Analysis Overview
| SHA256 | fb9c73c5d5193db732f634a227e33c2ea059997c7004e786f71f560de74a522d |
Threat Level: Shows suspicious behavior
The file fb9c73c5d5193db732f634a227e33c2ea059997c7004e786f71f560de74a522dN was classified as "Shows suspicious behavior".
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Reported | 2024-10-26 00:32 |
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-10-26 00:32 |
| Reported | 2024-10-26 00:34 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 119s |
| Max time network | 108s |
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | C:\Users\Admin\AppData\Local\Temp\fb9c73c5d5193db732f634a227e33c2ea059997c7004e786f71f560de74a522dN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| N/A | N/A | C:\UserDotY2\xoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotY2\\xoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\fb9c73c5d5193db732f634a227e33c2ea059997c7004e786f71f560de74a522dN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB8J\\optiaec.exe" | C:\Users\Admin\AppData\Local\Temp\fb9c73c5d5193db732f634a227e33c2ea059997c7004e786f71f560de74a522dN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fb9c73c5d5193db732f634a227e33c2ea059997c7004e786f71f560de74a522dN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotY2\xoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fb9c73c5d5193db732f634a227e33c2ea059997c7004e786f71f560de74a522dN.exe
"C:\Users\Admin\AppData\Local\Temp\fb9c73c5d5193db732f634a227e33c2ea059997c7004e786f71f560de74a522dN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
C:\UserDotY2\xoptiloc.exe
C:\UserDotY2\xoptiloc.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\UserDotY2\xoptiloc.exe
C:\KaVB8J\optiaec.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\KaVB8J\optiaec.exe
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-10-26 00:32 |
| Reported | 2024-10-26 00:34 |
| Platform | win7-20240903-en |
| Max time kernel | 119s |
| Max time network | 17s |
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\fb9c73c5d5193db732f634a227e33c2ea059997c7004e786f71f560de74a522dN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\SysDrv0S\xoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fb9c73c5d5193db732f634a227e33c2ea059997c7004e786f71f560de74a522dN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fb9c73c5d5193db732f634a227e33c2ea059997c7004e786f71f560de74a522dN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv0S\\xoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\fb9c73c5d5193db732f634a227e33c2ea059997c7004e786f71f560de74a522dN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid4W\\dobxec.exe" | C:\Users\Admin\AppData\Local\Temp\fb9c73c5d5193db732f634a227e33c2ea059997c7004e786f71f560de74a522dN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fb9c73c5d5193db732f634a227e33c2ea059997c7004e786f71f560de74a522dN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrv0S\xoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fb9c73c5d5193db732f634a227e33c2ea059997c7004e786f71f560de74a522dN.exe
"C:\Users\Admin\AppData\Local\Temp\fb9c73c5d5193db732f634a227e33c2ea059997c7004e786f71f560de74a522dN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
C:\SysDrv0S\xoptisys.exe
C:\SysDrv0S\xoptisys.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\SysDrv0S\xoptisys.exe
C:\Vid4W\dobxec.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\Vid4W\dobxec.exe