Analysis Overview
SHA256
ae73b6aba183245d9515c595cea2b08f8d7d94b923dfde776ed1c530577c1c85
Threat Level: Shows suspicious behavior
The file ae73b6aba183245d9515c595cea2b08f8d7d94b923dfde776ed1c530577c1c85 was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-04 01:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-04 01:32
Reported
2024-06-04 01:35
Platform
win7-20240220-en
Max time kernel
149s
Max time network
120s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | C:\Users\Admin\AppData\Local\Temp\ae73b6aba183245d9515c595cea2b08f8d7d94b923dfde776ed1c530577c1c85.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| N/A | N/A | C:\UserDotJN\devoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ae73b6aba183245d9515c595cea2b08f8d7d94b923dfde776ed1c530577c1c85.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ae73b6aba183245d9515c595cea2b08f8d7d94b923dfde776ed1c530577c1c85.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid5P\\optialoc.exe" | C:\Users\Admin\AppData\Local\Temp\ae73b6aba183245d9515c595cea2b08f8d7d94b923dfde776ed1c530577c1c85.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotJN\\devoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\ae73b6aba183245d9515c595cea2b08f8d7d94b923dfde776ed1c530577c1c85.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\ae73b6aba183245d9515c595cea2b08f8d7d94b923dfde776ed1c530577c1c85.exe | "C:\Users\Admin\AppData\Local\Temp\ae73b6aba183245d9515c595cea2b08f8d7d94b923dfde776ed1c530577c1c85.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe" |
| C:\UserDotJN\devoptiec.exe | C:\UserDotJN\devoptiec.exe |
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
| MD5 | 7e6f550e957bfcaba74d93f132983caa |
| SHA1 | 2646d37159fd4fb8534fa820d525657ab567e130 |
| SHA256 | 82bdd49494e5db0aad3ae47d75da58d554d31b9441434c17cb766c52c3452f42 |
| SHA512 | 581428bf646e1dd7e4e1f1f9416f3cbd203f8b64bb7a0b8dad8d0d7a97f9b6311fa8a189eff7044627ae1d4f20bedf0d47ac9b15e6b9b28e5097bda25c744959 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 6e29d7d558eea4409d8272fe59d62cf9 |
| SHA1 | 84af99caaf18b772ed57a89560698f808c6fa739 |
| SHA256 | e1ba2135a7dbcfcc015549c331563a53b65c7afc8c36ff4a27e0f56c1bbfe719 |
| SHA512 | 2cb764f723956877b548cd698e40f73db794983aca45dceb243c648052179c0eb644e47ba22d81be9d0476f920676c5034f8d26895e993c92f19ebe897850be6 |
C:\UserDotJN\devoptiec.exe
| MD5 | 6ae33dba62ba03c774aad181438f2d1b |
| SHA1 | a53e730a731fd96df526eef602eb8195c270aaf8 |
| SHA256 | cc383c93ef24df81112a9325d60e48b63a327fccb42f093661933d2d38665e6e |
| SHA512 | 90ac5c62227ca0564b723519450d515c3d683c50b1834e91b5f6d76cda02d19a2fd91c029aa696b3fbb955b9dd711378198b3d7bd672e070074c79754ffbb285 |
C:\Vid5P\optialoc.exe
| MD5 | d29c25cd751fc582a4ba6d7b6924349d |
| SHA1 | 829b204e8cf4d731069f13df1b1c8006c12ddf61 |
| SHA256 | ab77e1aba69907b44cf5a28b37435e3ac0f375285be545f17f2186d18eaee478 |
| SHA512 | 65fe618d3009a4ec55c13268796fb6a580c270d60089d0883da051924fc915a816b425ae3f56d00990fab86c0ede7425ef1a2245b1a992f5e507bc9dfe5f2a0c |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 7bd0870cd2108f9bf21b3956542d3afa |
| SHA1 | 5f38ba8f5c07e4c2a8dc1e0ebea6e4f9e1b88c25 |
| SHA256 | 1c92b82e096cb45d8eb3a6102e1dc85cf76c79e651d1edd2e830326489bac42a |
| SHA512 | d098a029efe7a7f0dff3861e85cfdea2631f2fe04d61f82334e51cc54e3154175f27ee59bb8afef1226a27f2104b906d068f6174cb49dead5fd24a0fb1f393c9 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-04 01:32
Reported
2024-06-04 01:35
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\ae73b6aba183245d9515c595cea2b08f8d7d94b923dfde776ed1c530577c1c85.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\UserDotR3\adobec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotR3\\adobec.exe" | C:\Users\Admin\AppData\Local\Temp\ae73b6aba183245d9515c595cea2b08f8d7d94b923dfde776ed1c530577c1c85.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZLM\\dobdevsys.exe" | C:\Users\Admin\AppData\Local\Temp\ae73b6aba183245d9515c595cea2b08f8d7d94b923dfde776ed1c530577c1c85.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\ae73b6aba183245d9515c595cea2b08f8d7d94b923dfde776ed1c530577c1c85.exe | "C:\Users\Admin\AppData\Local\Temp\ae73b6aba183245d9515c595cea2b08f8d7d94b923dfde776ed1c530577c1c85.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe" |
| C:\UserDotR3\adobec.exe | C:\UserDotR3\adobec.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.253.116.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
| MD5 | cb342d8ffa4d3f03da326b6470f45a40 |
| SHA1 | a5693c3f6bc0e4f58f478a08cdaf1b015102aabb |
| SHA256 | a4cacf3129bf4cab298596bc3fca6386662cca68adadfeb4c03a64901ee7c4af |
| SHA512 | f06712041cd91269e9ce86116f1459566cd0eccf65d141f691a7f205967cd34458153445c17287d995b8173115cc42cb79072caae405a2733192dc6f1c10ad40 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 803a5762eaac2f56d9b4ed91087ba1bd |
| SHA1 | ea9d5aa945fcaca6274c8f47f44d04d7ab7c83c0 |
| SHA256 | 1f94361420b7f10f8ed5359770ae2d7c2fb2e942fccb42e6acf698fa56ec60b9 |
| SHA512 | ec74b704c9ace405525fee8485b51ce99466fbdecf45f3cd784dd0625cafa03c626e1cc3d48faa3d23e884bc6dc34778e23ab48cd222e140fe8b852ccc33e531 |
C:\UserDotR3\adobec.exe
| MD5 | b157791d914125e064efea500d248de1 |
| SHA1 | c7c6acd974f968d1f3ac6a72b090ffce6faf66fe |
| SHA256 | e9883d23100460d45c06dcd0696f05941a8e2c2e10f6eb8e602255fa04ab7293 |
| SHA512 | 08296c4b01831b1afd1a0424f172b7ce509b6782f30054bd558d63faa74094770f104d7cfd726edd2f26531ea4a06985cab1c5affecb7296ac7a3a432c0444b0 |
C:\UserDotR3\adobec.exe
| MD5 | 4e49e4496fa416902adeff07d74b215f |
| SHA1 | d93029c53be30caa9b6cf6683b73c8a0277afbe1 |
| SHA256 | 2a30404647ae5f2689edcf9d54146e8c3759ef4a02246866561716eb3a93d2f8 |
| SHA512 | f4b6df9e16d276e0a39a11648df2145da999b9f5880ee943f2b20cb454377a14d0bb028b66244c3f06370f7e34afc0c0bf32a816c504a63a6ab52f5a1b53653b |
C:\LabZLM\dobdevsys.exe
| MD5 | bd90b6926f8ff2d3bbba1a7c4afaad50 |
| SHA1 | f4b3c2095723c762caf470fbc288336d6061d1a0 |
| SHA256 | 46db6e4659ea7313160d1e0dfca15fbe95c00a84a6b60d8bd78faf0671b5002c |
| SHA512 | c2782b99d280602887e04272a11890a24af9962a05b381e76a4402404c483020e434ceeb07fb01287ff9ac1fc0b6e6d281fbf3dbce1277219bfa33c5f42116f2 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | fc070dafac46e205a39d0f8f1005ca29 |
| SHA1 | 5b1ee93ef0990f3580780e0e32d929565855aeb7 |
| SHA256 | fa89c66488dc1a021536d0dcddfbe181a2b976c7ae0b18b8d68855e070ed9437 |
| SHA512 | 9c3a0ec74371d1ca710fb4da7b4c4938a54d8e17755f268e818a3e2a171a14b1d67c73edc10625616135e10693c0acd4b9bd778f14babd2e307b2a0d5317669c |
C:\LabZLM\dobdevsys.exe
| MD5 | fad812a3fc9a4fdc30fffa9beb7fee8f |
| SHA1 | 2f561b7e594c39f7bd398b440955cac64b8697d2 |
| SHA256 | 9c54a41ef780a06400b191c5cdd8e3d4f8a0106bb7b116dd2e97ca27719aa5e6 |
| SHA512 | c8ee6754608d43b52aa953256371155f325db46616e241a1f5cc2dfbe3af03deecac368c22ac2f15df50571085012251f85ebcb4760a082f7b12b892a76a5dfe |
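The persistence signatures in both detonations (Drops startup file, Adds Run key to start application), the Files hash tables and the behavioral2 Network table are what an analyst turns into hunting IOCs. The script below is an added example, not part of this report or of the sandbox's tooling: it parses the report's own table layout (an excerpt of the behavioral2 section is embedded as a constructed sample, with SHA512 rows omitted) and normalizes it into file hashes, HKCU autorun entries and network destinations. Mapping `\REGISTRY\USER\<SID>` to HKCU is standard; the "outside standard roots" path heuristic and the filter that discards reverse-DNS lookups are this example's own assumptions.

```python
"""Convert a sandbox report's tables into hunting IOCs (added example)."""
import re

# Constructed sample: rows copied verbatim from the behavioral2 section of the
# report above; SHA512 rows are omitted to keep the excerpt short.
REPORT = r"""
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotR3\\adobec.exe" | C:\Users\Admin\AppData\Local\Temp\ae73b6aba183245d9515c595cea2b08f8d7d94b923dfde776ed1c530577c1c85.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZLM\\dobdevsys.exe" | C:\Users\Admin\AppData\Local\Temp\ae73b6aba183245d9515c595cea2b08f8d7d94b923dfde776ed1c530577c1c85.exe | N/A |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
| MD5 | cb342d8ffa4d3f03da326b6470f45a40 |
| SHA256 | a4cacf3129bf4cab298596bc3fca6386662cca68adadfeb4c03a64901ee7c4af |
C:\UserDotR3\adobec.exe
| MD5 | b157791d914125e064efea500d248de1 |
| SHA256 | e9883d23100460d45c06dcd0696f05941a8e2c2e10f6eb8e602255fa04ab7293 |
C:\UserDotR3\adobec.exe
| MD5 | 4e49e4496fa416902adeff07d74b215f |
| SHA256 | 2a30404647ae5f2689edcf9d54146e8c3759ef4a02246866561716eb3a93d2f8 |
"""

# \REGISTRY\USER\<SID>\<key>\<value name> = "<data>"  (the report's own layout)
REG_VALUE = re.compile(
    r'^\\REGISTRY\\USER\\(S-1-5-21-[\d-]+)\\(.+)\\([^\\]+) = "(.*)"$')
# Assumption (heuristic): top-level directories where autorun targets normally live.
STANDARD_ROOTS = {"program files", "program files (x86)", "windows",
                  "users", "programdata"}
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def _cells(line):
    return [c.strip() for c in line.strip().strip("|").split("|")]


def outside_standard_roots(path):
    # e.g. C:\UserDotR3\adobec.exe -> True; C:\Users\Admin\... -> False
    parts = path.split("\\")
    return len(parts) > 1 and parts[1].lower() not in STANDARD_ROOTS


def parse_persistence(indicator):
    """Normalize a 'Set value (str)' indicator into an HKCU autorun entry."""
    m = REG_VALUE.match(indicator)
    if not m:
        return None
    sid, key, name, data = m.groups()
    return {"hive": "HKCU",  # \REGISTRY\USER\<SID> is that user's HKCU
            "sid": sid, "key": key, "value_name": name,
            "target": data.replace("\\\\", "\\")}  # undo the report's escaping


def parse_report(text):
    iocs = {"files": [], "persistence": [], "network": []}
    section, current = None, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if not line.startswith("|"):
            # In the Files section a non-table line is a dropped-file path;
            # everywhere else it is a section heading.
            if section == "Files" and re.match(r"^[A-Za-z]:\\", line):
                current = {"path": line,
                           "startup_folder": STARTUP_DIR in line.lower()}
                iocs["files"].append(current)
            else:
                section, current = line, None
            continue
        cells = _cells(line)
        if section == "Files" and current and len(cells) == 2:
            current[cells[0].lower()] = cells[1]          # md5 / sha1 / sha256 ...
        elif section == "Adds Run key to start application" and cells[0] == "Set value (str)":
            entry = parse_persistence(cells[1])
            if entry:
                entry["writer"] = cells[2]
                entry["outside_standard_roots"] = outside_standard_roots(entry["target"])
                iocs["persistence"].append(entry)
        elif section == "Network" and len(cells) == 4 and cells[0] != "Country":
            iocs["network"].append(dict(zip(("country", "dest", "domain", "proto"), cells)))
    return iocs


def hash_set(iocs, algo="sha256"):
    return {f[algo] for f in iocs["files"] if algo in f}


def network_iocs(iocs):
    """Drop reverse-DNS (PTR) lookups, which name no destination worth hunting
    for, and collapse repeated connections to the same endpoint."""
    seen, out = set(), []
    for row in iocs["network"]:
        if row["domain"].endswith(".in-addr.arpa"):
            continue
        key = (row["dest"], row["domain"], row["proto"])
        if key not in seen:
            seen.add(key)
            out.append(row)
    return out


if __name__ == "__main__":
    r = parse_report(REPORT)
    for f in r["files"]:
        print(f.get("sha256"), f["path"], "(Startup folder)" if f["startup_folder"] else "")
    for p in r["persistence"]:
        print(p["hive"] + "\\" + p["key"] + "\\" + p["value_name"], "->", p["target"],
              "| outside standard roots:", p["outside_standard_roots"])
    for n in network_iocs(r):
        print(n["dest"], n["domain"], n["proto"])
```

The same file path appearing twice under Files (C:\UserDotR3\adobec.exe with two different hash sets) yields two file entries, so every observed content hash is kept. The Network table carries no process column, so the remaining bing.com destinations are not attributed to the sample by this report; treat them as context rather than command-and-control indicators unless a process-level capture ties them to one of the dropped executables.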