Analysis Overview
SHA256
a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2d
Threat Level: Shows suspicious behavior
The file a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 21:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 21:57
Reported
2024-11-08 21:59
Platform
win7-20240729-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\SysDrvAM\xoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvAM\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB06\\optixec.exe" | C:\Users\Admin\AppData\Local\Temp\a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvAM\xoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe
"C:\Users\Admin\AppData\Local\Temp\a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
C:\SysDrvAM\xoptiec.exe
C:\SysDrvAM\xoptiec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
| MD5 | 5a061281d10a77bd1563f6e00cb64bdb |
| SHA1 | 866119ec0fbf5b59de45f9f22073a87306cd07b5 |
| SHA256 | 6f385fb226000a378408202e3e3d438e8e57dad1916aa430510afcaa9471b609 |
| SHA512 | 285d33318a575121ef9d852fc6d9a99234cc388e39a439ad51fc58fb179b2f9ee5370900c79607150875ca32ecdc81acce6f7c17b7053edb827b1c4b59e63f11 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 20bfd7124296a56be4ad1b3cd72ce61e |
| SHA1 | a840c36d50054e439364034c96f218ccaa74446b |
| SHA256 | 25c578ef5919737405e67595e15bc20a2a49a0c658bb9fb42279fcc186e0afc6 |
| SHA512 | a168901cc403242ed61eda206937402e003029ae314e4fdda536feae9015eacfcd1f4b8cc2071c430722c941ad525ebd695e9e39bd1b3112e7b729a647402e99 |
C:\SysDrvAM\xoptiec.exe
| MD5 | d60e6b91843229018a8d7faa63897350 |
| SHA1 | 681efeda7061d44185d10ca124b9356b3ac16fbf |
| SHA256 | fa96b80a0aede2e756b47a23365a805ad7f74d148262748166ffe1a8eaa670f1 |
| SHA512 | ac3ac18238ef9d29d587c29b38b8bab96e95b4f12bcf87ea71c2e3749166c18c8f61304ba581abc927d1c41284b9f8000c41821660c59044b7e1c511578ef786 |
C:\KaVB06\optixec.exe
| MD5 | 942f6c4c2384b145aec0867ce4aefe20 |
| SHA1 | 2d23d42520d8481ef0e29117e5a00b0f55db9279 |
| SHA256 | d3b6d95d083b99271d0580d7a9638ca46bc6fcad11c9d81d90b46f8bf8dc04e5 |
| SHA512 | 280cbd3e67158a18ada67734aa5de0e30f988fbdc5db42cc5c2827088d7b9eee385e65ba4c0ad519a8d22099e5c8654a9501dcd60d04aa796f5ef7468bfc11a9 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | b6b0776da040f7198cd5e70f71295726 |
| SHA1 | 088bf8ccaff40cf51346df8c630bd0a9632e79c0 |
| SHA256 | d12f7f57fdabf7f7fde3ebef65bd8e33b1bf7de1e4c83b7d1730fa2cf56a5ef9 |
| SHA512 | 11f3b57fe37c99b6dcb706b3ae53c52526846f95a2e8a04c94c3a3cf1c296901374e91b7bd9cf9d512cdbbd74316fb6dd89cbc1ca732cdea916d54fc62855cdc |
C:\KaVB06\optixec.exe
| MD5 | afd7f4578acfa0d270b991586cdfd22e |
| SHA1 | db686f7ed8de446e6605868fb3b2b4a684e30f85 |
| SHA256 | 112f19f8b1e8347f1ad74b3026d45e809479e0439cf466b4e0f118e8db936084 |
| SHA512 | 4c72edab1880006fd21238609e484d07a1d7b82bc7055b75245b937356dcc5b23b6a3927bd5e28360b79aa69e4109bbc9aa535cc32d16cf93b44f8da9bbbc2f8 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 21:57
Reported
2024-11-08 21:59
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
99s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\IntelprocFT\xdobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocFT\\xdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintNC\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocFT\xdobloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe
"C:\Users\Admin\AppData\Local\Temp\a1c719709b86d03ea22f26eaee1bfa1e7032b1ca6f2922388bc796c3edf84d2dN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
C:\IntelprocFT\xdobloc.exe
C:\IntelprocFT\xdobloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
| MD5 | 5b82cc106f7bd815d82e2bc95ef2144e |
| SHA1 | 9daec5d99925f8bc63d4c13804889799be30af0b |
| SHA256 | 2289ec1d42300b48baa80c9bfe1becd2baba7339ee930681f29079af79ab4663 |
| SHA512 | f08912b9b194f9b212d4698ef5163d36c958e0f7a05ff94d0845d8292f3e0a11705d724bab6f3f70d190497689265055a9e4ce5cb9efb8375629017d3c4d233c |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 701dbf1ecd0054eedb47cd021b9cc453 |
| SHA1 | 162423eab564bbff4240251d14f2f0b698529519 |
| SHA256 | 7b89d3874842d56678d158e12aa922e0239f2ea08a454aa0de41fbe8283ef578 |
| SHA512 | 17f94b973e2749df11bec5b0c84a621bfb2d8431aeb417741d1441ed0112e3197b3d78e7e3f890471031080c23da8dbe473c58a5206083ad06a97617645c7283 |
C:\IntelprocFT\xdobloc.exe
| MD5 | 730de6f3c43df5ce8b4e5f87faa3cec9 |
| SHA1 | 76e7a53a073936a5bf252bc93521df8fa12a189b |
| SHA256 | c96f597439ba77c0b88eab7848946ed2adfdc50f7257ca2e857e827c1c820322 |
| SHA512 | a173e50570a7db3c4771a124a1d2018ef7fa947f79d9cd1513c8e2d7b7ff89536915bc5d7124c24a19b6888846fcff80894cf5efcfe21f04156a0c6c90b05b15 |
C:\MintNC\bodaec.exe
| MD5 | 4340c5af6e8404038ab5805015895c05 |
| SHA1 | c00d24afad04cfd26e3dfd544f67e8e7ffd47759 |
| SHA256 | 71c1adee2c548c270f834b22d949916130eb8485183d664458182d440a7157d0 |
| SHA512 | bdea9a4321ad8065e4d2306f28c85f62c362400987323d2a1b7db845b041f8ab252c72a73df0d7dff5f3c1bcc1661f51995b28f7d8ed0638636bcb9f5e1092dd |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 40878f1230354d0fd041f4f470710fe0 |
| SHA1 | 11aa86d24de207762e1e586688f64e3cadc9d37f |
| SHA256 | b51c926cbd19bd14caff6ec099db0b349fd836209df5cc7debd30b693d9cc9ca |
| SHA512 | 45007ad39d3b11c202caa8a86c8326933ff528c269fcdfbd7ccd1f08abc276d3a3e97b58df2141dfc451468b778f0ca59c0a76b7f4b224992c4767fb81bf7a97 |
C:\MintNC\bodaec.exe
| MD5 | 1626f324fa76ed86c3814dcca605b817 |
| SHA1 | 6ba221c51a418fecdf56b3277123fcc908e7593a |
| SHA256 | d707cbac79a9ab9fa4e4101c71e673b5b4fb13276cc58cd2a7fabdb5994eecd3 |
| SHA512 | 5979cde95fe4b98963df21a664dcd4ea7d1f3f44b353030b9a7d024d4710af23fa8cf7ee277fca027e2725aa603238d2f4fb552887d27727d824a991b7598f47 |