Analysis Overview
SHA256
2d6fc1d100b94c030b25a17c9f94278061e789250d5755df37115e73d308bd10
Threat Level: Shows suspicious behavior
The file 2d6fc1d100b94c030b25a17c9f94278061e789250d5755df37115e73d308bd10 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 21:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 21:23
Reported
2024-10-27 21:30
Platform
win7-20240903-en
Max time kernel
148s
Max time network
126s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | C:\Users\Admin\AppData\Local\Temp\2d6fc1d100b94c030b25a17c9f94278061e789250d5755df37115e73d308bd10.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| N/A | N/A | C:\AdobeQJ\adobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2d6fc1d100b94c030b25a17c9f94278061e789250d5755df37115e73d308bd10.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2d6fc1d100b94c030b25a17c9f94278061e789250d5755df37115e73d308bd10.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeQJ\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\2d6fc1d100b94c030b25a17c9f94278061e789250d5755df37115e73d308bd10.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintZ2\\optidevloc.exe" | C:\Users\Admin\AppData\Local\Temp\2d6fc1d100b94c030b25a17c9f94278061e789250d5755df37115e73d308bd10.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2d6fc1d100b94c030b25a17c9f94278061e789250d5755df37115e73d308bd10.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeQJ\adobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2d6fc1d100b94c030b25a17c9f94278061e789250d5755df37115e73d308bd10.exe
"C:\Users\Admin\AppData\Local\Temp\2d6fc1d100b94c030b25a17c9f94278061e789250d5755df37115e73d308bd10.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
C:\AdobeQJ\adobsys.exe
C:\AdobeQJ\adobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 13ce9afc57811fce4e559aeba6b2ba66 |
| SHA1 | aecbbe99f20c0aa03293a41d4e31f287351cb7e0 |
| SHA256 | 7d950f7a65a47299ff39ca8de958e0cfe2e9fbc60b47c3b9914cd29b7c5dffa0 |
| SHA512 | bafba2cbf6d87b40cc8c17a4fb5fe3b13e090edbf574953bb60ebfef5aef4e5bea23b0f162248a4a72a28ea113e34e0ec6b6e845da971ffb25cad408d8b3f2b0 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Algorithm | Digest |
| --- | --- |
| MD5 | 4845b935258a7542114fc63a83575652 |
| SHA1 | e7cb1ba2d5872fdba8bbe0a7098b1ed58a489fe6 |
| SHA256 | 0eb70d26a0ac285a99e3b6a801e5cdae771de1ca848169c9a59e75d2e11f5146 |
| SHA512 | 14a6cb3d75e94b0c8a11ecbff59b0ec0dfa22b47390bed818baef759d0a4650fae8ea373c7baf423df6de475405ad0e8c9ce84a39114cb1bb15eeb0b277a09a6 |
C:\AdobeQJ\adobsys.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 654899cb706002ccf4a1fe0976299310 |
| SHA1 | 3b36135caa794bba09e77dae21a5d7b19de1e32b |
| SHA256 | 1eb4da617d50d5fc17349d33b4d7a54d5097bfd1f793dccd0ab0bdb0a1384051 |
| SHA512 | 7c987904d0e9d4d0eb59823c774bf20658221dabd6a1060295a0cc69e54e997e252892150088be7b82d41a2c0404d207e2865eb4a4226e468f61849fd356befa |
C:\MintZ2\optidevloc.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 236d5ed277e0f1d057612eb281654b63 |
| SHA1 | f334b0aea16949919c11fe92edc680ab58c6647c |
| SHA256 | 36b11632f2d0f7780fda3d2481c6462eb7e4e1bb010643afb003aa172469484d |
| SHA512 | 72ec6cd814688a57f89b84b42144e391bd8ce7a9cb7c08d5ffdd33a9a46b2131dc925568f168ee222d1d275c9fcb614b18b84724269bd612e527eb765a85581a |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Algorithm | Digest |
| --- | --- |
| MD5 | 4993db0539876eee257ba1f5cb6266c0 |
| SHA1 | 912d18d11a8017d6e0c4be01bb3f2481aedbd648 |
| SHA256 | 2506e6d35dc93a9e0437f271cfafe99b1186b21c7d023fbc532a3afa127564d0 |
| SHA512 | 22320fd33c1fcc2a2138628024818de36d4a84f782bd7217322a8d772d0b146f8d1e0f56ad9c105a50ca34d24366267d551369a2cc3f3f75fb1e330926038264 |
C:\MintZ2\optidevloc.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | ddf00cf70e0914e6514510fd6cbddde7 |
