Analysis Overview
SHA256
a704d820425de8dd10721d27ba8508def59a7b3c4ac5c60736cec431786d9fca
Threat Level: Likely malicious
The file 06ab4933f4afb37257e7667d54115260N.exe was found to be: Likely malicious.
Malicious Activity Summary
Credentials from Password Stores: Credentials from Web Browsers
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-25 09:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-25 09:34
Reported
2024-08-25 09:36
Platform
win7-20240708-en
Max time kernel
119s
Max time network
18s
Command Line
Signatures
Credentials from Password Stores: Credentials from Web Browsers
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | C:\Users\Admin\AppData\Local\Temp\06ab4933f4afb37257e7667d54115260N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| N/A | N/A | C:\SysDrvDX\xoptiloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\06ab4933f4afb37257e7667d54115260N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\06ab4933f4afb37257e7667d54115260N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvDX\\xoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\06ab4933f4afb37257e7667d54115260N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintM2\\boddevsys.exe" | C:\Users\Admin\AppData\Local\Temp\06ab4933f4afb37257e7667d54115260N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\06ab4933f4afb37257e7667d54115260N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvDX\xoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\06ab4933f4afb37257e7667d54115260N.exe
"C:\Users\Admin\AppData\Local\Temp\06ab4933f4afb37257e7667d54115260N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
C:\SysDrvDX\xoptiloc.exe
C:\SysDrvDX\xoptiloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
| Hash | Value |
| --- | --- |
| MD5 | 67a115e234f79512a670558585a129b9 |
| SHA1 | 6effb2ff0c33e3c0da9837dbafd6324c019b8aa7 |
| SHA256 | 1edfbd32b409b6bae0bbe46e10c3b9bc5264b115558887ce25af4b6f1762f5a7 |
| SHA512 | eca9780437acd15b004dbc6a6d05884b2c64d82c33e1226e0185f85491f33f4ae643998df6c2c448ee527a8b281d910a8209c1834ef088981b66846186679d4f |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | e8fd9cb361fc1c595cf659c49b594724 |
| SHA1 | 1767c72787b1d4ed95f76734e169962a9ef34161 |
| SHA256 | 7c067c262e5cf4cafb43712980e3dfd51a5b6e538fe57c4649eda595a48701b6 |
| SHA512 | f57b46d3088536fb53345f705a6a26a1661c9d81f3bbf5898574919d7e4dc61fa8e7ef47af91196de52e16879d9db6c39f67fc7226e6f71270163954cc1ba55b |
C:\SysDrvDX\xoptiloc.exe
| Hash | Value |
| --- | --- |
| MD5 | c2a0e31345f0cca6624c5fe85abc5571 |
| SHA1 | 63f9ebdcf246e4c9a997222939e50402f5cf1383 |
| SHA256 | d497857a3f6012aa2e79ee00a2ed02dd4de8d5a9e44c1770b60884d6451e1919 |
| SHA512 | 1042cdfa04e8cd3757c61dd3da45b00089b65ee340e140d95094547d260945bb4b5f0009a15e9d794b709751c515602a69c957488ebea502af3d7defac9db628 |
C:\MintM2\boddevsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 286e1899230c4b996630982ec2790f87 |
| SHA1 | 54376cee9b1f22fa50bdfb0094696733aeb66a3d |
| SHA256 | 2ee60b367794776b9b3851b87f52f8aaa2900f58c7b48a26ad41d6a1ed1338cb |
| SHA512 | 981f4d612df3403138ff57d96ac519ccb6d6ebe5678885dc7aca500c1e07b9346edc3fd06fdd6a233bd901f1321b937f35c821acb18655474730ec0daf1c6c3a |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | fc7a2da98b7a663cad2b355d08d1d21e |
| SHA1 | c0e47b213e878a21a2473f92cc3968607f866c52 |
| SHA256 | fb108e294ccd1ef31eba001f0ce05fbb24d3f73b0cdc6fa461a971394f8f2926 |
