Analysis Overview
SHA256
479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25
Threat Level: Shows suspicious behavior
The file 479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25 was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 22:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 22:41
Reported
2024-10-27 22:55
Platform
win7-20240903-en
Max time kernel
149s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | C:\Users\Admin\AppData\Local\Temp\479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| N/A | N/A | C:\Adobe4B\devoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe4B\\devoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxQF\\optidevloc.exe" | C:\Users\Admin\AppData\Local\Temp\479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Adobe4B\devoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe
"C:\Users\Admin\AppData\Local\Temp\479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
C:\Adobe4B\devoptisys.exe
C:\Adobe4B\devoptisys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
| MD5 | 787397178b2f56995e45778a5954f4ea |
| SHA1 | 385d61038a10f2c2ccecee73c00c8ac8e149d3de |
| SHA256 | e380324c51400ff27ad8f23fd5efbbca8b58b55f7f07b1f696412a881a0022e9 |
| SHA512 | ae45201522929308bae4487dc4357e72a39f2b14f521d3be80d993380fb8f5a590d58f58e74b765884b308e1b8f10336d04f100e1333fd7423341ce23a2a0e2d |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | a59372e5223fef88832a9f2e239e9918 |
| SHA1 | ebdfdfd57153aa68c236a69819fc7003835ff093 |
| SHA256 | 05e03bf3f3072ad2c0ebd7b32b2cd1baf905f50becef61f10ac8ffab92200352 |
| SHA512 | 9f695fbfb619a3312b9590327fe926c7674ebba3efab1bb2c7f2b5cb2a894e4ff976568fd5b52cfeb6a2b3f0e6ad01c3a7b9ca47f29d109d33fa7a777adcd49b |
C:\Adobe4B\devoptisys.exe
| MD5 | 765d7fd38dae4b678e9739774dccd5a9 |
| SHA1 | 7927957224b1808bb95ae61a376e4290f5c51542 |
| SHA256 | 49979c354bfb76982060d8a08bb6dcc2b770a0a4557b75ba13a23d5fd86a827a |
| SHA512 | cbca945d7495050880a97f9312780501c2c5c1fb1044ebe6f004291f0dfdd6977fbb2ce4c821b45c45880a27d718ca74116dd8d3e64c7d7e8e9d5471e9516c15 |
C:\GalaxQF\optidevloc.exe
| MD5 | 2ade6bcb611e62bd919afe5dd7b189fc |
| SHA1 | 1deb37d54da074be0643079627c7c01dc59647aa |
| SHA256 | ec30b070b09169a1284f775dae13e998864c6f97e4f3c4c41616996611d34973 |
| SHA512 | fc2de3e405e967dac49e27dfcaa84fbf1eb56ffad997cbe97c1f9e686fa2b6de1823b7809310d225a227d96acf90796d9faa864fd847c8af71fecf9b3b59b923 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 422eca694fe480ab695db9bc9aa0e206 |
| SHA1 | 8d551359f5a9b355f67524754463c155531a3ca5 |
| SHA256 | b8ccebadaeae7789abd667117e20c054724d087a330c0d4d719546b1aa5b01df |
| SHA512 | fa5e91dbc0f297773a2863d2de470919978ae0e25292a363c4164924d77177a85d609675c54acc62adc822a06db33ef201f7c69d476b1a053f20a51955f04ccb |
C:\GalaxQF\optidevloc.exe
| MD5 | c82b9d4b89c813e26710d004d0beb780 |
| SHA1 | 6af8e77a166876419e46641c197a7ed61a7ffc06 |
| SHA256 | fba6a53910b1afef0b8f8963676bb75edfb1559d167225d473eb42abef957355 |
| SHA512 | e4b12f804818a82198adb388ef69722f1d0f96c8fe4e4b4bd7c86b91ad4f8031cdc2d7cd0853a73f03740e58d0a46ace851e4c807a46e8da4e8e03b6d6de01c1 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 22:41
