Analysis Overview
SHA256: e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086
Threat Level: Shows suspicious behavior
The file e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Drops startup file
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-10-27 17:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-10-27 17:32
Reported: 2024-10-27 17:34
Platform: win7-20240903-en
Max time kernel: 120s
Max time network: 120s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | C:\Users\Admin\AppData\Local\Temp\e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| N/A | N/A | C:\SysDrv1Z\aoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv1Z\\aoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZPJ\\bodxsys.exe" | C:\Users\Admin\AppData\Local\Temp\e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrv1Z\aoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe
"C:\Users\Admin\AppData\Local\Temp\e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
C:\SysDrv1Z\aoptisys.exe
C:\SysDrv1Z\aoptisys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
| Hash | Value |
|---|---|
| MD5 | c9d690f958245817fc17cd778fafe548 |
| SHA1 | ba74af20f9f4022dc0a90578606326446e75293d |
| SHA256 | d535c697ebe6b3018effde9cd3af46ffd977f3ae93ba81cb950d85bb4e6dbf79 |
| SHA512 | c107226f6aa1872754d22fa628e95bf88d5e37d23c680edd5f1bf09b1c0d02ad09b281fe27cc6638e4623ed4b9c2a507a994dba730a30196e4e929efb799aea2 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | eafef88255edf1034ef40f0fb205c787 |
| SHA1 | 5c09ba9ecae0c538b55e14e6b3afde4fde4b19f7 |
| SHA256 | 37839615fcc987308f343ead0f1bc44b4f4f76741a1fba482f5a75a32c5d1b09 |
| SHA512 | cc51433f434bb509cdf90b4481f6cdcbe72c6c988ec5e4ef1fa50f94a522d99e72e48ec64af34bb8baa60bbb9e385c59ae7c190040c737ec315793b6accaa73b |
C:\SysDrv1Z\aoptisys.exe
| Hash | Value |
|---|---|
| MD5 | ed53093af7ad4a2557c4f4fc5ed7d93a |
| SHA1 | 31cd930cc1dba8792f4383a18f5765387cfad6d9 |
| SHA256 | 79cd5a6761c8c571ab38a8b8476219902782aeacd16da52efea6657d37d3b6a4 |
| SHA512 | d1106cacaccfba5cddc967869cf173192bc1e8f983813de34ce698b9a1097da7c5f112dee171e05a4200a0a290dabfe4883919afdf20707ffeec7dff4df90b34 |
C:\LabZPJ\bodxsys.exe
| Hash | Value |
|---|---|
| MD5 | 5788db80ada36df5877ffe1fd35f98c8 |
| SHA1 | 2ad7e881815315dc2593ee9e517bc814010c35e0 |
| SHA256 | 639ac3413c232d5b9ed49d0c60b829848965fcc00fb3248b2cb560663daabdd7 |
| SHA512 | 9488b286f7fd111ddbc07cf5e7f8b98dc41d6a82a43e010b8dd561d963fdb48103d9c466f3b320bcdedede24940a6c6df5e1744328452cbc5b57096e150d3eb5 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 588c93d52d10e7f16e988598105793fb |
| SHA1 | 8243c07b5605cf84d8cae76c8aaeccb741af5647 |
| SHA256 | d21cbbb425354645e578336aaa2221f67388afa162b1021f4b59ad8bd2207fd7 |
| SHA512 | 2ab6bb1827a920858ac29d820f785a355cf517256809b34f894d6052ea405972bf675687e0e30bbd653fb7bb44158ab8b1cd30420876c6a94cbf6057c2f11a53 |
C:\LabZPJ\bodxsys.exe
| Hash | Value |
|---|---|
| MD5 | 6f8bf765a9696f63019c28e09a4bd97d |
| SHA1 | 79dc16c3500b8f70a06d6773169ee17c4ee55367 |
| SHA256 | 8a9a0ebd9a6e638aec6706ae41a5e7a5d34f14048d40a36c13e8df9ff2cf8725 |
