Analysis Overview
SHA256
855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbc
Threat Level: Shows suspicious behavior
The file 855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 16:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 16:37
Reported
2024-10-27 16:40
Platform
win7-20241010-en
Max time kernel
120s
Max time network
19s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | C:\Users\Admin\AppData\Local\Temp\855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| N/A | N/A | C:\IntelprocC3\aoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocC3\\aoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBLS\\dobxec.exe" | C:\Users\Admin\AppData\Local\Temp\855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocC3\aoptisys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe
"C:\Users\Admin\AppData\Local\Temp\855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
C:\IntelprocC3\aoptisys.exe
C:\IntelprocC3\aoptisys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
| MD5 | ea9ff6ce5e937ec7db51cd811d75fe02 |
| SHA1 | ca839344255afa489f36b37d04d40fddcb70040b |
| SHA256 | 5165801607e39a7e3b3f84b110400f614eaa2622de90cc539798a861188ce65c |
| SHA512 | dc2335cc5d82b88bbb2170b8e5cd49de094cabb11bec84e56428b0b135155b44138faf2dc1df516c107db5799061003ebf86abfc26d6f8b6fa3ae0d83826d5c9 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 5c45561aafeed9d102057ff1eaa71204 |
| SHA1 | 0504ddf5770340c411c47eb950918102cd6a7bb2 |
| SHA256 | e1685284d4f6a26f72fd86358225398be8938b49f6eaf6ae09d8901c4c1689f3 |
| SHA512 | 2d955ba406708f81bd3f9aae74535df256648f6e39820a4c945f6a0fc2d0e51e9b275cf3ba57a57886d515fedc8c52290567ee6aa6b0c514f22aadab338e727b |
C:\IntelprocC3\aoptisys.exe
| MD5 | 331e23406f1e0a6b7953ee820c5347cc |
| SHA1 | aed20833d129eedaa1ea57146894937875b3fe17 |
| SHA256 | 89f05efdff8a4bfa6308686804b41e1688d185796370df4800fdf3d68ed58430 |
| SHA512 | 93aafe1886edecfe4384139c9081343e394724e64a0179a343258888b32d69ccb742e994f46a4af632315cefa9327be610a5589472e14ea4672a6230b28dca9c |
C:\KaVBLS\dobxec.exe
| MD5 | e065cfacb9ce96e72181f3d3c098c649 |
| SHA1 | 233c392fc02824104567d3574167b5103bc78f48 |
| SHA256 | 0dda325d7359c97bee32c9aba78a9f896e73a170dad600451b0167aea077c1cc |
| SHA512 | 63a95ac78083313eaf995e3073b1d76dfa1a9838d4bfdcc834ba03358b2b841e9e640fded058ae6efcc9d31692d5aef1afd1dccc3354975410c04b90c21d4a1c |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | d65abb649d8b4eaf5b54674c20ae74ba |
| SHA1 | deeb6e66b960834d4631e3f39d3f0ab52d06229c |
| SHA256 | 496c7afe025e43f79b3b986c02962c3da212bf7ff180971c53054dcbf2da941e |
| SHA512 | 535e1f8a0394e58ef84691d9f1e0ff35d694caa6879ea188412622e519259bd639189c4681154528448ddb77f1ba12af2b305e5b6a43702d7c24e3e75885e27a |
C:\KaVBLS\dobxec.exe
| MD5 | fc3f560ba33de3dde98fec3d148ad456 |
| SHA1 | 583f98f88865af58a7c91182c77a04aaf3504d68 |
| SHA256 | 080e04dc80c52bb33f7ccbffe0422838f6fef169a313553be025e784c98d2c02 |
