Analysis Overview
SHA256
0087706ecbfb4653a71826bd6c06352e988a3c101387e1e2c92d9f329783a9b0
Threat Level: Shows suspicious behavior
The file 0087706ecbfb4653a71826bd6c06352e988a3c101387e1e2c92d9f329783a9b0N was classified as: Shows suspicious behavior (no family match; the verdict rests on the behavioral signatures listed below).
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-25 23:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-25 23:50
Reported
2024-10-25 23:52
Platform
win7-20241010-en
Max time kernel
120s
Max time network
19s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | C:\Users\Admin\AppData\Local\Temp\0087706ecbfb4653a71826bd6c06352e988a3c101387e1e2c92d9f329783a9b0N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| N/A | N/A | C:\AdobeJO\devbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0087706ecbfb4653a71826bd6c06352e988a3c101387e1e2c92d9f329783a9b0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0087706ecbfb4653a71826bd6c06352e988a3c101387e1e2c92d9f329783a9b0N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeJO\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\0087706ecbfb4653a71826bd6c06352e988a3c101387e1e2c92d9f329783a9b0N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBRB\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\0087706ecbfb4653a71826bd6c06352e988a3c101387e1e2c92d9f329783a9b0N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0087706ecbfb4653a71826bd6c06352e988a3c101387e1e2c92d9f329783a9b0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeJO\devbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0087706ecbfb4653a71826bd6c06352e988a3c101387e1e2c92d9f329783a9b0N.exe
"C:\Users\Admin\AppData\Local\Temp\0087706ecbfb4653a71826bd6c06352e988a3c101387e1e2c92d9f329783a9b0N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
C:\AdobeJO\devbodloc.exe
C:\AdobeJO\devbodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
| MD5 | 8ba6dbc2480506dcc71f3b7828a0b6dd |
| SHA1 | dbf500d7c56aa75cc72f96b0a8be1bed266731c0 |
| SHA256 | e378279c6d2591b34b08220e445ede801474dcc4eace7b4b05c34b212de3083a |
| SHA512 | 7ac708663ef64af530a4aceb7b89634552136513a12acc40b527557be0415fc251fe7c10a12d01d9967de059e93dd77c743676c81d2fdcdc7937fc5043ce1f9f |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | e96ac680e159bbd72b2ee5d90aa5a5ca |
| SHA1 | 214d2a4df9a96366949b6dfaea9438f93832e911 |
| SHA256 | 5bd7ba0114631984027ea66bac708e2cd0db7879ab9e5ab60c144103f49e52d3 |
| SHA512 | 37f50682492196bdb727f09f023ceb57abd1eff831139eb4089043a4334a21f90f34d59fb5bd293dfbda62cae37e5026b95a159121276c121bf274dc47305b2f |
C:\AdobeJO\devbodloc.exe
| MD5 | ae4ba08a73e9d34d6e8e62e113e79869 |
| SHA1 | e60272d2badde279f0abb5646398df9458c9ea24 |
| SHA256 | 731d7b5cb4af36ed984d9e8b2927e555931c0fd18c2c6605d8a6f2f8a545d18e |
| SHA512 | ee9b82a76bd9efe53d113aae125f4d2dd73bb28f327c6d42582a251a5a865cf893524c72b836b84ff156feca8c3580fcff668a3e4e4529c81e6269efa049be04 |
C:\KaVBRB\optidevsys.exe
| MD5 | d433ac31da51c439b9ebd4d90414137d |
| SHA1 | 21e94d6e8188e53688fada17f05c07f50f9cc2ac |
| SHA256 | 6fc65928ce2b41724bc62ff267e2228db36113535e7bef6fdfb01eddee9403a4 |
| SHA512 | c6f533e0c88af68166352351227ab9593d875705b6f160e194048da09c12764fb4fff1dcafbfc3911e311da878d5507ce75228ae3e28efdcbb5c16d544e1bac3 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | a1bfe8e2bd0b3de9cc317a92b1b8608d |
| SHA1 | b997c7d4b32f29218507f10aa0e3a19cf809ab54 |
| SHA256 | deaf2fd0987fdbebc8136e105f99c708b499caee9cfc0a49a4c70621e2977bbe |
| SHA512 | 19d20c4e92bb77ad69b12cfe8c2f67cd185555f1b34559631624ecd0df5ec44385779080255b25cfd06de8b338fb5cad09a9f2fecbf9c11be8b903a829203619 |
C:\KaVBRB\optidevsys.exe
| MD5 | e019f4267e6400e90beb6b39faa8f88d |
| SHA1 | 231f66b5cbc54f5d55cff910d0391252155e04f9 |
| SHA256 | 60a0156fbe93450e191506bf88dfd43bdd5040b86016ab463c214bc2b63281ad |
| SHA512 | 9c58f4bd414332cf4e693c12872126d8f9fb375125c000f2228854fd1040f3c07e9abb26d880c630b7c9b3c2c68b15f8fac6523fc645f6d73356800b8e9fdff6 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-25 23:50
Reported
2024-10-25 23:52
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
103s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | C:\Users\Admin\AppData\Local\Temp\0087706ecbfb4653a71826bd6c06352e988a3c101387e1e2c92d9f329783a9b0N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| N/A | N/A | C:\FilesGB\xoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesGB\\xoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\0087706ecbfb4653a71826bd6c06352e988a3c101387e1e2c92d9f329783a9b0N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxBN\\optiasys.exe" | C:\Users\Admin\AppData\Local\Temp\0087706ecbfb4653a71826bd6c06352e988a3c101387e1e2c92d9f329783a9b0N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesGB\xoptisys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0087706ecbfb4653a71826bd6c06352e988a3c101387e1e2c92d9f329783a9b0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0087706ecbfb4653a71826bd6c06352e988a3c101387e1e2c92d9f329783a9b0N.exe
"C:\Users\Admin\AppData\Local\Temp\0087706ecbfb4653a71826bd6c06352e988a3c101387e1e2c92d9f329783a9b0N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
C:\FilesGB\xoptisys.exe
C:\FilesGB\xoptisys.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.108.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
| MD5 | c1a4487f5f7c141bdb35c8517cb6a933 |
| SHA1 | 454cc685463801dd993b40c8659d1b531a2fb52d |
| SHA256 | 3eb6e31cf1aa5d56b4ca67de37f4a0131c8be4ced48f6fcff0928954327288a3 |
| SHA512 | 91a9f91884d1702a2b097521f9a1a50b27d9bf9eab0f1de806256d316af54cb5b116cf47096759a2af39de3b93d4b64193e94b4ff695a7f88947086576ed367d |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | fb629c27097a9d1e9aa6ba647e5e72dc |
| SHA1 | 907995c5db6a62f6ae42fc0da4fc6d9e3cfcd900 |
| SHA256 | 38a4f0c9717bbadb656779038f13d4f4b325ca26b9e859c3c89470263c841de7 |
| SHA512 | a6a7246cf0b65e8520d6f9669cde333b5ef7711b308dfc007a978caebd32d5fef8a5293775bbca78f3dc87353ab78247151fd22b12335708e0e29fe74080c56e |
C:\FilesGB\xoptisys.exe
| MD5 | 11b93a518876720d738e1abade1142b2 |
| SHA1 | c97ca8326b2ea6ee239ab1e86879d484f5599ab3 |
| SHA256 | 056bc06739d13d9aa5794220c413c8354448ade3a48351c0d49a66b880350d1c |
| SHA512 | 995454d8ba9793019aeb510d626a787a4aa21ca52cb003470088454db3f01c81f4a17619d735746643a0478bf693a4f35195215b7cc98c5eabdf3b85fecbeaad |
C:\GalaxBN\optiasys.exe
| MD5 | bc6a72bf0a05aaa456c3e87c6fd44523 |
| SHA1 | da270726beac548a3dc0a55424f9f3584f03bf62 |
| SHA256 | 6297e3213c1ad611e18e2fb51ddf519a342f19acc5bde1047d7c71c923d7d36a |
| SHA512 | d1accaf7ea052288fabd09033a85c469c2b6116f37e41b70ec36a26dfecd082588b0d171d69ba4086df2047bd0506f1af3ba80346bbf6cf5f04feac05a63f212 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | b656a368f8c1a1b91248be6821b9860a |
| SHA1 | a4241127a3f734a661d683d4b6973b05f7b9c46d |
| SHA256 | 55d6aa669dd032dc0f87ba491e3b423058cbfed6678167ef00af4c9542c0bf90 |
| SHA512 | 69ffe093db058b0ba10d101748db814b1383fea4f4345ab2c37e99696a64eabd7e66078a5b15ef601214ce9e70a43fb6904bcd575b6cc9e67752eccd9910b874 |
C:\GalaxBN\optiasys.exe
| MD5 | 9a363fa839aee75084ae4d89b038e121 |
| SHA1 | 0ffa06d59daceb0eff77e74c5385be0eef4a7e42 |
| SHA256 | 1acb3b1799078e1d5066682628df70447939430e0e3fade8b116e855e520a137 |
| SHA512 | f7a9d14674afb002d2909f5e5b77781bbd78ffdf3ee63e1cf492ba929a80ad34a806dbd27968379091418f9b086b38dc1f4ef80fac466aaafe68cd93c4d5a9d4 |
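Across both detonations the sample uses the same persistence scheme (Startup-folder drop plus Run and RunOnce values named "Parametr" pointing at executables in freshly created root-level directories), but the directory names, file names and every hash differ between the Win7 and Win10 runs, and two of the dropped files are rewritten during a single run. The helper below is an added example, not part of the sandbox output: it parses the registry and file rows copied from this report and shows which indicators are stable enough to detect on (value name, key, directory placement, the `<digits>_<osver>_<user>.ini` file in the profile root) versus which are per-run noise (hashes). The root-directory allowlist and the .ini name pattern are assumptions of this example, not rules the sandbox applied.

```python
"""Triage helper for the persistence indicators in this report (added example,
not sandbox output). Sample rows are copied from the report's tables; the
root-directory allowlist and the .ini name pattern are this example's assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass

# "Adds Run key to start application" rows from behavioral1 (Win7) and
# behavioral2 (Win10). Both are ATT&CK T1547.001 (Registry Run Keys / Startup Folder).
AUTORUN_ROWS = [
    r'\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeJO\\devbodloc.exe"',
    r'\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBRB\\optidevsys.exe"',
    r'\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesGB\\xoptisys.exe"',
    r'\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxBN\\optiasys.exe"',
]

# (path, SHA256) pairs from the behavioral1 "Files" section, in report order.
FILE_RECORDS = [
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe",
     "e378279c6d2591b34b08220e445ede801474dcc4eace7b4b05c34b212de3083a"),
    (r"C:\Users\Admin\253086396416_6.1_Admin.ini",
     "5bd7ba0114631984027ea66bac708e2cd0db7879ab9e5ab60c144103f49e52d3"),
    (r"C:\AdobeJO\devbodloc.exe",
     "731d7b5cb4af36ed984d9e8b2927e555931c0fd18c2c6605d8a6f2f8a545d18e"),
    (r"C:\KaVBRB\optidevsys.exe",
     "6fc65928ce2b41724bc62ff267e2228db36113535e7bef6fdfb01eddee9403a4"),
    (r"C:\Users\Admin\253086396416_6.1_Admin.ini",
     "deaf2fd0987fdbebc8136e105f99c708b499caee9cfc0a49a4c70621e2977bbe"),
    (r"C:\KaVBRB\optidevsys.exe",
     "60a0156fbe93450e191506bf88dfd43bdd5040b86016ab463c214bc2b63281ad"),
]

# Matches the sandbox's "Set value (str)" indicator format for per-user Run/RunOnce keys.
AUTORUN_RE = re.compile(
    r'^\\REGISTRY\\USER\\(?P<sid>S-1-5-21-[\d-]+)\\'
    r'(?:Software|SOFTWARE)\\Microsoft\\Windows\\CurrentVersion\\'
    r'(?P<key>Run|RunOnce)\\(?P<name>[^\\=]+?) = "(?P<target>.*)"$'
)
# Directories that legitimately sit directly under the drive root (assumption of
# this example). An autorun target in any other root-level directory is flagged.
ROOT_ALLOWLIST = {"windows", "program files", "program files (x86)", "programdata", "users"}
# <digits>_<os version>_<user>.ini, generalised from the two names seen in the report.
INI_RE = re.compile(r"^\d+_\d+\.\d+_[^_\\]+\.ini$", re.IGNORECASE)


@dataclass(frozen=True)
class Autorun:
    sid: str
    key: str      # "Run" or "RunOnce"
    name: str     # value name, "Parametr" in every row of this report
    target: str   # unescaped path the value points at


def parse_autorun(row: str):
    """Parse one indicator row; the sandbox doubles backslashes inside the quoted value."""
    m = AUTORUN_RE.match(row)
    if not m:
        return None
    return Autorun(m["sid"], m["key"], m["name"], m["target"].replace("\\\\", "\\"))


def suspicious_root_dir(path: str) -> bool:
    """True for X:\\<dir>\\<file> where <dir> is not a standard root-level directory."""
    parts = path.split("\\")
    if len(parts) != 3 or not re.fullmatch(r"[A-Za-z]:", parts[0]):
        return False
    return parts[1].lower() not in ROOT_ALLOWLIST


def is_startup_drop(path: str) -> bool:
    return "\\Start Menu\\Programs\\Startup\\" in path and path.lower().endswith(".exe")


def is_profile_ini(path: str) -> bool:
    parts = path.split("\\")
    return len(parts) == 4 and parts[1].lower() == "users" and bool(INI_RE.match(parts[3]))


def rewritten_paths(records):
    """Paths written more than once with different content: hash IOCs for these are unstable."""
    seen = defaultdict(set)
    for path, sha256 in records:
        seen[path].add(sha256)
    return sorted(p for p, hashes in seen.items() if len(hashes) > 1)


def triage(autorun_rows, file_records):
    entries = [e for e in map(parse_autorun, autorun_rows) if e]
    paths = [p for p, _ in file_records]
    return {
        "autoruns": [e for e in entries if suspicious_root_dir(e.target)],
        "value_names": sorted({e.name for e in entries}),
        "startup_drops": sorted({p for p in paths if is_startup_drop(p)}),
        "profile_inis": sorted({p for p in paths if is_profile_ini(p)}),
        "rewritten": rewritten_paths(file_records),
    }


if __name__ == "__main__":
    for k, v in triage(AUTORUN_ROWS, FILE_RECORDS).items():
        print(k, v)
```

The practical takeaway from running this over the report: every one of the four autorun values survives the root-directory check and all four share the value name "Parametr", whereas `C:\KaVBRB\optidevsys.exe` and the profile-root .ini are each written twice with different content within one detonation, so a detection keyed on the dropped files' hashes would miss the next run while one keyed on the Run/RunOnce value name, the Startup-folder drop and the .ini naming pattern would not.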