Analysis Overview
SHA256
12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9a
Threat Level: Shows suspicious behavior
The file 12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Drops startup file
Reads user/profile data of web browsers
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 22:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 22:03
Reported
2024-11-08 22:05
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
100s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | C:\Users\Admin\AppData\Local\Temp\12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| N/A | N/A | C:\UserDotUK\xoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotUK\\xoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidR1\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotUK\xoptisys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe
"C:\Users\Admin\AppData\Local\Temp\12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
C:\UserDotUK\xoptisys.exe
C:\UserDotUK\xoptisys.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\UserDotUK\xoptisys.exe
C:\VidR1\bodxloc.exe
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 22:03
Reported
2024-11-08 22:06
Platform
win7-20241010-en
Max time kernel
119s
Max time network
19s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\Intelproc1G\devoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc1G\\devoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBWV\\dobxsys.exe" | C:\Users\Admin\AppData\Local\Temp\12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Intelproc1G\devoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe
"C:\Users\Admin\AppData\Local\Temp\12ca533a8eb1932d431f3b33c4754d6c45faea4648909fdb14b7a596142bdb9aN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
C:\Intelproc1G\devoptiec.exe
C:\Intelproc1G\devoptiec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\Intelproc1G\devoptiec.exe
C:\KaVBWV\dobxsys.exe