Analysis Overview
SHA256
81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281
Threat Level: Shows suspicious behavior
The file 81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-21 14:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-21 14:06
Reported
2024-10-21 14:08
Platform
win7-20241010-en
Max time kernel
120s
Max time network
18s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | C:\Users\Admin\AppData\Local\Temp\81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| N/A | N/A | C:\IntelprocDA\devoptiloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocDA\\devoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidOV\\optidevloc.exe" | C:\Users\Admin\AppData\Local\Temp\81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocDA\devoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe
"C:\Users\Admin\AppData\Local\Temp\81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
C:\IntelprocDA\devoptiloc.exe
C:\IntelprocDA\devoptiloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
| MD5 | 06c284af3eee9c354c91a11ceaa9c2c5 |
| SHA1 | 9b9caa0e4cd5684f6f14f7df17d6a637986368ec |
| SHA256 | afd445c6356dd62253fc239bbd931c8d76e82e6017820d1c3fd9a2b5397e2c59 |
| SHA512 | 6edd7cfbc67ca443fcc5a929511a0c732d25eb8909d88e3502443fc70c1a274c0c1184dbab3b61219e45b1fde5bb278ea1644ccceb4243d8aa2b1c76f65014ac |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 246990f3df5ee902e609070782234d87 |
| SHA1 | baa7294ec0b081c8a4afbd3b3b5d3ae883b6378d |
| SHA256 | ef07da7d2ec485faf199040633d4cc2410c586d5c01d49e8d0ee70b6c0eea449 |
| SHA512 | 388f423f0be98c33e94798f3b5fc63912a77a099b78baa1096d5b4dc98fb7408f97d09f0e0ba16b04dcb734039057158b5c7a99a6a1f7df567bcf71d6534998c |
C:\IntelprocDA\devoptiloc.exe
| MD5 | 6ba76a2523d8758801d460e83b045f60 |
| SHA1 | e9d4803d9e80ebdac44f694abad3ff1660e47a2c |
| SHA256 | 1202d03192d7f4c2f00b629c16d27d1671f667857a9e6498b6ca1504ca61d958 |
| SHA512 | 3bf2b9fc054382fd74e4dce8af9206ffe360dbe9a3935ffc925a3c54ca2cf16cd1915d5b3e79a6d2a425cfe32ad7ccae439002729f5815676a273262f277a650 |
C:\VidOV\optidevloc.exe
| MD5 | 1cdae0f9db8f43a46dcba7f8bff780f3 |
| SHA1 | 005ddf225bcac2864ed87870882f7c7f5b27889d |
| SHA256 | 242fd72edcbc67ae38f8b551bf451592a56817c3a54e75144d85e1aa5bdcfe84 |
| SHA512 | 203a5010fe1ace346c8218aea276c99070215af070ec1d6e070b9bdb9bc796e247c1d3f1d850a914536d25be525f81c61a98839b57f287dd7a88389453c59d95 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 17e1756e81b9ccbd5c8310a1eb95a4c7 |
| SHA1 | a0daa095a6c26c89e6463218152c376cb5f13997 |
| SHA256 | ad90ab695789e54adbda35b86076ffa560ca798d5dc90a4dbe4315c0fb30a4c0 |
| SHA512 | c8bca9425ca12f4ad860601dae79645469997215746b9ddc1b246eb23de3430bb88ab95d5b823f28acb23c697a4d951fbc9ba2cbf6dfd7f644e9a3af159ba776 |
C:\VidOV\optidevloc.exe
| MD5 | c673def79898eb6634cc7189733ea732 |
| SHA1 | ad71b1b4e10769b4107e5e091a7e79e026d877a5 |
| SHA256 | fac1e415c6eb34d38bd015c6bc87ace7927ba602b610906806de5fbd80a66979 |
| SHA512 | fce34a10a06345c9a78e5471dbddb9557c1f81c08a67320a80743f5765871a820b7554e19fb0754c1d949d67320fae9176269bcf552f097680757b7a66b52109 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-21 14:06
Reported
