Analysis Overview
SHA256
324b9c52ffa1a693d0d0dd42a1013f255fa4d7a9b3aca6720ba4cd8e525ee9fa
Threat Level: Shows suspicious behavior
The file 324b9c52ffa1a693d0d0dd42a1013f255fa4d7a9b3aca6720ba4cd8e525ee9fa was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 21:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 21:37
Reported
2024-10-27 21:40
Platform
win7-20241023-en
Max time kernel
150s
Max time network
120s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | C:\Users\Admin\AppData\Local\Temp\324b9c52ffa1a693d0d0dd42a1013f255fa4d7a9b3aca6720ba4cd8e525ee9fa.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| N/A | N/A | C:\UserDot7V\xdobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\324b9c52ffa1a693d0d0dd42a1013f255fa4d7a9b3aca6720ba4cd8e525ee9fa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\324b9c52ffa1a693d0d0dd42a1013f255fa4d7a9b3aca6720ba4cd8e525ee9fa.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot7V\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\324b9c52ffa1a693d0d0dd42a1013f255fa4d7a9b3aca6720ba4cd8e525ee9fa.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBWT\\optidevec.exe" | C:\Users\Admin\AppData\Local\Temp\324b9c52ffa1a693d0d0dd42a1013f255fa4d7a9b3aca6720ba4cd8e525ee9fa.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\324b9c52ffa1a693d0d0dd42a1013f255fa4d7a9b3aca6720ba4cd8e525ee9fa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDot7V\xdobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\324b9c52ffa1a693d0d0dd42a1013f255fa4d7a9b3aca6720ba4cd8e525ee9fa.exe
"C:\Users\Admin\AppData\Local\Temp\324b9c52ffa1a693d0d0dd42a1013f255fa4d7a9b3aca6720ba4cd8e525ee9fa.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
C:\UserDot7V\xdobec.exe
C:\UserDot7V\xdobec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
| MD5 | 112c0bfe48e05c13a842c1d8623345f2 |
| SHA1 | 8dd10f0861e0d7c6a7f0cab54f9135d12dd03233 |
| SHA256 | f299a34947a132ef3e565ebe54a524be1b78ea6ad1db22fd4c2a3380e7f647f1 |
| SHA512 | 5d8b4978a4b29218d78bf39692af507b39ecbfff76d5d5328db12aeb44b05ae37ecb55cfe58a73e04e39560a4e5a63520bb0c0b1654284957d6132fe40a25f7d |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 2641201f4540053c8e8df465d90cb534 |
| SHA1 | 7a32bee94f7f41f362e1195ccc8a2f11e68414b0 |
| SHA256 | 2f4a6a297f306b1d47df2808fe665394d06148c58213a0174fcf0f29d6a91e77 |
| SHA512 | 1586c2a1b3e977485d4bf4c0e6c18f38a5f3527c5c22ad8f454f65d3b511f5e6da2cde99f1b10479cd2962699c6a368f8f3f742ac813aad292f46c80160d560b |
C:\UserDot7V\xdobec.exe
| MD5 | 3119a938c00ded11b16931a7bfb08c2d |
| SHA1 | 6a51a7a20ee1d7b6e638983c3437ba7a3c8be42c |
| SHA256 | f2c82320c509e516f1481b81b2433d5c5d5d65c5f4e6ca98e3cfa51af4c3bc9e |
| SHA512 | c23fbae464ce973ced08418d1ab912337ce79301ec5de2a9d88b9c94034260b6dd705f35286b49076a13fe72254fdcfb34fee5308ad564fc5a21fcf75ae42fac |
C:\KaVBWT\optidevec.exe
| MD5 | 42dab42f5167660450268fe3e373b6ae |
| SHA1 | f6a3f9a69c43637bda548ec419ab3953b1c9ea6e |
| SHA256 | 79d9207b2587df1f83af9e89c4a818e05111c9b55fe5902ceae8633473418c5a |
| SHA512 | baec8c67a07540351a488b497b6226e0253ad49679194e94b5675e4be56efa113b39c636fee651858ec1815ff6d3d475fe10a9ff9d6f90cd4c6d0ced56134113 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | ea5a0b8b70a6566d497fddde4a682267 |
| SHA1 | a31f7dc05ba7a1c75772eafd1ded14f94220164a |
| SHA256 | 5e04492d65c89e22be0a71dbe5ca9a4f9bcfb489599a74e32da4ec51c7973c53 |
| SHA512 | 819f19e8dad077ca7567f8d20fc6a964a38bb5331b8b5be9bb46fe8989e08ec86426be94af71e1499a5d1769a0286df66bf291dbfd79fa3634f1a018892b022d |
C:\KaVBWT\optidevec.exe