Reported
2024-10-27 22:53
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | C:\Users\Admin\AppData\Local\Temp\479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| N/A | N/A | C:\IntelprocSI\xoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocSI\\xoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidPY\\boddevsys.exe" | C:\Users\Admin\AppData\Local\Temp\479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocSI\xoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe
"C:\Users\Admin\AppData\Local\Temp\479ebbf378a872ce739b8da7ca380f1dce05ba39ee594edaee8c4fa6d2f00e25.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
C:\IntelprocSI\xoptiloc.exe
C:\IntelprocSI\xoptiloc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
| MD5 | c85347494c2cd0d80f42176ca20f0988 |
| SHA1 | 6f2c23879877867e1755a02cfbe9cb6403abba18 |
| SHA256 | 54c8a0e6c982c187123fefb5416b6c7e94203df41030cf536d86ef365ec00a0d |
| SHA512 | 48fbe6e294fbb698aeb2ba6d6f5787c574840deba57823db45bc66527be0dcc8c268ffce1612a45ba4776d2ece9db6226f1f0fc8ad0c994b30e8e349b611718c |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 810954374509b7f03e8f521aa4f8a234 |
| SHA1 | ff83e8660286e2e511dc991922b473a8e535a5f2 |
| SHA256 | 359c57240bcbcbf18e82fcfd728cadb4b0ed047770181159fe154d1227f6a246 |
| SHA512 | 3806e4c347af4f8ee1b9c8e09d71f6a99d8018417c459ff9bf466ce97adc05caee1f4d911569c52cf506fbb2090a98b611277e79a1e9a18a636cb9cd869358e2 |
C:\IntelprocSI\xoptiloc.exe
| MD5 | b56f9d07f4c9fb3754ddf88108663214 |
| SHA1 | 360e04f68ba5da5cbe38954dd6cb56f1554f3fde |
| SHA256 | 0670f68791e51281df887008d31e211a8d4ac71533b6e6955e4816ab651ac12e |
| SHA512 | b8f01b363afd87072a63a30ddf3a11685fbd1cdece93fa96f22f7a2cd59246e292161fa178841d3303c9e3f70f02ebaeabe09858e06d44ffdd9e187482f68b71 |
C:\VidPY\boddevsys.exe
| MD5 | 77d29b019f71378b15caf2f7c745cc54 |
| SHA1 | 45d2a146ba50366c7816d449fce2484861a1e1cc |
| SHA256 | e21be902820b19c0c4de53cd2d3702aae766faf51501d8bd7aae2a8fad63e7aa |
| SHA512 | 552ac2f96f94cea1e1ea6a429f525148d8404b51203cb2c4fd5f44e01dd00d85a6015379bbd37df2c309230bf5fbf8ca77b2f43024d8b77da93b8667047805e2 |
C:\IntelprocSI\xoptiloc.exe
| MD5 | e4eb3841ba70669aa886724e21e02e3f |
| SHA1 | 056b186437d71f6510b86269d66de26d5cb052cf |
| SHA256 | fa4323e524d334ac1c942e62dcf13d44648eed98b28730b57164f26379dee77c |
| SHA512 | 39d29c4af26d7b4a50b3cb4b790436e56b932f449d84abee7ae13da5ac5b1ab3c5e77d99ed9cb8dc3f11204ce24db96434a8a8349888688644ea586b40706bc8 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 38c20db17c1abae201930452dc5dabb7 |
| SHA1 | c754b208ed9faaba01e0dd147648123000fe8016 |
| SHA256 | 95bd2ed2a0bb1138b66fe44340fd0b0e0a6eae7bd5011e178958992c2d11fb1d |
| SHA512 | a272ae6c270e75d24e670c84e5d1f0311231bc2d5b73ecbdb60093a1b53d5e24e1a5220aaf90320502ce9d9519c93cfbbbe2e98f9c4c484c3f65e18443878773 |
C:\VidPY\boddevsys.exe
| MD5 | c63848866215c225285289a4cb925349 |
| SHA1 | bd26bbc7d160701fcf45dee8dc11b80cd9186713 |
| SHA256 | 8992a1157d52cb4f87d8ee6b7998c43073ee7110f2f281aca02c7acc65079e56 |
| SHA512 | 80389b91ac41fc1310549fb5d55adc501cfa75f518c4de240687cae09dacfec5fa590fdf2657c214a5b7bd3088754692240eb4e02d879a8b7ca748c486391f74 |