| SHA1 | 264ba1b3f8d62b93d4bd3504dcb42041736db5d3 |
| SHA256 | 6aff4ab509840ebf0a7e71418c4439dbd7c9239942f23b7c10cdb09ea4251d5d |
| SHA512 | 4db6ba32e1f6c661cf4bc49276d0cb9825e25014e83ec204050dfa7642b07156644c128def821fbf5efe9cc3f25ce9b53b7e141d8d285e39adc94d33fe782e69 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 21:23
Reported
2024-10-27 21:30
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | C:\Users\Admin\AppData\Local\Temp\2d6fc1d100b94c030b25a17c9f94278061e789250d5755df37115e73d308bd10.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | N/A |
| N/A | N/A | C:\UserDotF8\aoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotF8\\aoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\2d6fc1d100b94c030b25a17c9f94278061e789250d5755df37115e73d308bd10.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidE7\\dobxec.exe" | C:\Users\Admin\AppData\Local\Temp\2d6fc1d100b94c030b25a17c9f94278061e789250d5755df37115e73d308bd10.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2d6fc1d100b94c030b25a17c9f94278061e789250d5755df37115e73d308bd10.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotF8\aoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2d6fc1d100b94c030b25a17c9f94278061e789250d5755df37115e73d308bd10.exe
"C:\Users\Admin\AppData\Local\Temp\2d6fc1d100b94c030b25a17c9f94278061e789250d5755df37115e73d308bd10.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
C:\UserDotF8\aoptiloc.exe
C:\UserDotF8\aoptiloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | b7eb3c67ff3c6ad932d8d94b19239a27 |
| SHA1 | ed9519d1a96bd060f077b8712dcbce2de4ebd0b8 |
| SHA256 | cf9ab436c0f27235399e016ddaec3fd245d734614e0ab532637ed07eff67d5c9 |
| SHA512 | 87001792e0a2f964d16f6b9a3fc865d0964ad6146dea86bcfbf9836a08c13efc2b46e516715eb05024f8e112956d0ba1ae96c6df721a87c1ae53c50c6e86853e |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Algorithm | Digest |
| --- | --- |
| MD5 | beed12bfae7eb5f1a6a909f1a9c1cab8 |
| SHA1 | 6cdc4c40884fa91289ae10b35a2bf8da122e7a11 |
| SHA256 | fb8e04e4ce20a539562fda95762f298f61a3c7d2c16ceb96db06933760069409 |
| SHA512 | 715d1715a14f50ffa88e32842e2d42f97552d0b2525e2aa245cd566a64af9e439393585cff8ac2d11562bd0cc0f8b2ece38bf5a8dabde991bd0ffe379f540a06 |
C:\UserDotF8\aoptiloc.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 0604c2683cdf367367f68c1172e84487 |
| SHA1 | da09a710f885f674d61f6073d68763a3a6dd796d |
| SHA256 | 0511689e6b66197c93294c10bcf3cdf07eb294733fc52568ef43f20e26c7b740 |
| SHA512 | bde2cda5d9f69456014a12ebd8b0e636c47b3e4ecf9ef4d37d5815668cffd77eba6d74a63280002e238dd6ebdc0c9ce53decb6bc2077858a7dd702caf84c653a |
C:\VidE7\dobxec.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 8c5310e09ff0ab53718b8a89690941e6 |
| SHA1 | 692591074d7eb4106fe8d09b12a0368f96ee1a6b |
| SHA256 | 2f99d73268fd50c03f847c7d7904d84f0828986ce4f2e3bf1bd1eb0e4983e788 |
| SHA512 | fe82f71997ecdb78b7a1dfbb3270da9dce6d5a0e2694cf64423e955f80d76604b9597a7974c89b0319f8d49f08e5a08c7875de74e20e6f93c06bac5948853ee1 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Algorithm | Digest |
| --- | --- |
| MD5 | 4b4383e319929fcab9db7e38f00dce19 |
| SHA1 | f3a5742b27eddf38f8e2593cc9681307bbfd3a6c |
| SHA256 | 595d4fe540e92e2b7b1dce444b3bb7a39a1db4abfc743a46c2bcea6a033cabe4 |
| SHA512 | ab192154a77501eba01637d44fc020b7514ae44b6862a3828cfb77793319fc37ffb1fe0f2ff4ce1d15b340f0e4fcbfbeedf245de916be74834729c06cbece8b4 |
C:\VidE7\dobxec.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 28ab7272aa8220f0fb7ee63d24a63f64 |
| SHA1 | 2a483f4e559f8a69e301ad88d4e4b3a8a9927222 |
| SHA256 | 3c2c18000bf86e02dba9ab1d8fe56ecc9184832b3e242bbe8d531627c90c31ce |
| SHA512 | a7ee7834c2b418b01a7c90b5c51143c30f6b930fdcb314373bf46e99225a0d19b53543af3de34dbd039034cf16bad8ba358238ac3b7cc30c3a643fcda8b8ad8c |