Analysis Overview
SHA256
32df7b47cd8d0b2cb4afd1381f964d04976f89b51762bca1b386297558746253
Threat Level: Shows suspicious behavior
The file 32df7b47cd8d0b2cb4afd1381f964d04976f89b51762bca1b386297558746253 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 21:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 21:38
Reported
2024-10-27 21:41
Platform
win7-20241010-en
Max time kernel
149s
Max time network
127s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\32df7b47cd8d0b2cb4afd1381f964d04976f89b51762bca1b386297558746253.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\UserDotBF\adobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\32df7b47cd8d0b2cb4afd1381f964d04976f89b51762bca1b386297558746253.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\32df7b47cd8d0b2cb4afd1381f964d04976f89b51762bca1b386297558746253.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotBF\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\32df7b47cd8d0b2cb4afd1381f964d04976f89b51762bca1b386297558746253.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxH5\\optiasys.exe" | C:\Users\Admin\AppData\Local\Temp\32df7b47cd8d0b2cb4afd1381f964d04976f89b51762bca1b386297558746253.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\32df7b47cd8d0b2cb4afd1381f964d04976f89b51762bca1b386297558746253.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotBF\adobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\32df7b47cd8d0b2cb4afd1381f964d04976f89b51762bca1b386297558746253.exe
"C:\Users\Admin\AppData\Local\Temp\32df7b47cd8d0b2cb4afd1381f964d04976f89b51762bca1b386297558746253.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
C:\UserDotBF\adobloc.exe
C:\UserDotBF\adobloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\UserDotBF\adobloc.exe
C:\GalaxH5\optiasys.exe
\UserDotBF\adobloc.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\GalaxH5\optiasys.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 21:38
Reported
2024-10-27 21:42
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | C:\Users\Admin\AppData\Local\Temp\32df7b47cd8d0b2cb4afd1381f964d04976f89b51762bca1b386297558746253.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| N/A | N/A | C:\Adobe9D\xbodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidPE\\optiasys.exe" | C:\Users\Admin\AppData\Local\Temp\32df7b47cd8d0b2cb4afd1381f964d04976f89b51762bca1b386297558746253.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe9D\\xbodec.exe" | C:\Users\Admin\AppData\Local\Temp\32df7b47cd8d0b2cb4afd1381f964d04976f89b51762bca1b386297558746253.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Adobe9D\xbodec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\32df7b47cd8d0b2cb4afd1381f964d04976f89b51762bca1b386297558746253.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\32df7b47cd8d0b2cb4afd1381f964d04976f89b51762bca1b386297558746253.exe
"C:\Users\Admin\AppData\Local\Temp\32df7b47cd8d0b2cb4afd1381f964d04976f89b51762bca1b386297558746253.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
C:\Adobe9D\xbodec.exe
C:\Adobe9D\xbodec.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\Adobe9D\xbodec.exe
C:\VidPE\optiasys.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\VidPE\optiasys.exe