2024-10-21 14:08
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
110s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | C:\Users\Admin\AppData\Local\Temp\81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| N/A | N/A | C:\AdobeHA\abodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintWF\\boddevsys.exe" | C:\Users\Admin\AppData\Local\Temp\81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeHA\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeHA\abodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe
"C:\Users\Admin\AppData\Local\Temp\81d247da528fd47ef2e6773204f5f0aff56e16f0a484cce1b3bf217a50568281N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
C:\AdobeHA\abodec.exe
C:\AdobeHA\abodec.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
| MD5 | c9cf926f245f36c4d22b62db54335ec2 |
| SHA1 | 56a9b9b0e6098f560a27bd08f0f65f63c0a87ddc |
| SHA256 | c86747233a5ccbe6ddd3a490454f7f385c3ed806bf00da85242017324401a7db |
| SHA512 | 834db0551c3de6e77812fbd57d93216ebb1057436789a33121004300d898a75b825cad442d6fc6ce18f3a3b6ddc66326fa3f47d5b982941adab90540dcb37840 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | bf3ac8f721c346a999b35651af86d8e2 |
| SHA1 | 43d3a2c14abfb970a1577c32d6c74b107d4f31b0 |
| SHA256 | 5bb0921bfb7da3aea4a40eca1253afd55b895846bf8506d2ecb841ff1c59b653 |
| SHA512 | 75059437184a3fb5d64eae6b619477750f4abbb59483153854a8d3b8364b8596862c6297638dc01ac98e75e783419dcb9fb83b40e99dca389de95f08b45e4d3b |
C:\AdobeHA\abodec.exe
| MD5 | 541fec65455d5b34bd07a7b314994d2c |
| SHA1 | 55079bcde6bbc149b17389609709433e60bfb3d4 |
| SHA256 | a426abba53e984d2d5760dc5deb76e09ebbb0d0d03e5cd262861f7afb8f71d4c |
| SHA512 | da54133de62360679354767fa7c44ea7c6e60cadc731344357b797e71a220936653e216b468a97b415fa4082ee2e3120ff9ebb80aac7b9a7238c6b8da7769b1e |
C:\AdobeHA\abodec.exe
| MD5 | c2b2acf0f8e200ca1969f8b7a2703454 |
| SHA1 | 5cd716b21080599f03a555919207831c2ccdb5f7 |
| SHA256 | c83ba2cd444c995b05d8d9b93040da48415066844c3166510c5dd27ff3524b36 |
| SHA512 | d0e0bdd53eca43f361e8bf9230879293585eb1bc2f926e5944d0eb371b46712da7df02f49a50296dac8977442184c706643897d6c33708184ef2a73454b6c078 |
C:\MintWF\boddevsys.exe
| MD5 | 9d1ab53997f65bc5185b49b6e2479ef2 |
| SHA1 | cb532aa628a2837e0752bd57d69b4451291e9f2d |
| SHA256 | 833d0577c3514dc8d97bc71854a30666efcc5ad75334cde6ade2f634c6ca0416 |
| SHA512 | 68ff0256151067ddddd4d98e0d075a3b5c7197dc87c2c65a12e0de39931c65a5d9b8f70f0c35857130625c6c4b51d2f212f5c74864e5f8a3b52afca76ecec0cc |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | bcc190c9fd19871f6cbac75c66a5d935 |
| SHA1 | 7d549713e91c2114d4d46b9ed569d5c73eeadf09 |
| SHA256 | 559be818e05fd6ba84f5de614955bf3bcc429659026f3ebbb7535b978ceebe05 |
| SHA512 | 2f63c823ecd949ac46f1341c958febc4c92a24510114c494813c709ea925449a95e1cb0d6117d1d0a925eb5b6e6e31a9a174380c8872aad79be772206bb4c616 |
C:\MintWF\boddevsys.exe
| MD5 | 5244a0d911bd0209858fb5dd73f185bd |
| SHA1 | bad354400dd074b1f428dfd77bb1e9d0fa33eae0 |
| SHA256 | 3f18d1d03400c4d710f34982399fe5eeb8c6a1ec26c52f5e60d3fbdbb38a176d |
| SHA512 | bb44dae1f47d312ba70fb07f3f78f118fc54476508654d8c920ccb2764e193de902fd13dcd82f6c9f4e48de5c8921272062cdb118ddd04725d702df7195b6d9d |