| MD5 | 550acb51bea514220574c2ca043d34f9 |
| SHA1 | 795aa08c11d402e8c3ad37e76cfbc08feda32b7f |
| SHA256 | 566ea23661daf6d53c6a69aa7150b5dd2c70f5d621b1cb564f1b7e3c6704ac08 |
| SHA512 | 95e0b2223554b2f55d8845ff488091b5813d7ddfa940fad070ac47f1ba590751eb10bafa0b3fabace525535056114671f5a25b752492d11a5e0bb5fcc20d0f67 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 21:37
Reported
2024-10-27 21:41
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\324b9c52ffa1a693d0d0dd42a1013f255fa4d7a9b3aca6720ba4cd8e525ee9fa.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\AdobeJX\xoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBPA\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\324b9c52ffa1a693d0d0dd42a1013f255fa4d7a9b3aca6720ba4cd8e525ee9fa.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeJX\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\324b9c52ffa1a693d0d0dd42a1013f255fa4d7a9b3aca6720ba4cd8e525ee9fa.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeJX\xoptiec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\324b9c52ffa1a693d0d0dd42a1013f255fa4d7a9b3aca6720ba4cd8e525ee9fa.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\324b9c52ffa1a693d0d0dd42a1013f255fa4d7a9b3aca6720ba4cd8e525ee9fa.exe
"C:\Users\Admin\AppData\Local\Temp\324b9c52ffa1a693d0d0dd42a1013f255fa4d7a9b3aca6720ba4cd8e525ee9fa.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
C:\AdobeJX\xoptiec.exe
C:\AdobeJX\xoptiec.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
| MD5 | 236140352f567da3456238bd58e8cfd1 |
| SHA1 | f8f79a3d511f602b9d5efc79d8f9c975087cff88 |
| SHA256 | dc29d7ffd4004a805cc6b27045332c7bcebddd0d23f0bfe0e2e5d506f1bf3500 |
| SHA512 | d0b1dd497c59a9a1991115a27cd9ba31d2e1115b2403921cf58a1a34d884ce168144a37b4b2e10ff252d58e3bb7446d90e21b0425a167614a4dd836a6dbbbd8d |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | d0233f0604378ec65f7f0a406e6b26ea |
| SHA1 | 7faef11a51b6e168580d315d465b9b86b3e0b326 |
| SHA256 | 9edbda8c9feca13176760394d77f1723e30bb94a3cbeb8d7079fd37048e76fbd |
| SHA512 | 8efca3e22bc816c19a774e6368e792960efec7d54994e3e056de935b931996df5983b855c699902239a2c5545b9601e9f08b6b3809c4607af7c5ae6cb48c9a63 |
C:\AdobeJX\xoptiec.exe
| MD5 | 5928b6cc50b60f1f03aac193de0e3c2b |
| SHA1 | 704963c11eb64e327ddfc07d724f69c09f6d4b12 |
| SHA256 | 75a743d52dd9b47c8062a9f4bcdfbc11dd423313425e2a7d1f82ccbb19f5daa1 |
| SHA512 | 9c9cc2701fa4130bc0a66603660be1f326d91c84713240a4da304cdf5e38f4978852dc5de938cf30f50562b36f2e56b91c476509322cb862e2a378c52fbe0507 |
C:\KaVBPA\optidevsys.exe
| MD5 | 7ace9d0a9503d181985bd33e5f484116 |
| SHA1 | 8c96208e12b7d9f01eec5be67a21ec05f2f6d2da |
| SHA256 | abeab2f37885da6f9a9fd75d77a48636d353d997a084f6f147ce1c8622f8d1c4 |
| SHA512 | 6a38ff055a42305ac77d9c73d2cc5578acaf705a73ec5850ca9d0247c1852ebeb1aa9da07b8419ea095620a6bfb468da0882dbbfbfd951c87a8f68378217de3c |
C:\KaVBPA\optidevsys.exe
| MD5 | 0860ba7ab87e6dbf893e728aa4621778 |
| SHA1 | 6296ec6dd59bc3b8a68b647437f788d3632c62db |
| SHA256 | dae0dd40453db7d1814b71e7428dae76ec100c87d90429cfe275f635828912b2 |
| SHA512 | 6b72d47a2829acfcf1490f689278dd8559279bed5d5c4557d0d0a5168428051f1906438558ebacac45c8aee6d3c2408cb4723e18b3d3bcc087625db5239ebaef |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 8ce93b77abf4de4ac8c5560e24ca5854 |
| SHA1 | 0c012cb180610f25f7c2f811b701ff0e66927d39 |
| SHA256 | 28d2cf8628180eb75ae591b99ffa463af86fccc0d231d59308b3815ef4f6f00d |
| SHA512 | 3c74332c0864b2afe5658bec671ae495e584ef69d53ec95b8d9af15a408eae9b063c88d46adbfb187b5ca5742e530049e476fabc1eac2251033f9adc6c4976cc |