Analysis Overview
SHA256
5ec755cefc19e4f2f0a21400a65e763e0c38947b8d8aff87dc8a3b271e765a67
Threat Level: Shows suspicious behavior
The file 5ec755cefc19e4f2f0a21400a65e763e0c38947b8d8aff87dc8a3b271e765a67 was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 22:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 22:10
Reported
2024-06-03 22:12
Platform
win7-20240508-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\SysDrvWD\aoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5ec755cefc19e4f2f0a21400a65e763e0c38947b8d8aff87dc8a3b271e765a67.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBIJ\\optidevloc.exe" | C:\Users\Admin\AppData\Local\Temp\5ec755cefc19e4f2f0a21400a65e763e0c38947b8d8aff87dc8a3b271e765a67.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvWD\\aoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\5ec755cefc19e4f2f0a21400a65e763e0c38947b8d8aff87dc8a3b271e765a67.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2060 wrote to memory of 1144 | N/A | C:\Users\Admin\AppData\Local\Temp\5ec755cefc19e4f2f0a21400a65e763e0c38947b8d8aff87dc8a3b271e765a67.exe | C:\SysDrvWD\aoptisys.exe |
| PID 2060 wrote to memory of 1144 | N/A | C:\Users\Admin\AppData\Local\Temp\5ec755cefc19e4f2f0a21400a65e763e0c38947b8d8aff87dc8a3b271e765a67.exe | C:\SysDrvWD\aoptisys.exe |
| PID 2060 wrote to memory of 1144 | N/A | C:\Users\Admin\AppData\Local\Temp\5ec755cefc19e4f2f0a21400a65e763e0c38947b8d8aff87dc8a3b271e765a67.exe | C:\SysDrvWD\aoptisys.exe |
| PID 2060 wrote to memory of 1144 | N/A | C:\Users\Admin\AppData\Local\Temp\5ec755cefc19e4f2f0a21400a65e763e0c38947b8d8aff87dc8a3b271e765a67.exe | C:\SysDrvWD\aoptisys.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5ec755cefc19e4f2f0a21400a65e763e0c38947b8d8aff87dc8a3b271e765a67.exe
"C:\Users\Admin\AppData\Local\Temp\5ec755cefc19e4f2f0a21400a65e763e0c38947b8d8aff87dc8a3b271e765a67.exe"
C:\SysDrvWD\aoptisys.exe
C:\SysDrvWD\aoptisys.exe
Network
Files
\SysDrvWD\aoptisys.exe
| Hash | Value |
|---|---|
| MD5 | e82d98131f6a977ccaa5e0a6211838b5 |
| SHA1 | 1cbf32b352fa7cc3d41fbf4b961d9f8955df57cf |
| SHA256 | 026608a893c35ba6f05871324f644ecdcb6af67516876b9f8bff43f518bf63f7 |
| SHA512 | 50a69cd59fb1376d6164f31a7881d414e1c39c47fec650acf2d5ffa61f941b24eb3389cc439e7c274223fbc422b23c3d3d9b0b0ca793844b485c29de9f72ef6a |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | f3b5f9c79b296b545618900044ea077c |
| SHA1 | 6037ee6babed75b6c5c645970f1db46744d4c003 |
| SHA256 | 0baabb59efa680faf5232cc3df1ac0529e7aa73e7e641fc9fd55ee4a6de3c164 |
| SHA512 | 4a14b81ffc731a90bf38f00ac3ff757f5d1b9da4dd88562dd57a682a140188bda0fa455a47a168945a0d6dba8154c29ea6ecf1e021ff1aa16577bccbe2a65fbe |
C:\KaVBIJ\optidevloc.exe
| Hash | Value |
|---|---|
| MD5 | 727a99a6131c8e2b463e249c8ce1cc74 |
| SHA1 | 099ef1b56b2e947a07fe2cf6ac5643e519f94240 |
| SHA256 | e0190f84b545ac9f1dd89192099edcd1bb022f89bc3490795066ba2328fe0cdc |
| SHA512 | 02261ebf9f92fc9e52e76046bdaebcd8c3e5fdc65e501222ea849b092c8c5ef7b7fe3731f28d49278ee75957188e1a360fcc134a7fa026e427088b74964391d8 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 22:10
Reported
2024-06-03 22:12
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
133s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Files4C\adobsys.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files4C\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\5ec755cefc19e4f2f0a21400a65e763e0c38947b8d8aff87dc8a3b271e765a67.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ3Y\\optiasys.exe" | C:\Users\Admin\AppData\Local\Temp\5ec755cefc19e4f2f0a21400a65e763e0c38947b8d8aff87dc8a3b271e765a67.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3760 wrote to memory of 1084 | N/A | C:\Users\Admin\AppData\Local\Temp\5ec755cefc19e4f2f0a21400a65e763e0c38947b8d8aff87dc8a3b271e765a67.exe | C:\Files4C\adobsys.exe |
| PID 3760 wrote to memory of 1084 | N/A | C:\Users\Admin\AppData\Local\Temp\5ec755cefc19e4f2f0a21400a65e763e0c38947b8d8aff87dc8a3b271e765a67.exe | C:\Files4C\adobsys.exe |
| PID 3760 wrote to memory of 1084 | N/A | C:\Users\Admin\AppData\Local\Temp\5ec755cefc19e4f2f0a21400a65e763e0c38947b8d8aff87dc8a3b271e765a67.exe | C:\Files4C\adobsys.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5ec755cefc19e4f2f0a21400a65e763e0c38947b8d8aff87dc8a3b271e765a67.exe
"C:\Users\Admin\AppData\Local\Temp\5ec755cefc19e4f2f0a21400a65e763e0c38947b8d8aff87dc8a3b271e765a67.exe"
C:\Files4C\adobsys.exe
C:\Files4C\adobsys.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4212,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=1428 /prefetch:8
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Files4C\adobsys.exe
| Hash | Value |
|---|---|
| MD5 | 566738fb56e572c540adc4ba0d672865 |
| SHA1 | ed586cccabfbf40901a294393d6b7f134b7c75d5 |
| SHA256 | 5495ba315dc4accfe9acd45e57fa84f1ad67c223d57207e766afaeef5445fa6b |
| SHA512 | 676efdfe7bd1b6222566ae5b08e6e05d58848fee970e4b13180c90b491c0dd85273ad642a3d6afe9c21dd4bb4b138f231850bac1ec4677972508edb503ba6698 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 4a90378b67ddaeb37ea34f78cc078fd3 |
| SHA1 | 673b120aa02ee61b7163557ecedc4a256573bb4d |
| SHA256 | df235d63c8cc3773d9a72d2c7fab15b0215ea9b727af65bfb7d987c0dcaac170 |
| SHA512 | b137aa427d4a6f45910aeeb0ffa40e4a2dda73f6ca759a98aff6c8ac8daa9c1cdbd0413406b456a23ce61dec8dede841bd5f6d855ff57b9964288ec52dc5ecf6 |
C:\LabZ3Y\optiasys.exe
| Hash | Value |
|---|---|
| MD5 | eea8db9055b90d395d20762787564c4d |
| SHA1 | 7457d836426bd847ab09b951788128371d9e4c20 |
| SHA256 | 8863c40d3e01297250149f10801b4fc785c172e2fe32ce8b9c60794d727f58f7 |
| SHA512 | f6f9772eb9074529e511c7a72696d75287bca4533888ab547849a4c66b4ddbb129653b2b20148acc78ae2b466243008dc6ea5a18ce3e0225a7237ce03719d363 |