Analysis Overview
SHA256
06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12
Threat Level: Shows suspicious behavior
Submitted as 06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N; verdict: shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Techniques corresponding to the signatures above: T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (Run/RunOnce value, Startup-folder drop); T1614.001 System Location Discovery: System Language Discovery (NLS\Language key read); T1057 Process Discovery (process enumeration).
Analysis: static1
Detonation Overview
Reported
2024-11-08 22:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 22:01
Reported
2024-11-08 22:03
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\UserDotQL\devdobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotQL\\devdobec.exe" | C:\Users\Admin\AppData\Local\Temp\06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBEY\\bodxec.exe" | C:\Users\Admin\AppData\Local\Temp\06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotQL\devdobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe
"C:\Users\Admin\AppData\Local\Temp\06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
C:\UserDotQL\devdobec.exe
C:\UserDotQL\devdobec.exe
Network
No connections recorded (network capture window: 16s).
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
| MD5 | 9335f3ecb07534911e9331aa23d6532c |
| SHA1 | 64a73a5a527184f91019779c187a507975cecea6 |
| SHA256 | 80e156367805fbb35499f333d37244fd002e08c38ea6e4ea06754a02dc18778d |
| SHA512 | 657260a4023c23fa7a4a9e851e3e19975aba3dcfe85d78846a88f187211f4c80661104b70ba28f53352f580916d6a3585b519877bd3ab68dc2c02dec12f12450 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 148736d6bedb945b9dea407558a831bf |
| SHA1 | c3fde95a2cd68bb3770433c9f04659703ca823e5 |
| SHA256 | a017a2e4fe636ebb5f4a53e0ec5213e54e6d0d26e0b2c0a273595786892ba37e |
| SHA512 | 0ac3c8410aa66b6c5ae8f32dc16d205bc9c3dc3ac1c935aa4d8acafbe9b3ebd96212bd75272a1ac5e68848b90b817153d64d07378afb0a474e7a87f2a3cfe62a |
C:\UserDotQL\devdobec.exe
| MD5 | dfa06a7019b3a5272c70208dbe9d368c |
| SHA1 | 041e00bf018d8e40423f35782b77cef1e09d7e16 |
| SHA256 | b00f0db3504917fccec31ed8033d46e7c3d3bc73edf7e59547e2b4f52ec0da8c |
| SHA512 | ec35a941e3b6f65ee52c12f99ec30c05bdeec2fa69388ff02573cd402f84c4716712df6adc474fc67e8fa851f042b8747c06c78d458e893bca871a0ee844aab7 |
C:\KaVBEY\bodxec.exe
| MD5 | 772cefcdfeffb915c8fb04a6f785fb37 |
| SHA1 | 555b079112ea09be88f442dd0c92db7d9b358a5c |
| SHA256 | 267dda70cc62a96a897b3e8b3d0fa249bdc95a866d89e279468b472398a6c904 |
| SHA512 | beec194384eeb5be09a7a59c398081567162345c5734a82093ad8c80dbd138d2aae2770cb33a8ede0c8acacbd44d53ecdfcbc73680f2e41d637e31feff1af4fa |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 75896cbd8a9329f9a23683fad157c1db |
| SHA1 | e84bc72a5f5c941adb6dd64989fc3d3ec4127c22 |
| SHA256 | 5316a514d2e1a65b7373ec47a60984e733261a20515b98b0c2a39cbb97afcea4 |
| SHA512 | 08c4714411c1c95116d953aa9bc78ed623edf743d6b18f9ef577d47bd0da4f292e773a61760a17b5743aa0e0097b620692b6c2c32e4b240cf0eb9973fdd4e2cb |
C:\KaVBEY\bodxec.exe
| MD5 | 00664a79741ff63fcb676b413d2b1ae3 |
| SHA1 | eb425d49bed86534fdeb446117b2a3288dcbe4c2 |
| SHA256 | 605b61f3c98cc3f210194ae8fd839ff614a25b71a0a7792dc3ae9294bd597e12 |
| SHA512 | 8dccf34e3c80cf87d2434f48cd994a50bf1dc01381926507105ee45b78a43c2136d59b5eb33d65cf7ec05faf20b7fe8a9c2f39cee714aa9a3112057ed64d5ca5 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 22:01
Reported
2024-11-08 22:03
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | C:\Users\Admin\AppData\Local\Temp\06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| N/A | N/A | C:\SysDrvKO\aoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvKO\\aoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidMQ\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvKO\aoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
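Both detonations record the same persistence pattern under different names: a value called Parametr written under the user's CurrentVersion\Run and RunOnce keys pointing at executables in freshly created root directories (C:\UserDotQL, C:\KaVBEY on Windows 7; C:\SysDrvKO, C:\VidMQ on Windows 10), plus a second copy dropped into the per-user Startup folder and then executed. The NLS\Language key read flagged as System Language Discovery is, on its own, weak evidence: any locale-aware API call touches that key. The following detection logic is an added example and not part of the report or the sandbox's own signatures. It runs a small rule set over Sysmon-style events constructed from the report's indicators (event IDs 1, 11 and 13 and their field names are Sysmon's; the dict layout, the event ordering, the parent-process attribution and the benign control entry are this example's assumptions) and flags Run/RunOnce values that point outside Program Files and Windows, Startup-folder drops, and execution of files the sample created.

```python
"""Persistence detection for the pattern recorded in behavioral1 and behavioral2.

Added example, not part of the sandbox report. Event dicts are constructed from
the report's indicators and borrow Sysmon's event IDs and field names
(1 ProcessCreate, 11 FileCreate, 13 RegistryEvent/Value Set); the layout,
ordering and parent-process attribution are assumptions of this example.
"""
import re
from dataclasses import dataclass

# Autostart targets under these roots are treated as expected; anything else is flagged.
TRUSTED_DIR_RE = re.compile(
    r"^(?:C:\\Program Files(?: \(x86\))?\\|C:\\Windows\\)", re.IGNORECASE)
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$",
    re.IGNORECASE)
STARTUP_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$",
    re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str   # process that performed the action
    detail: str    # what was written or executed


def _exe_from_value(data: str) -> str:
    """Normalise Run value data: drop surrounding quotes and the doubled backslashes the report prints."""
    return data.strip().strip('"').replace("\\\\", "\\")


def detect(events: list[dict]) -> list[Finding]:
    findings: list[Finding] = []
    dropped: set[str] = set()          # files created earlier in the same event stream
    for ev in events:
        eid = ev["EventID"]
        if eid == 11:                                           # FileCreate
            dropped.add(ev["TargetFilename"].lower())
            if STARTUP_RE.search(ev["TargetFilename"]):
                findings.append(Finding("startup_folder_drop", ev["Image"], ev["TargetFilename"]))
        elif eid == 13:                                         # Registry value set
            m = RUN_KEY_RE.search(ev["TargetObject"])
            if m:
                target = _exe_from_value(ev["Details"])
                if not TRUSTED_DIR_RE.match(target):
                    rule = f"{m.group(1).lower()}_key_untrusted_target"
                    findings.append(Finding(rule, ev["Image"], f"{m.group(2)} = {target}"))
        elif eid == 1:                                          # ProcessCreate
            if ev["Image"].lower() in dropped:
                findings.append(Finding("dropped_exe_executed", ev["ParentImage"], ev["Image"]))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule name."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# --- constructed events mirroring the two detonations in the report ---------
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"


def _run_events(sid: str, startup_exe: str, run_exe: str, runonce_exe: str) -> list[dict]:
    """One detonation's events; paths and SIDs come from the report, ordering and parent are assumed."""
    hive = "\\REGISTRY\\USER\\" + sid + "\\Software\\Microsoft\\Windows\\CurrentVersion"
    startup_path = STARTUP + "\\" + startup_exe

    def quoted(p: str) -> str:   # the report's rendering of the value data: quoted, backslashes doubled
        return '"' + p.replace("\\", "\\\\") + '"'

    return [
        {"EventID": 11, "Image": SAMPLE, "TargetFilename": startup_path},
        {"EventID": 11, "Image": SAMPLE, "TargetFilename": run_exe},
        {"EventID": 13, "Image": SAMPLE, "TargetObject": hive + "\\Run\\Parametr", "Details": quoted(run_exe)},
        {"EventID": 13, "Image": SAMPLE, "TargetObject": hive + "\\RunOnce\\Parametr", "Details": quoted(runonce_exe)},
        {"EventID": 1, "Image": startup_path, "ParentImage": SAMPLE},
        {"EventID": 1, "Image": run_exe, "ParentImage": SAMPLE},
    ]


def sample_events() -> list[dict]:
    win7 = _run_events("S-1-5-21-3533259084-2542256011-65585152-1000",
                       "sysaopti.exe", r"C:\UserDotQL\devdobec.exe", r"C:\KaVBEY\bodxec.exe")
    win10 = _run_events("S-1-5-21-4089630652-1596403869-279772308-1000",
                        "ecxbod.exe", r"C:\SysDrvKO\aoptiloc.exe", r"C:\VidMQ\dobdevloc.exe")
    # Benign control (constructed, not from the report): a Run value into C:\Windows must not fire.
    benign = {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
              "TargetObject": "\\REGISTRY\\USER\\S-1-5-21-0-0-0-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth",
              "Details": r'"C:\Windows\system32\SecurityHealthSystray.exe"'}
    return win7 + win10 + [benign]


if __name__ == "__main__":
    for f in detect(sample_events()):
        actor = f.process.rsplit("\\", 1)[-1]
        print(f"{f.rule:30} {actor:40} {f.detail}")
    print(summarize(detect(sample_events())))
```

The rules key on structure rather than on names, which is what makes them survive the per-run renaming seen between the two detonations: the same ten findings come out of both runs' events (two Startup-folder drops, two Run and two RunOnce writes, four executions of dropped files), and the benign control entry pointing into C:\Windows produces none.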
Processes
C:\Users\Admin\AppData\Local\Temp\06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe
"C:\Users\Admin\AppData\Local\Temp\06addf1695faa4b9644dd0cd6b551b7190bd9a150c0306f2c44ac4ac8c80bc12N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
C:\SysDrvKO\aoptiloc.exe
C:\SysDrvKO\aoptiloc.exe
Network
All recorded traffic is reverse-DNS (PTR) lookups sent to 8.8.8.8; the table carries no process attribution, so it cannot be tied to the sample rather than to background OS activity, and no outbound connection from the dropped executables is recorded.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
| MD5 | a275d69e0bb3d97071782b37a2afffde |
| SHA1 | 1421f6ea00909aeee0183b80e304c0b8d55f8e39 |
| SHA256 | 6177adfa2373810c9687372cfd415cdf53c16f7c7b4e35e4a4c6046c6373826e |
| SHA512 | 3e3733f77e668e158735b4903358fa67686bb189c7e46a0b1fedcca56b44a76f0323b2f88fad16b228fd206a8a731dce7bbd033347c0829e65998019c6808d63 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 974234e2024a5141e0a3f207ed07773d |
| SHA1 | fff2f5f5c51cfb2b88746a21c01a314d50cc2367 |
| SHA256 | 81f4b77294a982108683eefbf9ca858f69c9cef34a792fcbd60f241b9dd606c5 |
| SHA512 | f20575107544cb961195b1420f3c225fdc99ea11cbe1cae44e50164c0145aef38f70c13f7dc1f32d8e961dccc94267d8db12186455c37cf3b55a43b1d78984d7 |
C:\SysDrvKO\aoptiloc.exe
| MD5 | 4377fcdc62993ce1dffb5d08714b8b0f |
| SHA1 | 8d4c68e5e3cb5dcc564b27328b69f47fbacea9f5 |
| SHA256 | 37667a8f28887f184c7b42b92d04aae5089043ba7fcb0bdcd7ba3b084ca45711 |
| SHA512 | 4f3ae57fcac23c6f9fc2725e42fbdabdb2049abd9f033af3263683ad684fbfb708de6680e7ce376ca3baa5c84675982c0dc429c999eb0aae951eef0a30ab06e6 |
C:\VidMQ\dobdevloc.exe
| MD5 | a26010c1243d4924f50bc28f4c9836d3 |
| SHA1 | 15797bfc341cf85bc809e0eeac04704c0dccfa0a |
| SHA256 | dfdd5177a6ec3cf2e7aa404dc73384f38d54d03f3275c96f0b36abff7916cd5d |
| SHA512 | ca028327e9089759d03b2df5c359eb59c6b85dee38f05c169312d9404843f73d43beaf4ad46f8ffd368e9a2d477d788e2dafd298aa42b1ea9606b91644649e50 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | b32f01c609a15adaca850ae1807a9332 |
| SHA1 | 25e672f157b0622c010173d1a314293f71a2276f |
| SHA256 | 8fbb15d9aace682c3128e3139c9d8fb61c1793ee5b4bbc04ab2e198acd994fb2 |
| SHA512 | f50aa2d8cc63cb78227ebcda421a1bea33fb1536edfe49fc921ba4caa1afcea791afe7bab6305e899c24304564f6ee03981d02d2b99cbd5e30c798418e0ffe2f |
C:\VidMQ\dobdevloc.exe
| MD5 | d5c10ee29bb098c28be488ba504faf27 |
| SHA1 | 7d31f467ccb37832e321f8403e2497ab30a1a956 |
| SHA256 | 97fb5838213d13a5864e9ebaa56f363a5d5df39f481d71833a1f9ff39284a985 |
| SHA512 | 814a15ea040b1cdcef37d8c7607a0125333dfa4330a5570b15fad3721008151def9eec7ffa90a7ce2ec2bff66bcbc5f62a0942587b75645741097efd9d4691c5 |