Analysis Overview
SHA256
fa8683e6074e413d311b3fe1e6d4a236bbac28fde546637385c58569f5a0132b
Threat Level: Shows suspicious behavior
The file fa8683e6074e413d311b3fe1e6d4a236bbac28fde546637385c58569f5a0132bN was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-25 23:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-25 23:35
Reported
2024-10-25 23:37
Platform
win7-20240708-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | C:\Users\Admin\AppData\Local\Temp\fa8683e6074e413d311b3fe1e6d4a236bbac28fde546637385c58569f5a0132bN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| N/A | N/A | C:\IntelprocH5\xoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fa8683e6074e413d311b3fe1e6d4a236bbac28fde546637385c58569f5a0132bN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fa8683e6074e413d311b3fe1e6d4a236bbac28fde546637385c58569f5a0132bN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocH5\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\fa8683e6074e413d311b3fe1e6d4a236bbac28fde546637385c58569f5a0132bN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ7C\\dobaloc.exe" | C:\Users\Admin\AppData\Local\Temp\fa8683e6074e413d311b3fe1e6d4a236bbac28fde546637385c58569f5a0132bN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fa8683e6074e413d311b3fe1e6d4a236bbac28fde546637385c58569f5a0132bN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocH5\xoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fa8683e6074e413d311b3fe1e6d4a236bbac28fde546637385c58569f5a0132bN.exe
"C:\Users\Admin\AppData\Local\Temp\fa8683e6074e413d311b3fe1e6d4a236bbac28fde546637385c58569f5a0132bN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
C:\IntelprocH5\xoptiec.exe
C:\IntelprocH5\xoptiec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
| MD5 | d4a1447243e5c13d0e21b6ab894fe4f6 |
| SHA1 | fc2df751fc8e96a6e3bd43e8ce107352bc3b67ce |
| SHA256 | ba5f0e2f6775754cefec9306b1b0614e777e3ee78bd9f452ffd3100471cda9f0 |
| SHA512 | 7d2ef355e902dc205ef7eb2a4426a6e0e293aa367f22a9faa4d91ac214559d79f0e7815ccf2d34450f47b357fb8418cd282d6b1a104d467b5f7ba4951dba24a3 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | ea0e8493712d04ad964a61b1c0f62084 |
| SHA1 | f75fb2c372f48ec5971f04d3ee07517d7977ed13 |
| SHA256 | de2d57ea6d3d0210f349052823d080420311ece296fdaa9cae5e1d80e3d129c5 |
| SHA512 | b7f78131231ed4bd7946536dbdf3512d2ad315d77b509457bdd86097ae6a3de16991b87867cbeb9b2589dc4ca45275b36bda76c60af6e075a3ea5bf3b58c1a0b |
C:\IntelprocH5\xoptiec.exe
| MD5 | 9388e57ebbb164d5da77d8feb692e28a |
| SHA1 | b42da051aea4b078bc43d7da99fd80d71913921b |
| SHA256 | 55916fe98ea4c5992f2107885b71299bdb2a3b2deb4dd643272e8eeb036ad801 |
| SHA512 | 3968aaff78df58acb63d77ea4f77e4c8849eac43e0deb8bf2e6ca5c2d14d91d559edaa135ad13afb487838fdb82f8a16020d95bac4ccf941d79a3c8620efe400 |
C:\LabZ7C\dobaloc.exe
| MD5 | cbb3f22bf78582da4c88c1dc6520963c |
| SHA1 | 79bb65eaf7f60e55f3fc5f64217c204880ae9fa6 |
| SHA256 | f58f26b6a5f6a85d9895a923714eebe9fc1b83478b9fbc4dee1beb1e9ecee34a |
| SHA512 | 4e3664c465857e0f7c4e3bae17c8cee88564e673ae996334a7312bc0d0b439250c6366e0e7e7f886a562ebed17c8a68b44c41d23152f7b6a7a46cc9b5fe52178 |
C:\IntelprocH5\xoptiec.exe
| MD5 | 389bd9a76ac00213d16b960c349b1425 |
| SHA1 | 49504504efe19b560cf0950a386fe49616a6eb2f |
| SHA256 | 37b4c9c363c28a180a7e4da39e3828af2d9f4b97b20635f5a052b860b4e4fa2c |
| SHA512 | 9c9d41cc4dd052f6dc93a661259ce0e9b7a7c37123d12d5de05ab4dd19dd0fadeeac82c120404a312f3ade01ace0d0e2bda14e91654bcecb869aff0507d59046 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 5919c829146c6fcddae0b596f9a79bd1 |
| SHA1 | 8e2eec003f9230901e187cafef3a07143f9b8bbe |
| SHA256 | c3bd9346b0f05bf4eb3d69760fd73182206ec9f40447fbaf35280a93fdec4d81 |
| SHA512 | f02190d490fb25c5641ec7f0a3836cd018cd4542f81856038fcd95da7bb7687e804cd0274ee1ba3dce3ebee23ada33eb16cfe68182b6065bd277fc548787f093 |
C:\LabZ7C\dobaloc.exe
| MD5 | 278e56bbf483e1ca0b00299fc83b2fc1 |
| SHA1 | 0105096677a52e4cbb74012c0ebd797e462ee4e3 |
| SHA256 | e845247066b5d111dc433ea3d5a25a21f9abb67a033b5694b2185ef09ce6d237 |