| SHA512 | ad8b16eb54af861c07a35663667f7984e49ec2ce4c64cb2484da00c040dacdbd0d9ab422ca13d479d458b6b3535a34ec9253ae99409aae8964dc0e3b387f7521 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-10-27 17:32
Reported: 2024-10-27 17:34
Platform: win10v2004-20241007-en
Max time kernel: 119s
Max time network: 103s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | C:\Users\Admin\AppData\Local\Temp\e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | N/A |
| N/A | N/A | C:\AdobeYI\adobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeYI\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxUX\\boddevsys.exe" | C:\Users\Admin\AppData\Local\Temp\e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeYI\adobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe
"C:\Users\Admin\AppData\Local\Temp\e73550aa17e1e92e03973ed7533b3f5a2cc6af807822cdd15a63be4c118a7086N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
C:\AdobeYI\adobsys.exe
C:\AdobeYI\adobsys.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
| Hash | Value |
|---|---|
| MD5 | 4149536b9227b4e02071b94770952886 |
| SHA1 | f0747b7cb9dcebfc33d3296adef5cc7fc13fcd16 |
| SHA256 | 0d792e71e221e578973ce197c73ae0de2b299be676e03ad91d65ce9552f984e1 |
| SHA512 | 11d17e20e2d8e7074be4a84e7bda0cbc8f48872f68ed36855d3ac8138c449077831691bee28a3e130c89d01fcf2199b49d6fa1a1cdf4f79e82d7f8af45f1fa75 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | ddd2b10a801d372777871bec50651938 |
| SHA1 | 01a53ae378e5598b8597fb7e7cb74de2112139ab |
| SHA256 | cd79ff5dbc003fada298a1945f2ef4ef5f116914d35fbc2a3e176cae7634bf42 |
| SHA512 | 877d5db152870802bc9a73fc6f467f6b7d766828dbec1fc0cddfedde93a5166535bdc6e71993c4a1bcb6eff66c3bd2be44820faa5131b60036f30abf3112dc2b |
C:\AdobeYI\adobsys.exe
| Hash | Value |
|---|---|
| MD5 | 3b477f47d6f8caae63a2f1c0e85f7b79 |
| SHA1 | 59740ad26bb9ebd29de1715af29c6e0317487548 |
| SHA256 | 8e142bb68730f5c875b94e32473b39e19e14f4227f4bd7f021c828cb35d3ba83 |
| SHA512 | 918f34b88392f206d1687e5b36c36dd7c1ec104584b2f9178ab7bcdc0d836d492ad73d35955bfe0d57dcbcb6e3a9f99d792e44ab725f6cb574ecce707544203a |
C:\GalaxUX\boddevsys.exe
| Hash | Value |
|---|---|
| MD5 | aebf8df897bafdbe1f72d99c04455d6a |
| SHA1 | bcd783466be3431826b1facb65fa864dc5d421aa |
| SHA256 | 7ca99160fbf28242ac1b0bed1e7943d0908b4136bd44c90c3808f7917f08889a |
| SHA512 | 8346123c8c1e4a03eb33603be70dfa40fe2b3ba07d3d322957baafd8a589f01bde554dac4bd75613e848f1ac75ce2c58c0b7450f42b9753247f77108b42e6ad2 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 35cb595ff132c2620534fe2d0f922403 |
| SHA1 | 92557fe2e37c4f4235950280de0839e24ad5efe5 |
| SHA256 | 8b01800fcd266baf75449dda633816e6394ee492e4169fd0515d80e841a81066 |
| SHA512 | f0a79fddb91f24e6ca71d8c41bd9a97bc2919f06b26c2c3368ad8dcdcdd6d1d50d1427816ff2e0fc2f62c095b2005d1305810edc15dfbc9d9f1182c4eba78bc9 |
C:\GalaxUX\boddevsys.exe
| Hash | Value |
|---|---|
| MD5 | 07e82883123d9ae3b4eecb5436022666 |
| SHA1 | dbd61f5489aa9f265ca77e722d635355454a5be4 |
| SHA256 | 8e5d401c2f1b04884c96364431b71d14505abfa208b2cca4db7f24d361979cbb |
| SHA512 | 358c24f77c4eb1a2aa5bfd2f57e3717742260192b0a74bf2108a2bb5be3c35d6da8d84094d986d4bf54d9469e534e76fb279adec99eddfe36503540e8f63d85a |