| SHA512 | eb560eebc2025f41ffb93b58f93046af034ba90357ef11f45224caa2ebf7655889f52d052bd00d0a8ce60e322a7300debeb5da8150a3b9c2bcac537aedb315fe |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-25 09:34
Reported
2024-08-25 09:36
Platform
win10v2004-20240802-en
Max time kernel
119s
Max time network
109s
Command Line
Signatures
Credentials from Password Stores: Credentials from Web Browsers
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | C:\Users\Admin\AppData\Local\Temp\06ab4933f4afb37257e7667d54115260N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| N/A | N/A | C:\Intelproc8H\abodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc8H\\abodsys.exe" | C:\Users\Admin\AppData\Local\Temp\06ab4933f4afb37257e7667d54115260N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax6U\\optidevec.exe" | C:\Users\Admin\AppData\Local\Temp\06ab4933f4afb37257e7667d54115260N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\06ab4933f4afb37257e7667d54115260N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Intelproc8H\abodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\06ab4933f4afb37257e7667d54115260N.exe
"C:\Users\Admin\AppData\Local\Temp\06ab4933f4afb37257e7667d54115260N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
C:\Intelproc8H\abodsys.exe
C:\Intelproc8H\abodsys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
| Hash | Value |
| --- | --- |
| MD5 | 2c7ff2af4ab298cd8125f0e3763eb37a |
| SHA1 | 1b1ddb367f14b674c288c5f7cbbae7dcdfa0279e |
| SHA256 | 70b8595d98f0a96143f4ef1b40dcc61635ac4ba2a96c28d3dfe6da85cf6d5971 |
| SHA512 | a0341a6ccb83e6cbb78b8ad0d98541fb23b9e0374531b5786037ea6facc4096c84b015cbd80c19f1e0f41e351dbc99e81ca85a510bc051dd5995313dc9f0a3f5 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | ad1792ff874d021ad2079e9573db9b5e |
| SHA1 | ec5daf04bfe5d3e5d20fd1ec2e98354167b3c980 |
| SHA256 | 9c701101a5961d762ecb60e10ca5ff7c7d9aebccf4a970e4ac9bed97ba3c5d4a |
| SHA512 | 6856847fdd1a931d44d9057df720924530cc94650e7760e1c50a8023ddd03d7afe45a8f1dc9add5d01cc5367f8eb002a3dd9af45262567b347657c0b1f7c4e4c |
C:\Intelproc8H\abodsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 730fcf647371d2be0ab62507a736ba32 |
| SHA1 | f8ef8f0089c35b2d59cb6548f990f735fd86c491 |
| SHA256 | c253f4bc9c014d930508a42113f11cc78a256772c03aec3da17578f529db24ba |
| SHA512 | 56cbfc1ecaf9327c01468608307040ee0da26fa680e4f3f8439d881ae8a4952c3588084cfff7ca3b6479407cfba28a2166b47e8236c2852c1dabcf3a51dd75d3 |
C:\Galax6U\optidevec.exe
| Hash | Value |
| --- | --- |
| MD5 | 3159fc8dce15d04331f6815541f603a0 |
| SHA1 | 3940a252357ac6aab66663444310a0c09304618a |
| SHA256 | 5e749ab7c054d20086726a953c06d4f2f1377d1918c4833d28f08ca85072023f |
| SHA512 | c95856215c483c14533572d55b8b409a369f4d729a2e77a6a6a8211100d16dc5aa63f6e76772e061006f0821a6405a7750aeedf3a30434c97d533d42d5637f7c |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | e1354dde54bed2e3bd2945901c566dae |
| SHA1 | 0a3bf5d97cb0578286c6962f96036c7412af20c1 |
| SHA256 | 43d6a4b00a6f5b9b742b8d7ecac9667f392ffb1b472bbcf32189b94b657c088f |
| SHA512 | a2d4b5095c4c79175ac8f8264854fafeb1f3ecc6121bf351e9994a12a7f9390bec12c9875dcdb88bf0109fe998d2f2f17e02d2ae3e97bbb7c31fad81f644fde6 |
C:\Galax6U\optidevec.exe
| Hash | Value |
| --- | --- |
| MD5 | a77102dc232b9571bb41bcf334388820 |
| SHA1 | f16bd67b085bf76f710997524f02b9ffb67eea75 |
| SHA256 | 8bcdf63009ad06e96deb0120bb72bd14158d73e06c5f7ef30c1583f3f25c851b |
| SHA512 | 4fbfe00a542fc167a09b4e997b9708f5dd41945866f7466e59db96da7b0310e6ee29aa8f81a90b23f52b0765864fa06c85335a3db2636fe86622344d6522aee0 |