| SHA512 | 06af6dd8b596b6950ac49f34664a7eddf23e599e76d3ab04a5abd930be6615814fb993c9c8faca43eac17b273b9cf8fb52e3f9f1b478ba49d1298b346f58dd6f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-25 23:35
Reported
2024-10-25 23:37
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
103s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | C:\Users\Admin\AppData\Local\Temp\fa8683e6074e413d311b3fe1e6d4a236bbac28fde546637385c58569f5a0132bN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| N/A | N/A | C:\SysDrvIW\devbodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvIW\\devbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\fa8683e6074e413d311b3fe1e6d4a236bbac28fde546637385c58569f5a0132bN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZNJ\\optixsys.exe" | C:\Users\Admin\AppData\Local\Temp\fa8683e6074e413d311b3fe1e6d4a236bbac28fde546637385c58569f5a0132bN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fa8683e6074e413d311b3fe1e6d4a236bbac28fde546637385c58569f5a0132bN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvIW\devbodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fa8683e6074e413d311b3fe1e6d4a236bbac28fde546637385c58569f5a0132bN.exe
"C:\Users\Admin\AppData\Local\Temp\fa8683e6074e413d311b3fe1e6d4a236bbac28fde546637385c58569f5a0132bN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
C:\SysDrvIW\devbodsys.exe
C:\SysDrvIW\devbodsys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.108.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 110.11.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.108.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
| MD5 | aeaa6b4c2521897abfd197c8731f2174 |
| SHA1 | 5627439824ab54281be7a9d25f933392ff6449f2 |
| SHA256 | 2f2476bf0c9691b97264c53ad8700dcad5137bcc2532e931efd820b985406476 |
| SHA512 | 0249bc041c024e502f602606e77bad9853b762135eca5e3f5140cfaefda6c26b0bd64d5d222e1c49dda4d6ad8b0c9b495aa2cecb6f2e75002d0680aa461a1e3e |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 2d57c01145acfe85e5f4f652b095ba84 |
| SHA1 | 4e91932711c7ae0e08de16fbcde1eae2bd15f802 |
| SHA256 | ea85461d704bfe7a026151e8dfe0a5c857e456e9381685ebe145b0996837ab82 |
| SHA512 | 9e26a7b1f9a75bcd8a6eed3447edfd2153377b6dcc4f25a4ba508f3db284d8163acfa8db32933d4f4076a8f5205df83506b054e474252c36cec849d50b0cc878 |
C:\SysDrvIW\devbodsys.exe
| MD5 | 1749123ff2ba93ab1b67f8f5524b0d10 |
| SHA1 | a73f816a3336ba5219905983e810a00b7572b2b3 |
| SHA256 | bb3aeaaeb99f7f9d62529399b5baa77fc44dba9e7170a95ac6710f3daf7c7a6f |
| SHA512 | 91da74c5f7d3a7c2421f9a2c5491023f04654d3898c15b02214b8aac5f92019e358ad556e5c4af9bc3a3d69fe6374d15a128ed201c70f60fa9c3aeee8e8d900c |
C:\SysDrvIW\devbodsys.exe
| MD5 | 9529a4d2df2dbaac8ccc91b72f1655a4 |
| SHA1 | 11708b41f59681b36a71c7acd8eca7ad12d7719d |
| SHA256 | 7b31698bed63b607415a81695bdfbf1e5f8f8aad47ba630999d7b8202261ff78 |
| SHA512 | e43e82201dfa1258fe4c7245cd80ed2797fc9d2239ab9e2f8d65e9906ccc259a47a31864dbfcdedb906c2e3cb3361e07e6d2888b78789a9eb10f5f35c90b48a6 |
C:\LabZNJ\optixsys.exe
| MD5 | f3dd906d60525ba2db419afe3565952e |
| SHA1 | ebaf6473c9470b9bf49c81776a1216330976eb0a |
| SHA256 | f9eceb5be30c503dd63fe1ecca5eeee0b4785558ae1876e4041c863bc5a04e26 |
| SHA512 | 39924bb0cd94f1d1d1b7c0eb35b863ff97d9158f60fe9b2f0a16a6f81b9c2055f517a820fb3be93a5a6a84db00c2fa1c42ae3894639491ec020a663d21ae6d3e |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 75417847c8d2b2511903ae3289b1b9f3 |
| SHA1 | fade094533d6e5bac7e64010731af4a0f72443a9 |
| SHA256 | 1e5b3222309ae1150cd8a100f5f9663e2b185e2be5f5baebaeed9d9d02d30d4e |
| SHA512 | 8f2bee464c5bd8999f9439ff2834f6b08f3e72279fd3384c2229ac96d6e1c1aed7a5fb3228d9c562a6db07d50c32d04affad6731582c80da79d8e93909ca16f8 |
C:\LabZNJ\optixsys.exe
| MD5 | a4714de87633f4115eaab6d0595c358c |
| SHA1 | f0ae15ee64198ddf28087b58686dce5bae21b6a9 |
| SHA256 | dcf02863f1984890631708a9eb82c56aa4ec9a7b1286634c583dd9404ff8c110 |
| SHA512 | dbe16d34222a2d5653d0f93c18d0a94e368ed9ad7fe3ca0f0fddee44dcafee9d66b5ce7414228dd3de05f23a0ac7f74c41aecfa0f3b8911ea1bad62dd6105460 |