| SHA512 | fb7938d634f2eb9dec407684f26e7b7104c5576f583476496fca8a3f761d4c458f405124448c41f32522bb0744667b7a72bd5f065fe21343639f0d8744afc982 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 16:37
Reported
2024-10-27 16:43
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
111s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | C:\Users\Admin\AppData\Local\Temp\855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| N/A | N/A | C:\AdobeVV\xoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeVV\\xoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZGQ\\optiasys.exe" | C:\Users\Admin\AppData\Local\Temp\855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeVV\xoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe
"C:\Users\Admin\AppData\Local\Temp\855a66ca6f7b38fa88003f93646f4eb50dfbdc7817125aec346c40d8da95acbcN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
C:\AdobeVV\xoptiloc.exe
C:\AdobeVV\xoptiloc.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
| MD5 | 6bb29155239750101fad4ff8c09190c2 |
| SHA1 | 57dce6e588e17f6cb0d1f8d9eb125465f01999cc |
| SHA256 | 2ff8e50905654ba1bb780d1f0823ce0135bdcc475d199b030e7476dad6b80f91 |
| SHA512 | ac0465f62a6ea293457bffe969d87d36a7d0e5b6468f3379ffed7f1ab8ecc34fd1ed226d430849b873db029a471362ca928731254f70456467a1f39807ab3eb9 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 6fd3c3ca20ff86d72f20e5d57f204f8a |
| SHA1 | e259f4cc5950fdf3ad3f36dffd1fe1fa56b75f0b |
| SHA256 | 904ef58f6e1aaea782a3d572333e175ebd11b17325c426c215ef50467bf09df3 |
| SHA512 | 17cc3ae1ecaf1fbb8d2f3e73fe8d2a795510f2ea392043768173196072cd2dde02f1954e2e92c33588bf8bd51398bef2e8f1e9c4eb6dd1fc62f18099d05b51e8 |
C:\AdobeVV\xoptiloc.exe
| MD5 | 676d3088e61c3a3c5cc184fc80eb28ff |
| SHA1 | 711808a61c7b5b7876cdc19054f195fd01eff33e |
| SHA256 | 5768245f669621acba07dcc230394ddd787888835f1965472bed1e012cd0a5b9 |
| SHA512 | 06f8904ce16dd6b26d012a5a957e51ff789be2bd599de99e8e5bc12ad6c54e37887ebe84546d4f3b53af31ca0f7d6938130c115b7bfd6b90ea66d3f580b13023 |
C:\LabZGQ\optiasys.exe
| MD5 | e585c9db4ade290867d9f5d8153553a8 |
| SHA1 | 2f26d4084f98f975cd5d2bc86f8f25624ee09795 |
| SHA256 | 0389692e9e5230a3f5056524ca863e733120ee442b08c3cc34142fbeba77e05c |
| SHA512 | 75f5dba59223d0fdf2fcb16e9f4f4b95f5d94b4c21a97a3a45724a26215b4f27bf8b7871008db2c211759166251eb5566786d4c65de56033ac08df54214ec9ad |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 164fa383cff100fe7de01774c06c39ed |
| SHA1 | 8af7c13fbe2475af1fb7c9f77da7f0c84e34b380 |
| SHA256 | f0d5494d92b01cf54fe9207409185349f63e75f7a6c7f046bf2e4c3471b58c3d |
| SHA512 | 57b8baad142146d6d106584757e0de421b75b45f7315e599a2e9a829c29fb8e0b1631c6c4378fef1abfd19d35dae29251f6cef62d4977d4720def0c3dfaff5b4 |
C:\LabZGQ\optiasys.exe
| MD5 | 54888a51746778785649f8e54c1bc3ae |
| SHA1 | 8905646a7cb16b4627320e07cad6f1c9ce2babd6 |
| SHA256 | 9197df6fcbeb7c9d2e921fc66200c25cafc9f8b5c309a2ee5fad9fe96fb16eeb |
| SHA512 | 19578794f2aeb7bdc8c97147d9333ab16781ea3be954aa67ec80d6afe9c82232cffe06dbe30234ac2b89ede93ac434565a38dc030a88e90f7ecb3cf9a117d0d6 |