Analysis Overview
SHA256
74fe4b130e5d9616fdb0a41c2adc84bcc4b8fe3f31caf3074e3eec9817259c53
Threat Level: Shows suspicious behavior
The file 74fe4b130e5d9616fdb0a41c2adc84bcc4b8fe3f31caf3074e3eec9817259c53 was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-30 23:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 23:23
Reported
2024-05-30 23:26
Platform
win7-20240215-en
Max time kernel
150s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | C:\Users\Admin\AppData\Local\Temp\74fe4b130e5d9616fdb0a41c2adc84bcc4b8fe3f31caf3074e3eec9817259c53.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| N/A | N/A | C:\SysDrvZH\xoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\74fe4b130e5d9616fdb0a41c2adc84bcc4b8fe3f31caf3074e3eec9817259c53.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\74fe4b130e5d9616fdb0a41c2adc84bcc4b8fe3f31caf3074e3eec9817259c53.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZCH\\boddevsys.exe" | C:\Users\Admin\AppData\Local\Temp\74fe4b130e5d9616fdb0a41c2adc84bcc4b8fe3f31caf3074e3eec9817259c53.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvZH\\xoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\74fe4b130e5d9616fdb0a41c2adc84bcc4b8fe3f31caf3074e3eec9817259c53.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\74fe4b130e5d9616fdb0a41c2adc84bcc4b8fe3f31caf3074e3eec9817259c53.exe | "C:\Users\Admin\AppData\Local\Temp\74fe4b130e5d9616fdb0a41c2adc84bcc4b8fe3f31caf3074e3eec9817259c53.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe" |
| C:\SysDrvZH\xoptisys.exe | C:\SysDrvZH\xoptisys.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\SysDrvZH\xoptisys.exe
C:\LabZCH\boddevsys.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-30 23:23
Reported
2024-05-30 23:26
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
156s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | C:\Users\Admin\AppData\Local\Temp\74fe4b130e5d9616fdb0a41c2adc84bcc4b8fe3f31caf3074e3eec9817259c53.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| N/A | N/A | C:\Adobe7Q\devdobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe7Q\\devdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\74fe4b130e5d9616fdb0a41c2adc84bcc4b8fe3f31caf3074e3eec9817259c53.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintFM\\optixloc.exe" | C:\Users\Admin\AppData\Local\Temp\74fe4b130e5d9616fdb0a41c2adc84bcc4b8fe3f31caf3074e3eec9817259c53.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\74fe4b130e5d9616fdb0a41c2adc84bcc4b8fe3f31caf3074e3eec9817259c53.exe | "C:\Users\Admin\AppData\Local\Temp\74fe4b130e5d9616fdb0a41c2adc84bcc4b8fe3f31caf3074e3eec9817259c53.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe" |
| C:\Adobe7Q\devdobsys.exe | C:\Adobe7Q\devdobsys.exe |
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
C:\Adobe7Q\devdobsys.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\MintFM\optixloc.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\MintFM\optixloc.exe