Analysis Overview
SHA256
efeefb84176a41b672555a90300daeb286a159ec1b523c8162595c06a69091f2
Threat Level: Shows suspicious behavior
The file efeefb84176a41b672555a90300daeb286a159ec1b523c8162595c06a69091f2 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:23
Reported
2024-06-03 05:25
Platform
win7-20240221-en
Max time kernel
149s
Max time network
121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\UserDotGG\adobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\efeefb84176a41b672555a90300daeb286a159ec1b523c8162595c06a69091f2.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBJL\\optialoc.exe" | C:\Users\Admin\AppData\Local\Temp\efeefb84176a41b672555a90300daeb286a159ec1b523c8162595c06a69091f2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotGG\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\efeefb84176a41b672555a90300daeb286a159ec1b523c8162595c06a69091f2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2204 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\efeefb84176a41b672555a90300daeb286a159ec1b523c8162595c06a69091f2.exe | C:\UserDotGG\adobsys.exe |
| PID 2204 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\efeefb84176a41b672555a90300daeb286a159ec1b523c8162595c06a69091f2.exe | C:\UserDotGG\adobsys.exe |
| PID 2204 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\efeefb84176a41b672555a90300daeb286a159ec1b523c8162595c06a69091f2.exe | C:\UserDotGG\adobsys.exe |
| PID 2204 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\efeefb84176a41b672555a90300daeb286a159ec1b523c8162595c06a69091f2.exe | C:\UserDotGG\adobsys.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\efeefb84176a41b672555a90300daeb286a159ec1b523c8162595c06a69091f2.exe
"C:\Users\Admin\AppData\Local\Temp\efeefb84176a41b672555a90300daeb286a159ec1b523c8162595c06a69091f2.exe"
C:\UserDotGG\adobsys.exe
C:\UserDotGG\adobsys.exe
Network
Files
\UserDotGG\adobsys.exe
| MD5 | ea2cb56766651d3326f9fd36e3837dc2 |
| SHA1 | 652c487924fe3f4e123c62b6f6f82d0b87ace9c3 |
| SHA256 | 11ccb8d0bb7643a2df8a980d0f8c32ba361492780b03d796ac7c8073322fd051 |
| SHA512 | fba313bef9d5de6a89cea04112c7dd9b146d48063eb53662c41bf9b40f257bcf50d4ff9291431e1efbbdc4d090706cdb5ef809ca8a0d6ef74fd4e5e3199f89ce |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | a295a1512bdd46feb147689c33d1ecdf |
| SHA1 | a2f6a30aadc853e37c3031eaf131438f73073076 |
| SHA256 | a6c87cd5d00f8384da55c4f39e418634c8bc9e2c7a591e145a4028bf3bb122dd |
| SHA512 | 531c3d6ac7a0e965691c7d0d8586f73a34ec6985329291cacd2487a30be1323b0248f4a052b6d1a1082056fd09ce1902a9b21b8f4d215da45afda9ac50992f55 |
C:\KaVBJL\optialoc.exe
| MD5 | d75965096608dae1ffd8530271fdaa28 |
| SHA1 | 545cf456e1b36ab763bf2138187eefcc48282a25 |
| SHA256 | cb12d2e86f3568c496b04eeb148ff4f14173527642d97e9ad5594a5735c99e68 |
| SHA512 | 9a724eeac5ad7a5a23c0e1b4d8df25dd2711ad03f394987f839e776ca367d855816259219ce302281959b6fe0880c5aa7893c6d66c4aef5e563a179574acda06 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:23
Reported
2024-06-03 05:25
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
94s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\FilesOR\xoptiloc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesOR\\xoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\efeefb84176a41b672555a90300daeb286a159ec1b523c8162595c06a69091f2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBYN\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\efeefb84176a41b672555a90300daeb286a159ec1b523c8162595c06a69091f2.exe | N/A |
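The Run and RunOnce values above, from both detonations, parsed and triaged by an added example (editor's code, not sandbox output). The four indicator strings are copied verbatim from the report; the fifth benign-looking entry (ExampleUpdater) and the flagging rules are the editor's own assumptions, included to show the rules do not fire on every autorun:

```python
"""
Autorun triage for the 'Adds Run key to start application' signatures.
Added example, not sandbox output: parses the indicator strings from both
detonations into structured entries and flags the ones worth hunting for.
The flagging rules are this editor's heuristics, not the sandbox's.
"""
import re
from dataclasses import dataclass

# Constructed input: the four 'Set value (str)' indicators copied from
# behavioral1 and behavioral2, plus one invented benign-looking entry
# (not from the report) to show that the rules do not fire on everything.
RUN_KEY_INDICATORS = [
    r'\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBJL\\optialoc.exe"',
    r'\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotGG\\adobsys.exe"',
    r'\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesOR\\xoptiloc.exe"',
    r'\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBYN\\optidevsys.exe"',
    r'\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater = "C:\\Users\\Admin\\AppData\\Local\\ExampleVendor\\updater.exe" /background',
]

@dataclass(frozen=True)
class AutorunEntry:
    sid: str         # user SID under HKEY_USERS, i.e. HKCU of the detonation user
    key: str         # "Run" or "RunOnce"
    value_name: str  # registry value name ("Parametr" in every real row above)
    target: str      # executable path, with the sandbox's doubled backslashes undone
    args: str        # anything after the closing quote, usually empty

INDICATOR_RE = re.compile(
    r'^\\REGISTRY\\USER\\(?P<sid>S-1-5-21-[\d-]+)\\'
    r'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\(?P<key>RunOnce|Run)\\'
    r'(?P<name>[^\\=]+?)\s*=\s*"(?P<target>[^"]*)"(?P<args>.*)$',
    re.IGNORECASE,
)

def parse_indicator(line: str) -> AutorunEntry:
    """Turn one 'Set value (str)' indicator into an AutorunEntry; raises on anything else."""
    m = INDICATOR_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a Run/RunOnce 'Set value' indicator: {line!r}")
    return AutorunEntry(
        sid=m.group("sid"),
        key=m.group("key"),
        value_name=m.group("name"),
        target=m.group("target").replace("\\\\", "\\"),
        args=m.group("args").strip(),
    )

# Directory names that legitimately sit directly under a drive root.
EXPECTED_ROOT_DIRS = {"windows", "program files", "program files (x86)", "programdata", "users", "perflogs"}

def suspicious_reasons(entry: AutorunEntry) -> list[str]:
    """Per-entry rule: an autorun target inside a made-up top-level directory."""
    reasons = []
    parts = entry.target.split("\\")  # e.g. ['C:', 'KaVBJL', 'optialoc.exe']
    if len(parts) == 3 and parts[1].lower() not in EXPECTED_ROOT_DIRS:
        reasons.append(f"target in non-standard top-level directory {parts[0]}\\{parts[1]}")
    return reasons

def triage(lines: list[str]) -> list[tuple[AutorunEntry, list[str]]]:
    """Parse every indicator and return the flagged entries with their reasons.

    Cross-entry rule: one value name pointing at several different executables
    (as 'Parametr' does across Run, RunOnce and both detonations) is a better
    hunting pivot than any single path, because the directory names are randomised.
    """
    entries = [parse_indicator(line) for line in lines]
    targets_by_name: dict[str, set[str]] = {}
    for e in entries:
        targets_by_name.setdefault(e.value_name, set()).add(e.target)
    flagged = []
    for e in entries:
        reasons = suspicious_reasons(e)
        if len(targets_by_name[e.value_name]) > 1:
            reasons.append(f"value name {e.value_name!r} reused for {len(targets_by_name[e.value_name])} different targets")
        if reasons:
            flagged.append((e, reasons))
    return flagged

if __name__ == "__main__":
    for entry, reasons in triage(RUN_KEY_INDICATORS):
        print(f"{entry.key}\\{entry.value_name} -> {entry.target}")
        for r in reasons:
            print("   ", r)
```

A RunOnce value is deleted by Windows when it is consumed at the next logon, so a registry check on a host after a reboot may show only the Run value; the dropped file paths listed in the Files tables are the more durable artefacts to look for.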
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2868 wrote to memory of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\efeefb84176a41b672555a90300daeb286a159ec1b523c8162595c06a69091f2.exe | C:\FilesOR\xoptiloc.exe |
| PID 2868 wrote to memory of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\efeefb84176a41b672555a90300daeb286a159ec1b523c8162595c06a69091f2.exe | C:\FilesOR\xoptiloc.exe |
| PID 2868 wrote to memory of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\efeefb84176a41b672555a90300daeb286a159ec1b523c8162595c06a69091f2.exe | C:\FilesOR\xoptiloc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\efeefb84176a41b672555a90300daeb286a159ec1b523c8162595c06a69091f2.exe
"C:\Users\Admin\AppData\Local\Temp\efeefb84176a41b672555a90300daeb286a159ec1b523c8162595c06a69091f2.exe"
C:\FilesOR\xoptiloc.exe
C:\FilesOR\xoptiloc.exe
Network
| Country | Destination | Domain (reverse PTR query name) | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
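Every Network row above is a PTR (reverse) lookup sent to 8.8.8.8, so each name in the Domain column is an IPv4 address written octet-reversed under in-addr.arpa; no forward A/AAAA query for a hostname appears in the table. The following added example (editor's code, not sandbox output) turns each name back into the address that was looked up and separates RFC 1918 private ranges, which would point at internal reconnaissance, from public ones. The query list is copied from the table; the validation rules are the editor's:

```python
"""
Decoding the reverse-lookup names in the Network table.
Added example, not sandbox output.
"""
import ipaddress

# Constructed input: the Domain column of behavioral2's Network table, verbatim.
PTR_QUERIES = [
    "8.8.8.8.in-addr.arpa",
    "28.118.140.52.in-addr.arpa",
    "144.107.17.2.in-addr.arpa",
    "71.159.190.20.in-addr.arpa",
    "95.221.229.192.in-addr.arpa",
    "149.220.183.52.in-addr.arpa",
    "86.23.85.13.in-addr.arpa",
    "198.187.3.20.in-addr.arpa",
    "82.90.14.23.in-addr.arpa",
    "14.227.111.52.in-addr.arpa",
    "0.205.248.87.in-addr.arpa",
]

REVERSE_SUFFIX = ".in-addr.arpa"

def ptr_to_ipv4(name: str) -> ipaddress.IPv4Address:
    """Map 'd.c.b.a.in-addr.arpa' back to a.b.c.d; rejects anything that is not a full IPv4 reverse name."""
    if not name.lower().endswith(REVERSE_SUFFIX):
        raise ValueError(f"not an IPv4 reverse name: {name!r}")
    octets = name[: -len(REVERSE_SUFFIX)].split(".")
    if len(octets) != 4:
        # Partial zone names such as '52.in-addr.arpa' are valid DNS but not a host lookup.
        raise ValueError(f"expected 4 octets, got {len(octets)}: {name!r}")
    return ipaddress.IPv4Address(".".join(reversed(octets)))  # raises on a malformed octet

def classify_ptr_queries(names: list[str]) -> dict[str, list[str]]:
    """Group the looked-up addresses: private ones would hint at internal recon, public ones at external hosts."""
    grouped: dict[str, list[str]] = {"private": [], "public": []}
    for n in names:
        ip = ptr_to_ipv4(n)
        grouped["private" if ip.is_private else "public"].append(str(ip))
    return grouped

if __name__ == "__main__":
    for bucket, ips in classify_ptr_queries(PTR_QUERIES).items():
        print(bucket, ips)
```

The decoded addresses are what to pivot on against passive DNS or your own proxy logs; the reversed names in the table will not match anything there as written.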
Files
C:\FilesOR\xoptiloc.exe
| MD5 | e1dcd12663d5f5844f7a9726c24ae11c |
| SHA1 | 03fe106acd86e7ed0a5d2ba50d3d50c7f5f361b1 |
| SHA256 | adce075e24c428a1c1047d71b0dcfca50869b5aa5e9a4b0963b0e82ba4c329af |
| SHA512 | b46d7f6f0540dbc813d77167a91ee8b8b98d721783073a8beb4856892217b36d506bf6934355ea48cfdc8baa384a91ece2e18dde92b492bb57495dc44bd841c8 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 11927baba8b561d8da816bb04f279ff6 |
| SHA1 | 4d7f613924cd382c1b194d3ce025498a0f0611a7 |
| SHA256 | d501b64d335659fea479e0da1c4fa14e16e44aee66b1b24c6877d06ec9f13024 |
| SHA512 | 6adca752d0fc10e13de35629980b119e8b4c79b7c1d8b28b83f580226b9757b90d4db9e8dab4ed939e2a7bcdc2083fced26ea4c66b6ceacd2c9664f10fb26ed0 |
C:\KaVBYN\optidevsys.exe
| MD5 | 3c2d1004d0eaf1d05e477ecc4b548592 |
| SHA1 | 2f0a4454ee678d7e064b90bb5f30f779000fe8ae |
| SHA256 | d574ee866bce0edae34fb11a16ab23aa42791aa2291789e76f4ebacc2751475e |
| SHA512 | 062a54d216076de0ebaa17a426038fd98167b6f797e452099eaab74bdcbc97b74bb106c28e8e025c0833a5342231f6332310f1796a2ae737d45a48c510e10df8 |
C:\KaVBYN\optidevsys.exe
| MD5 | d28398eee7fb2775262da5ec82e0eb51 |
| SHA1 | 34e2b7e7beb690ab9addbf453bc04a33cb0636ee |
| SHA256 | 4ab33b1e70f456931aa2b52270e89b0f4b488d24a774be6cdc39e7ce0b4a7fba |
| SHA512 | 5c8397fdaf6d4ec861b426dbe58578d568ac7a6fad75a8b7e70289421429d42622ded6d2371827e24c97b7a329bd3ebce670812733ce9216f554ae9b8a3b19fe |