Analysis Overview
SHA256
8a97dbf067499cd6a2d8bfcf9fc18f4b494eac273770d663bd949eb8ccb4a46b
Threat Level: Shows suspicious behavior
The file 8a97dbf067499cd6a2d8bfcf9fc18f4b494eac273770d663bd949eb8ccb4a46b was classified as: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 23:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 23:58
Reported
2024-06-04 00:01
Platform
win7-20240221-en
Max time kernel
149s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | C:\Users\Admin\AppData\Local\Temp\8a97dbf067499cd6a2d8bfcf9fc18f4b494eac273770d663bd949eb8ccb4a46b.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| N/A | N/A | C:\FilesZ3\xoptiloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8a97dbf067499cd6a2d8bfcf9fc18f4b494eac273770d663bd949eb8ccb4a46b.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesZ3\\xoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\8a97dbf067499cd6a2d8bfcf9fc18f4b494eac273770d663bd949eb8ccb4a46b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintSN\\optidevec.exe" | C:\Users\Admin\AppData\Local\Temp\8a97dbf067499cd6a2d8bfcf9fc18f4b494eac273770d663bd949eb8ccb4a46b.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8a97dbf067499cd6a2d8bfcf9fc18f4b494eac273770d663bd949eb8ccb4a46b.exe
"C:\Users\Admin\AppData\Local\Temp\8a97dbf067499cd6a2d8bfcf9fc18f4b494eac273770d663bd949eb8ccb4a46b.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
C:\FilesZ3\xoptiloc.exe
C:\FilesZ3\xoptiloc.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\FilesZ3\xoptiloc.exe
C:\MintSN\optidevec.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 23:58
Reported
2024-06-04 00:01
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
102s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | C:\Users\Admin\AppData\Local\Temp\8a97dbf067499cd6a2d8bfcf9fc18f4b494eac273770d663bd949eb8ccb4a46b.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| N/A | N/A | C:\UserDotHU\devbodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotHU\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\8a97dbf067499cd6a2d8bfcf9fc18f4b494eac273770d663bd949eb8ccb4a46b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint94\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\8a97dbf067499cd6a2d8bfcf9fc18f4b494eac273770d663bd949eb8ccb4a46b.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8a97dbf067499cd6a2d8bfcf9fc18f4b494eac273770d663bd949eb8ccb4a46b.exe
"C:\Users\Admin\AppData\Local\Temp\8a97dbf067499cd6a2d8bfcf9fc18f4b494eac273770d663bd949eb8ccb4a46b.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
C:\UserDotHU\devbodec.exe
C:\UserDotHU\devbodec.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\UserDotHU\devbodec.exe
C:\Mint94\optidevsys.exe