Analysis Overview
SHA256
ff863770f403717e0550f7f28025f4d0c66328dc2829c6dc61c08ee79e0267a4
Threat Level: Shows suspicious behavior
The file ff863770f403717e0550f7f28025f4d0c66328dc2829c6dc61c08ee79e0267a4 was assessed as: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:56
Reported
2024-06-03 05:58
Platform
win7-20240508-en
Max time kernel
149s
Max time network
123s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\UserDot4T\aoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ff863770f403717e0550f7f28025f4d0c66328dc2829c6dc61c08ee79e0267a4.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot4T\\aoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\ff863770f403717e0550f7f28025f4d0c66328dc2829c6dc61c08ee79e0267a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxMS\\optialoc.exe" | C:\Users\Admin\AppData\Local\Temp\ff863770f403717e0550f7f28025f4d0c66328dc2829c6dc61c08ee79e0267a4.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2976 wrote to memory of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\ff863770f403717e0550f7f28025f4d0c66328dc2829c6dc61c08ee79e0267a4.exe | C:\UserDot4T\aoptiec.exe |
| PID 2976 wrote to memory of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\ff863770f403717e0550f7f28025f4d0c66328dc2829c6dc61c08ee79e0267a4.exe | C:\UserDot4T\aoptiec.exe |
| PID 2976 wrote to memory of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\ff863770f403717e0550f7f28025f4d0c66328dc2829c6dc61c08ee79e0267a4.exe | C:\UserDot4T\aoptiec.exe |
| PID 2976 wrote to memory of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\ff863770f403717e0550f7f28025f4d0c66328dc2829c6dc61c08ee79e0267a4.exe | C:\UserDot4T\aoptiec.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ff863770f403717e0550f7f28025f4d0c66328dc2829c6dc61c08ee79e0267a4.exe
"C:\Users\Admin\AppData\Local\Temp\ff863770f403717e0550f7f28025f4d0c66328dc2829c6dc61c08ee79e0267a4.exe"
C:\UserDot4T\aoptiec.exe
C:\UserDot4T\aoptiec.exe
Network
Files
\UserDot4T\aoptiec.exe
| Hash | Value |
| --- | --- |
| MD5 | 757689e2599b3d43d1b40507d011d7ae |
| SHA1 | 0490d9b941a8cd87d9f8c0f46dc5681924b0c709 |
| SHA256 | 24ae0c8bbbf1e4be47c90d41f39f9f4991f8a3871c9f73c9a079cdce5c46442e |
| SHA512 | 6debaf651e273a284cde0e07d809fe23c889216da13da4e29da9ba76db3721082e5598128ff4592196e5e81c54250687edcb596107724f0b1573ba3ff2f6ac5a |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 426cfa41d6c7bc7424d6467aaa7661b2 |
| SHA1 | f50ad17a9c229e5d6089b3e80ecfaedbef083860 |
| SHA256 | 155f60fcb171b1a858c63587b781ddb653e3188375f0eb2e92152f903509430a |
| SHA512 | 09b0cf153d98452c19fca9551f982d7055903d447d9e5f054b064ef2187b71db42bddf576888720483c3d0ab35cfb76b33be74a2209debdff861c2a2c6ae2bab |
C:\GalaxMS\optialoc.exe
| Hash | Value |
| --- | --- |
| MD5 | b9b117307401723092442df8f7b1bba4 |
| SHA1 | 7de05ef17cfa729b2eff4b60d59d3d11754303ef |
| SHA256 | 103ad794bd799f8af00c81011a9e25aac6f49ecf859093cb6d72212155981073 |
| SHA512 | 2df3af0ac2cc5241f3e5d8d79a056eb1f42879f70d702b562948b24d86eb05d030eeb94aefbc89ac0fe487503f8f662fc70505b29611f12be432fd321515ac8b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:56
Reported
2024-06-03 05:58
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
103s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\IntelprocZG\devoptiloc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZA8\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\ff863770f403717e0550f7f28025f4d0c66328dc2829c6dc61c08ee79e0267a4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocZG\\devoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\ff863770f403717e0550f7f28025f4d0c66328dc2829c6dc61c08ee79e0267a4.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 772 wrote to memory of 4676 | N/A | C:\Users\Admin\AppData\Local\Temp\ff863770f403717e0550f7f28025f4d0c66328dc2829c6dc61c08ee79e0267a4.exe | C:\IntelprocZG\devoptiloc.exe |
| PID 772 wrote to memory of 4676 | N/A | C:\Users\Admin\AppData\Local\Temp\ff863770f403717e0550f7f28025f4d0c66328dc2829c6dc61c08ee79e0267a4.exe | C:\IntelprocZG\devoptiloc.exe |
| PID 772 wrote to memory of 4676 | N/A | C:\Users\Admin\AppData\Local\Temp\ff863770f403717e0550f7f28025f4d0c66328dc2829c6dc61c08ee79e0267a4.exe | C:\IntelprocZG\devoptiloc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ff863770f403717e0550f7f28025f4d0c66328dc2829c6dc61c08ee79e0267a4.exe
"C:\Users\Admin\AppData\Local\Temp\ff863770f403717e0550f7f28025f4d0c66328dc2829c6dc61c08ee79e0267a4.exe"
C:\IntelprocZG\devoptiloc.exe
C:\IntelprocZG\devoptiloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
Files
C:\IntelprocZG\devoptiloc.exe
| Hash | Value |
| --- | --- |
| MD5 | de0eb8165d2402b8cf376c3e5b0661a1 |
| SHA1 | 321be178da7a7cf39a97131cd994c17bfa5629f4 |
| SHA256 | 16bb0d11540b81df98668dae6b574198a13b20826a11e99628f3054c475f75c9 |
| SHA512 | e79b86e65208c245aabac53c5c29d0bf417d7c6d96d4c51fe4dc4ea2f6d5c45906841c4f1280b005c070ad48b9fc2759970a8832c49c581d95f12fc7934a19a6 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | f82f8b02dd72ad14a88d22c990b1a61e |
| SHA1 | 57764790cd64d398fedde845e245a89012e01ca5 |
| SHA256 | 339de77063a4bf1d14b17b5940efdcef321ff907a281831789fa5dc2af61b4bc |
| SHA512 | 2146b80835a0877b85f3c92297bf9c2ee78618184de676928f081b464cca2fd859551bf9dcd221262f496a78aa5487eed91b3d958b01f8d90214e99de57d8dab |
C:\LabZA8\bodasys.exe
| Hash | Value |
| --- | --- |
| MD5 | c41dc9af6b4d2a08015e3c5b0cb7301a |
| SHA1 | 7ab6efdaf5b348acdb7ea1f4818473a460ccbf67 |
| SHA256 | 5ecc0eda6b276364ee7bf1bf425e7db1c4c3c070dafa48eed9b441e6b60d1f3c |
| SHA512 | ca143456a373a076d715ead506f0f553aba551352d380cfdef32496c96c3b15b55cfe2390c5d1e5e9385ad9752d46b2dc99dd0634f1476a1e77a872bf0746f89 |