptiec.exe
2308	d5d80d544ff59777a6f317c90c856840N.exe
2208	xoptiec.exe
2308	d5d80d544ff59777a6f317c90c856840N.exe
2208	xoptiec.exe
2308	d5d80d544ff59777a6f317c90c856840N.exe
2208	xoptiec.exe
2308	d5d80d544ff59777a6f317c90c856840N.exe
2208	xoptiec.exe
2308	d5d80d544ff59777a6f317c90c856840N.exe
2208	xoptiec.exe
2308	d5d80d544ff59777a6f317c90c856840N.exe
2208	xoptiec.exe
2308	d5d80d544ff59777a6f317c90c856840N.exe
2208	xoptiec.exe
2308	d5d80d544ff59777a6f317c90c856840N.exe
2208	xoptiec.exe
2308	d5d80d544ff59777a6f317c90c856840N.exe
2208	xoptiec.exe
2308	d5d80d544ff59777a6f317c90c856840N.exe
2208	xoptiec.exe
2308	d5d80d544ff59777a6f317c90c856840N.exe
2208	xoptiec.exe
2308	d5d80d544ff59777a6f317c90c856840N.exe
2208	xoptiec.exe
2308	d5d80d544ff59777a6f317c90c856840N.exe
2208	xoptiec.exe
2308	d5d80d544ff59777a6f317c90c856840N.exe
2208	xoptiec.exe
2308	d5d80d544ff59777a6f317c90c856840N.exe
2208	xoptiec.exe
2308	d5d80d544ff59777a6f317c90c856840N.exe
2208	xoptiec.exe
2308	d5d80d544ff59777a6f317c90c856840N.exe
2208	xoptiec.exe
2308	d5d80d544ff59777a6f317c90c856840N.exe
2208	xoptiec.exe
2308	d5d80d544ff59777a6f317c90c856840N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2208	2308	d5d80d544ff59777a6f317c90c856840N.exe	30
PID 2308 wrote to memory of 2208	2308	d5d80d544ff59777a6f317c90c856840N.exe	30
PID 2308 wrote to memory of 2208	2308	d5d80d544ff59777a6f317c90c856840N.exe	30
PID 2308 wrote to memory of 2208	2308	d5d80d544ff59777a6f317c90c856840N.exe	30

C:\Users\Admin\AppData\Local\Temp\d5d80d544ff59777a6f317c90c856840N.exe
"C:\Users\Admin\AppData\Local\Temp\d5d80d544ff59777a6f317c90c856840N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2308
- C:\AdobePX\xoptiec.exe
  C:\AdobePX\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
4ced49b72ac6495df5ba4568f1f310bb

SHA1
02167d5893e0bf321fde00921a77abedd52eac32

SHA256
b08494c61dac41a2c633146e4afa7efdd3ce33873235f81aff528d2d2c71a0f6

SHA512
8404a416bfaebc3700d07b40087c330e1a344f62ff4a961679a38a6989bd6cff949cf1ebd1bab673331a455b7b221161cb91ed734f5dec9130cbb31b9e8d7227

Download Submit
C:\VidCI\optidevloc.exe

Filesize
3.1MB

MD5
c805f3d1ff86926ec25923cba5a8ba6b

SHA1
e2f9effec5a7f196d7d4219e715fc01bd9eacba0

SHA256
aab6304c179c51eb15b9e0acb81d0960bb7f29752e7dc10d982e1ba95498455f

SHA512
426813e0e67a3024d983d7686471a846710d3957224d6acc6ad2b16e6b299d60ef2bfdb3661e9398536d0422befeb7f78b334713fa4640f87e42411583b68200

Download Submit
\AdobePX\xoptiec.exe

Filesize
3.1MB

MD5
e70d0c9bd08545ba30da6649c595ed6c

SHA1
0284dc32421e1ef2bb558e251b3455bc2ced0d39

SHA256
a5168fb1dcc723886a1446226dc8246a20a9dc64eaf4597f405e2f4f7008ac77

SHA512
2b6a73ccd1a4ef3a84dbea3d0f5bdfab38d6d142a5f99ae4ea92217c188558f047bb03a22bc6839d1ae07b7b8d836de779d7245316de59d3cd92ad32b6d59a15

Download Submit