Analysis Overview
SHA256
2a7cd2fa7d3d3c9f900fbe80b15757992f66a73ebd04bbafe82136d45eda03ed
Threat Level: Shows suspicious behavior
The file 2a7cd2fa7d3d3c9f900fbe80b15757992f66a73ebd04bbafe82136d45eda03ed was classified as showing suspicious behavior.
Malicious Activity Summary
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 21:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 21:13
Reported
2024-10-27 21:17
Platform
win7-20240903-en
Max time kernel
150s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | C:\Users\Admin\AppData\Local\Temp\2a7cd2fa7d3d3c9f900fbe80b15757992f66a73ebd04bbafe82136d45eda03ed.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| N/A | N/A | C:\SysDrv7V\xoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2a7cd2fa7d3d3c9f900fbe80b15757992f66a73ebd04bbafe82136d45eda03ed.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2a7cd2fa7d3d3c9f900fbe80b15757992f66a73ebd04bbafe82136d45eda03ed.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintY4\\optiasys.exe" | C:\Users\Admin\AppData\Local\Temp\2a7cd2fa7d3d3c9f900fbe80b15757992f66a73ebd04bbafe82136d45eda03ed.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv7V\\xoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\2a7cd2fa7d3d3c9f900fbe80b15757992f66a73ebd04bbafe82136d45eda03ed.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrv7V\xoptisys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2a7cd2fa7d3d3c9f900fbe80b15757992f66a73ebd04bbafe82136d45eda03ed.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2a7cd2fa7d3d3c9f900fbe80b15757992f66a73ebd04bbafe82136d45eda03ed.exe
"C:\Users\Admin\AppData\Local\Temp\2a7cd2fa7d3d3c9f900fbe80b15757992f66a73ebd04bbafe82136d45eda03ed.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
C:\SysDrv7V\xoptisys.exe
C:\SysDrv7V\xoptisys.exe
Network
No network traffic was recorded in this detonation during the 118s network window.
Files
The same path can appear more than once with different hashes; each entry records a distinct version of the file observed during the run.
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
| MD5 | 5f5aefbbc48094bebdc4b8dce2347617 |
| SHA1 | a6e8ee18bf3e0a10a0a7ab08f1a273f2c89f7cd2 |
| SHA256 | b7393dd8822ab04292a068d8026dcebe2749aa679fc099cae2aeae97d3c4bbb1 |
| SHA512 | a6a062c42be8f97bd702fab5cfa1fcb4fbbf0c5ecd5d08a98fdb5d4736e4f1d6a45fabdc88f9978a939ddb6357fa7824b8f60dbe3d6d70e0c448c276d7fe9259 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | fe23cf7a41b63711247430ad13345684 |
| SHA1 | 324e62e07c505fce60e25a2f6b80c2913b4b5738 |
| SHA256 | fe3f738ee392488ac31ba315ff47dff4daa2852c587138f05ed343b59d742509 |
| SHA512 | 6d4fbb49e1e9dd2d2066e3c6453a85ea51fb83f95f2153361fdc874192ea978412fbc77bca0e32ab5b8d14b4ff7358ebf690db773ccc2d8a3e13badeeb933077 |
C:\SysDrv7V\xoptisys.exe
| MD5 | 43457b8c199b9af929b07921fb91fc87 |
| SHA1 | e4d7bf31f22e294dfb6f52605a17c964b625fa5b |
| SHA256 | 2deb40279833a5d80f3686edd1f1528926551b5ba74e3bdd98233fe990d1dcac |
| SHA512 | ef44d9e424b57d5b0402481e4dc331a73e1aeeb7c7a134e533c5c5c3e4278c4a780228d716c2b66ddad9815140cbc0bdcfa559e0802bb33cddf77a0624257abb |
C:\MintY4\optiasys.exe
| MD5 | 15f6cd1d7c90e4fd6a99d942ea1f22c0 |
| SHA1 | 6f2410c4f56231bca6f359b2eebdfd8ecfe20bb9 |
| SHA256 | d6445876a0c667fa9307a3a1aa8bed69b24150958e315399be2acad1ab05dafe |
| SHA512 | 482a5f9df89f6b79cc655cde0cabf413465f5864d2e3300961d5b4e12e6f7b8678034146249bd7f00f72fa23e9a3a15f9ad753c159e1ecb8633bc951b40734d1 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | a7d5dd148060c9c3f081be4d90899437 |
| SHA1 | 15ab889a47b56e4821eed0f8df082afd70e026f4 |
| SHA256 | fdb73ca933f33ed8bfd9650c9f6e631ee5d923c80308476d934370080d4e23ca |
| SHA512 | 80c018850ff7f98a5470b9bb7ece61e4a2a53a1abd94f3603b30b4059555dba870df975270146c596dd095f28ea1c03bb3e6fdeee7156610d078be0cb363c490 |
C:\MintY4\optiasys.exe
| MD5 | 315b76935837b4c0b9d77f637a74cb9a |
| SHA1 | 2f155706b8c565142b405d00718023638690cf73 |
| SHA256 | 83c1652956d89ff7830228a342c291e6058e1c7749211818115d56fa7be4ce1c |
| SHA512 | d2bd647ec426a379057f039b276a0738984a583546bff33bb0a9506901708eb949880fb2d07b3a7ed6d601d623b3c913c41f097f6c0128ef9ad5e29b627a8480 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 21:13
Reported
2024-10-27 21:29
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | C:\Users\Admin\AppData\Local\Temp\2a7cd2fa7d3d3c9f900fbe80b15757992f66a73ebd04bbafe82136d45eda03ed.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| N/A | N/A | C:\Intelproc4C\adobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc4C\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\2a7cd2fa7d3d3c9f900fbe80b15757992f66a73ebd04bbafe82136d45eda03ed.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZGT\\dobaloc.exe" | C:\Users\Admin\AppData\Local\Temp\2a7cd2fa7d3d3c9f900fbe80b15757992f66a73ebd04bbafe82136d45eda03ed.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Intelproc4C\adobsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2a7cd2fa7d3d3c9f900fbe80b15757992f66a73ebd04bbafe82136d45eda03ed.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
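Both detonations above show the same persistence chain under different names each run: a file dropped into the user's Startup folder (locdevbod.exe on Windows 7, locxdob.exe on Windows 10), a Run and a RunOnce value both named Parametr pointing at executables in freshly created top-level directories (C:\SysDrv7V\, C:\MintY4\, C:\Intelproc4C\, C:\LabZGT\), and each planted binary opening the NLS\Language key. Since every directory, file name and dropped-file hash differs between the two runs, the stable hunting signals are the value name, an autorun target outside the normal program directories and the Run/RunOnce pairing, not the hashes. The following is an added example, not part of the sandbox report: Python detection logic applied to Sysmon-style events constructed from the behavioral1 indicators, with two constructed benign events (an explorer.exe OneDrive autorun and an explorer.exe language lookup) as negative controls. The event layout, the EXPECTED_ROOTS list and the rule names are the example's own assumptions; the ATT&CK IDs are the standard ones for Registry Run Keys / Startup Folder (T1547.001) and System Language Discovery (T1614.001).

```python
import re
from dataclasses import dataclass

# Directories under which autorun targets normally live. A target in a freshly
# created top-level folder such as C:\SysDrv7V\ is outside all of them.
# (Assumption of this example; tune for the environment.)
EXPECTED_ROOTS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\programdata\\",
    "c:\\users\\",
)

AUTORUN_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\(run|runonce)\\([^\\]+)$", re.I)
STARTUP_DIR_RE = re.compile(
    r"\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\", re.I)
NLS_LANGUAGE_RE = re.compile(r"\\control\\nls\\language$", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str  # MITRE ATT&CK technique ID
    process: str
    detail: str


def normalize_path(data: str) -> str:
    # Registry data is shown quoted with doubled backslashes in the report;
    # collapse it to a plain lower-case path for comparison.
    return data.strip().strip('"').replace("\\\\", "\\").lower()


def in_expected_root(path: str) -> bool:
    return any(path.startswith(root) for root in EXPECTED_ROOTS)


def detect(events: list[dict]) -> list[Finding]:
    """Run the rules over Sysmon-style events (dicts with type, process, target
    and, for registry writes, data) and return the findings in order."""
    findings: list[Finding] = []
    planted: set[str] = set()  # images the sample wrote or registered, for correlation
    autorun_values: dict[tuple[str, str], set[str]] = {}  # (process, value name) -> key kinds

    for ev in events:
        proc = ev["process"]
        if ev["type"] == "file_create" and STARTUP_DIR_RE.search(ev["target"]):
            planted.add(ev["target"].lower())
            findings.append(Finding("startup_folder_drop", "T1547.001", proc, ev["target"]))

        elif ev["type"] == "reg_set":
            m = AUTORUN_RE.search(ev["target"])
            if not m:
                continue
            key_kind, value_name = m.group(1).lower(), m.group(2).lower()
            target_exe = normalize_path(ev["data"])
            autorun_values.setdefault((proc, value_name), set()).add(key_kind)
            if not in_expected_root(target_exe):
                planted.add(target_exe)
                findings.append(Finding("autorun_outside_expected_roots", "T1547.001", proc,
                                        f"{key_kind}\\{value_name} -> {target_exe}"))

        elif ev["type"] == "reg_open" and NLS_LANGUAGE_RE.search(ev["target"]):
            # Flag the language lookup only when done by a binary the chain planted
            # or by one running from outside the expected roots; ordinary processes
            # read this key all the time.
            if proc.lower() in planted or not in_expected_root(proc.lower()):
                findings.append(Finding("language_check_by_planted_binary", "T1614.001",
                                        proc, ev["target"]))

    # One process writing the same value name to both Run and RunOnce: the
    # belt-and-braces pairing both detonations show with "Parametr".
    for (proc, value_name), kinds in autorun_values.items():
        if kinds == {"run", "runonce"}:
            findings.append(Finding("run_and_runonce_same_value", "T1547.001", proc, value_name))
    return findings


# Constructed events mirroring the behavioral1 indicators above, plus two
# constructed benign controls (not from the report).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2a7cd2fa7d3d3c9f900fbe80b15757992f66a73ebd04bbafe82136d45eda03ed.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
HKCU = r"\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion"
NLS = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
EXPLORER = r"C:\Windows\explorer.exe"

EVENTS = [
    {"type": "file_create", "process": SAMPLE, "target": STARTUP},
    {"type": "reg_set", "process": SAMPLE, "target": HKCU + r"\RunOnce\Parametr",
     "data": r'"C:\\MintY4\\optiasys.exe"'},
    {"type": "reg_set", "process": SAMPLE, "target": HKCU + r"\Run\Parametr",
     "data": r'"C:\\SysDrv7V\\xoptisys.exe"'},
    {"type": "reg_open", "process": r"C:\SysDrv7V\xoptisys.exe", "target": NLS},
    {"type": "reg_open", "process": SAMPLE, "target": NLS},
    {"type": "reg_open", "process": STARTUP, "target": NLS},
    {"type": "reg_set", "process": EXPLORER, "target": HKCU + r"\Run\OneDrive",
     "data": r'"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe"'},  # benign control
    {"type": "reg_open", "process": EXPLORER, "target": NLS},  # benign control
]

if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f.technique} {f.rule}: {f.process} -> {f.detail}")
```

The language-check rule deliberately ignores the lookup by the original sample under C:\Users\...\Temp\, because the key is read by many legitimate processes; correlating it with the binaries the chain itself planted keeps the rule quiet on a normal host. The same event stream from behavioral2 produces the same six findings once its SID, directory and file names are substituted, which is the point of keying on structure rather than on hashes.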
Processes
C:\Users\Admin\AppData\Local\Temp\2a7cd2fa7d3d3c9f900fbe80b15757992f66a73ebd04bbafe82136d45eda03ed.exe
"C:\Users\Admin\AppData\Local\Temp\2a7cd2fa7d3d3c9f900fbe80b15757992f66a73ebd04bbafe82136d45eda03ed.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
C:\Intelproc4C\adobsys.exe
C:\Intelproc4C\adobsys.exe
Network
The only traffic recorded is Google DNS (8.8.8.8) lookups, mostly reverse (in-addr.arpa) queries, and HTTPS to Bing hosts (g.bing.com, tse1.mm.bing.net), which is consistent with Windows 10 background activity rather than with the sample. No sample-specific command-and-control endpoint appears in either detonation, so the destinations below should not be treated as indicators.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
| MD5 | bfcaf21c5cfb60457916bcd6b99ec222 |
| SHA1 | 58749fb86218940ce16be4f051563cd02e91f71b |
| SHA256 | f268795652f36f9b8fddf16e469b57e8db3a56132e4a547abb6c14da1f236602 |
| SHA512 | e6de78f67b3307e4af2f1872d7c6222b4eaab5509a8a134748bb3c9df75304fa5d2a497d058f430c03f6c91e188050f65e2278269b20c5c4496d4e303d2986a2 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 6e6247168e930f788f753654acae4d9c |
| SHA1 | 6687d198146fe702affba81594d90250e7f34aec |
| SHA256 | 30e0f0c2cb1976a56d667acae78cb6f41d11ecdd5304ab16e8d3762da3003b55 |
| SHA512 | 931de67e5735e88bd56b039e9432f2b39ffcc8e532a0e75e14afb3d2dcdad6979f6c47f657cf5b8287fdd81aaccb389b595d2ef645aba39e75c7312aa9e2c1a4 |
C:\Intelproc4C\adobsys.exe
| MD5 | 2fded837dc92109ce955f65d6f774df8 |
| SHA1 | ec9e5b77f9e97b04d2a1bf8b9d85260f3749e44b |
| SHA256 | 1682e6778e7e7d6ca55f865bc1c1aa445e255b044470faf019dfc17130b97bde |
| SHA512 | f4da715a5df134d2b97d6a9f3801c4a7f853db2dc1d423f7b570f23138d8a53d65da96932e822519d2a32827d8e7a50ce44f25a5cc152409f2a62a2c3a766d77 |
C:\LabZGT\dobaloc.exe
| MD5 | 24161ed8bd088f6f235a9a6da9af1087 |
| SHA1 | 7c7e125c807f2c57c8de4e4171a3054d469eec4c |
| SHA256 | 03f62352122a7948b41ed52ce4bf1777ef5722fbe7a4b9d9788e7530a4a5bd18 |
| SHA512 | 20b40dbd02ef542a59da024e3c91bbccc06ea3f91a4e3b7e442374b182bbb9a2e0828c044f5ccad802083536d9e39edb6b3715d6fe1233b1138c5f004655a2d2 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | a31ee357d81f75b403207d7c84dfefe8 |
| SHA1 | 069f95cfb4b489ffcf8b130a7f5e52f6ec918908 |
| SHA256 | 800805632d10b9403b36026dd64e04e8583bdf62b713febc8d624040ad80f6c7 |
| SHA512 | 0fd4c5c13145f1c449475008b666142409903be535a72d7c87598b218c0d2eef207e1df7b5c3e246e6624ec9f3a497360a607f092a91c071c3673c742b35faf0 |
C:\LabZGT\dobaloc.exe
| MD5 | dcfbd5cd463d1e16ed300443ab57f823 |
| SHA1 | e1851c4356a3f394f92407fc00b559ccae9f8ffd |
| SHA256 | f645dc729c31b4513ee9317136aad71f4c820e4a8ff5e7de960e3f05215b2ca9 |
| SHA512 | ba85bad4345ba60fc61d9465d8564a5698036b8cbd7857723005d49fea801ef5dcd8e34c5a8e544a0a3a6a43e5d0da7f79345773dc61c04f4e7cc4de694efe1f |