Analysis Overview
SHA256
618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0cee
Threat Level: Shows suspicious behavior
The file 618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-25 21:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-25 21:03
Reported
2024-10-25 21:05
Platform
win7-20240903-en
Max time kernel
120s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | C:\Users\Admin\AppData\Local\Temp\618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| N/A | N/A | C:\FilesFQ\aoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesFQ\\aoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZIG\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesFQ\aoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe
"C:\Users\Admin\AppData\Local\Temp\618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
C:\FilesFQ\aoptisys.exe
C:\FilesFQ\aoptisys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
| MD5 | d5ad9b4b7bc6e189d02eb26961d70243 |
| SHA1 | 7bd32e8ce0888f243e42b296cd0062bd5a98e7bc |
| SHA256 | 4a57fcc9b2158ca35e7c76c08ff8095d11ee9ab23f4562073b709eeb5b9784fc |
| SHA512 | 64cf1334a8b98ba3332e61b0c8b5898dcfc2878e14f0b91658e031efebd53492a65574c5f631aaddb5a7a3a2a74e088ce411dac67986a6e86981bf63112ea6e6 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | cedfe78d9060f90e9026ab36bee01d66 |
| SHA1 | 5e721a36585250980602b6d635058aa7a1873f19 |
| SHA256 | 8af86d6afa0509bbf23bb25c64664f0907a71af247bb68dcdba58a2e16208bb9 |
| SHA512 | 668ab55028c47c61ceb441f673eb731c0cb2538e34fea62156e958770c5061c688ba44c0523d936a8308bab637075d4331191621d332512d2ce57e2e9320d90f |
C:\FilesFQ\aoptisys.exe
| MD5 | bcd1603bae8c525072a48b859b09243a |
| SHA1 | 66251caf8c43c2692e5ea18d32e78dc57cc347f5 |
| SHA256 | 6190a418c908778e98a5e94f361fa675266f67ea4b6cc5245af3986ee4bb4aa1 |
| SHA512 | d6e90c5a3ea825479fd8ecf4c042bc6a3ba476fe9eb1e1c773688282e3cb32ab9927d7795ba68eb464f5943de5cde9c569ed673f3358f1bc934d438cf9403024 |
C:\LabZIG\bodasys.exe
| MD5 | 6e0372fe85c74e911b5e15b4502c6916 |
| SHA1 | d16cd52c38301c7b423ffe3b9e4d85669aa04705 |
| SHA256 | 7d0ccb0f34193316f3f0e3774cc9e253090a60155db2b5d8539bdf62a808e293 |
| SHA512 | 1dd89567778107a0bfe6504434045adf56adf6af6c290bff9a38464ae15aa69b2be629f8bf876adadd40582e4138b0b8e3c0a3b96a930105f2b9a8ae2b9feb53 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 5da4702dab34cdb5584cc8157d7cc72d |
| SHA1 | 170465417fb4d989eee32bd9b7d30b0be836adf6 |
| SHA256 | 05fea5f93fef3366218eacfe1574daa937413261fac2cf63e3bd038b343d21c2 |
| SHA512 | 12d7a9531e25b10d3c0c3ebc5543d9a817e6838874186fe8073ae73daefc66fdc4f7d47861449674259c8ca8d8d4984dd4badcc8257f589c4f32505165199010 |
C:\LabZIG\bodasys.exe
| MD5 | 02a68bc7443c0cddee73b388f31c5dfc |
| SHA1 | 3e791b36457202b6fe4fd0a0fe69a86133a491c5 |
| SHA256 | 93e3fbec605c9013792a61e8c3966b08f70f403ef9cda6f06a530c3c0fade696 |
| SHA512 | a725766449546b045a10fd0d00e54049b9464de3fd7c94243ce8f0132ee2be8fa79abed8ee48c3d0aef02d9c8b00af1571c68704c3c7f5bcb3a1a4ee6b34be66 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-25 21:03
Reported
2024-10-25 21:05
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | C:\Users\Admin\AppData\Local\Temp\618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| N/A | N/A | C:\UserDotAN\xoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotAN\\xoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB7R\\optialoc.exe" | C:\Users\Admin\AppData\Local\Temp\618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotAN\xoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe
"C:\Users\Admin\AppData\Local\Temp\618c00da043ace75dc3a1f396b9cbee36e3383ddf20eb219d0afb674cb1f0ceeN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
C:\UserDotAN\xoptisys.exe
C:\UserDotAN\xoptisys.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.108.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
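The persistence rows above (a Run value and a RunOnce value both named "Parametr", in both detonations, plus an executable dropped into the user's Startup folder) and the reverse-DNS table are the parts of this report an analyst normalizes first. The Python script below is an added example and is not part of the sandbox report or of the sample: it parses indicator strings in the format the signature tables use, maps the autostart entries to ATT&CK T1547.001 (Registry Run Keys / Startup Folder), flags payloads that live in a non-standard top-level directory, and turns the in-addr.arpa names back into IP addresses. The sample inputs are copied from the tables above except for one constructed non-autostart registry line; the function, class and field names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input copied from the signature rows of both detonations.
# The last registry line is made up (not from the report) to show that a
# non-autostart SetValue under CurrentVersion is ignored.
REGISTRY_SET_VALUES = [
    r'\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesFQ\\aoptisys.exe"',
    r'\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZIG\\bodasys.exe"',
    r'\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotAN\\xoptisys.exe"',
    r'\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB7R\\optialoc.exe"',
    r'\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "1"',
]
FILE_CREATES = [
    r'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe',
    r'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe',
    r'C:\Users\Admin\253086396416_10.0_Admin.ini',   # written by the sample but not an autostart
]
PTR_QUERIES = [
    '140.32.126.40.in-addr.arpa', '172.214.232.199.in-addr.arpa',
    '95.221.229.192.in-addr.arpa', '104.219.191.52.in-addr.arpa',
    '200.163.202.172.in-addr.arpa', '171.39.242.20.in-addr.arpa',
    '197.87.175.4.in-addr.arpa', '72.209.201.84.in-addr.arpa',
    '226.108.222.173.in-addr.arpa', '205.47.74.20.in-addr.arpa',
    '22.236.111.52.in-addr.arpa',
]

# "\REGISTRY\USER\<SID>\...\CurrentVersion\Run\<name> = "<data>"" as the report prints it.
# The SID group is optional so the same pattern covers \REGISTRY\MACHINE\SOFTWARE\... (HKLM).
RUN_KEY_RE = re.compile(
    r'^\\REGISTRY\\(?P<hive>USER|MACHINE)\\'
    r'(?:(?P<sid>S-1-5-[\d-]+)\\)?'
    r'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)'
    r'\\(?P<name>[^\\=]+?)\s*=\s*"(?P<data>.*)"$',
    re.IGNORECASE,
)
STARTUP_FOLDER_RE = re.compile(r'\\Start Menu\\Programs\\Startup\\[^\\]+$', re.IGNORECASE)
PTR_RE = re.compile(r'^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$', re.IGNORECASE)
KNOWN_ROOT_DIRS = {'windows', 'program files', 'program files (x86)', 'programdata', 'users'}


@dataclass
class PersistenceIOC:
    technique: str                      # ATT&CK sub-technique ID
    mechanism: str                      # "Run", "RunOnce" or "StartupFolder"
    location: str                       # registry key or folder that holds the entry
    payload: str                        # executable that will be launched at logon
    value_name: Optional[str] = None    # registry value name (None for Startup folder)
    sid: Optional[str] = None           # user SID from the HKU path, if any


def unusual_root_dir(path: str) -> bool:
    """True for payloads like C:\\FilesFQ\\x.exe: a directory created directly under the drive root."""
    parts = path.split('\\')
    return len(parts) >= 3 and parts[0].endswith(':') and parts[1].lower() not in KNOWN_ROOT_DIRS


def ptr_to_ip(name: str) -> Optional[str]:
    """Reverse an in-addr.arpa PTR name back into dotted-quad form, or None if it is not one."""
    m = PTR_RE.match(name)
    if not m:
        return None
    octets = [int(o) for o in m.groups()]
    if any(o > 255 for o in octets):
        return None
    return '.'.join(str(o) for o in reversed(octets))


def extract_persistence(registry_lines: List[str], file_creates: List[str]) -> List[PersistenceIOC]:
    """Collect Run/RunOnce values and Startup-folder drops; both are T1547.001."""
    iocs: List[PersistenceIOC] = []
    for line in registry_lines:
        m = RUN_KEY_RE.match(line)
        if not m:
            continue                                    # not an autostart key
        mechanism = {'run': 'Run', 'runonce': 'RunOnce'}[m.group('key').lower()]
        payload = m.group('data').replace('\\\\', '\\')  # the report doubles backslashes in data
        iocs.append(PersistenceIOC('T1547.001', mechanism, line[:m.end('key')],
                                   payload, m.group('name'), m.group('sid')))
    for path in file_creates:
        if STARTUP_FOLDER_RE.search(path):
            iocs.append(PersistenceIOC('T1547.001', 'StartupFolder', path.rsplit('\\', 1)[0], path))
    return iocs


def triage(registry_lines: List[str], file_creates: List[str], dns_names: List[str]) -> dict:
    """Return the persistence IOCs and the IPs behind the reverse-DNS queries."""
    return {
        'persistence': extract_persistence(registry_lines, file_creates),
        'ptr_ips': [ip for ip in (ptr_to_ip(n) for n in dns_names) if ip],
    }


if __name__ == '__main__':
    result = triage(REGISTRY_SET_VALUES, FILE_CREATES, PTR_QUERIES)
    for ioc in result['persistence']:
        print(f"{ioc.technique} {ioc.mechanism:13} {ioc.payload}  unusual_dir={unusual_root_dir(ioc.payload)}")
    print('reverse-lookup targets:', ', '.join(result['ptr_ips']))
```

Two things the output makes obvious when hunting for this sample elsewhere: the dropped file names and the top-level directories differ between the two detonations (sysdevbod.exe/FilesFQ/LabZIG against ecxopti.exe/UserDotAN/KaVB7R), and the Files section lists the same paths with two different hashes each, so file names and hashes are weak indicators; the constant part is the pair of Run and RunOnce values named "Parametr" pointing at executables in a freshly created directory under the drive root, plus a copy in the user's Startup folder. The Network table contains only PTR queries sent to 8.8.8.8; decoding them gives addresses to pivot on, but nothing on this page shows the sample itself connecting to those hosts.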
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
| MD5 | cb878078b21f1fd0de9d2894d931049b |
| SHA1 | 288a75c82e8639ddedb88367f6220e51897e3750 |
| SHA256 | a8035ed32a9851c3daddef20d6117b9d195020c370ba4520cf73879f05cab8d6 |
| SHA512 | 9636a681574911cbd871c660b12c65320b63218b07299fddc4f94decc6bb61db2ac29b88ca657d461ce0a1609487d376f8689b9a2e435c93a46faf83bad5c21d |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 690222265851bcdc6e37806892ff5067 |
| SHA1 | 3af3bb007f117ddd3b78a41139ccc67ee3e5e920 |
| SHA256 | b86603b68ac91ceee63f099942f1b84c82f7f903dafd8e47a49c9dd7dbac8ef5 |
| SHA512 | aa5f1869ec952a1e2cdc972bc3b116394dfd4ef9ef0034c0b17c49bd21c1a35165b857a082266dfeb10122e292c1146a9dc43f4111f506f6eb302030de832e00 |
C:\UserDotAN\xoptisys.exe
| MD5 | 0c53f1b85de1701f3428a7637c39d5e0 |
| SHA1 | cf4aa23711763d53e6ef56fdcf5e8ae83456cadd |
| SHA256 | 808a886c3a350b7416c102d6a213ef6983fdb2c78e1599b2055bb0cceb5628b5 |
| SHA512 | 30e94f0c1b006ce7bf437be7aa28c6b08a4eea724f1f5ad903893edc0ff077a4347da3710e49ae9e7e08ab35995c30f035e7c0868fa4153ef08caa2bb48825a2 |
C:\KaVB7R\optialoc.exe
| MD5 | 884f40695dd45f26c5aeddbf4a3c052d |
| SHA1 | a6751b783a6ac8739325b863f6c7843b883539cf |
| SHA256 | 054bf27eff014ad4b952a50cd53fd6a5ec9ffb49ecb8f8c372633f4d008bb450 |
| SHA512 | 659b493d1da230610a88de2938f2b73251df604f8e9f9840b51c5c9df040fe66b3cb786a5730715501f3cf044a331a213543645e95a70d1bb3015d3b3baa54d7 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 54a4672e73477409a092df5ed582968a |
| SHA1 | 8e885ed6ae5df5041ed0df5ce81d66f87ad7c8b5 |
| SHA256 | 9642e240767d603d56816dea2943e7ecf4ded98891b50512001ae8c23050f58d |
| SHA512 | 5ff2152070d17cac4ecb5d43b5330f140edddefadbdfcca9f1cfee97adec7a3d8d389ae17779ad51014373955aa2d9b7e3c88571d3c615d55fb8eec546994fe6 |
C:\KaVB7R\optialoc.exe
| MD5 | 010abc54ad22b0097656874fb22a7154 |
| SHA1 | 45bdf3c1248bfa8c3561f645584b422b09487bfd |
| SHA256 | 705f76c68555180f761c8c851afc45b406822827d7f5552bd4b1e0d0b4814633 |
| SHA512 | fa5324f35df376fc039ce4e3f804a6f788d3702b680d932e1c53d240d96195a223dda954f583c38f94a775656386606d2c16788dd30a1aaf3eae959c47311545 |