Analysis Overview
SHA256
8fe0161a0629d4228c0d1e071f05738d6340489ed9ea433a71ac027562000825
Threat Level: Shows suspicious behavior
The file 8fe0161a0629d4228c0d1e071f05738d6340489ed9ea433a71ac027562000825N was classified as showing suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-25 22:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-25 22:04
Reported
2024-10-25 22:06
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | C:\Users\Admin\AppData\Local\Temp\8fe0161a0629d4228c0d1e071f05738d6340489ed9ea433a71ac027562000825N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| N/A | N/A | C:\SysDrvNQ\aoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fe0161a0629d4228c0d1e071f05738d6340489ed9ea433a71ac027562000825N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fe0161a0629d4228c0d1e071f05738d6340489ed9ea433a71ac027562000825N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvNQ\\aoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\8fe0161a0629d4228c0d1e071f05738d6340489ed9ea433a71ac027562000825N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ81\\optixec.exe" | C:\Users\Admin\AppData\Local\Temp\8fe0161a0629d4228c0d1e071f05738d6340489ed9ea433a71ac027562000825N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8fe0161a0629d4228c0d1e071f05738d6340489ed9ea433a71ac027562000825N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvNQ\aoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8fe0161a0629d4228c0d1e071f05738d6340489ed9ea433a71ac027562000825N.exe
"C:\Users\Admin\AppData\Local\Temp\8fe0161a0629d4228c0d1e071f05738d6340489ed9ea433a71ac027562000825N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
C:\SysDrvNQ\aoptisys.exe
C:\SysDrvNQ\aoptisys.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\SysDrvNQ\aoptisys.exe
C:\LabZ81\optixec.exe
\SysDrvNQ\aoptisys.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\LabZ81\optixec.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-25 22:04
Reported
2024-10-25 22:06
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
111s
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | C:\Users\Admin\AppData\Local\Temp\8fe0161a0629d4228c0d1e071f05738d6340489ed9ea433a71ac027562000825N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| N/A | N/A | C:\SysDrvX4\aoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvX4\\aoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\8fe0161a0629d4228c0d1e071f05738d6340489ed9ea433a71ac027562000825N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxGP\\optidevec.exe" | C:\Users\Admin\AppData\Local\Temp\8fe0161a0629d4228c0d1e071f05738d6340489ed9ea433a71ac027562000825N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8fe0161a0629d4228c0d1e071f05738d6340489ed9ea433a71ac027562000825N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvX4\aoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8fe0161a0629d4228c0d1e071f05738d6340489ed9ea433a71ac027562000825N.exe
"C:\Users\Admin\AppData\Local\Temp\8fe0161a0629d4228c0d1e071f05738d6340489ed9ea433a71ac027562000825N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
C:\SysDrvX4\aoptiec.exe
C:\SysDrvX4\aoptiec.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\SysDrvX4\aoptiec.exe
C:\GalaxGP\optidevec.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\GalaxGP\optidevec.exe