Analysis Overview
SHA256
4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41a
Threat Level: Shows suspicious behavior
The file 4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 23:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 23:17
Reported
2024-11-08 23:19
Platform
win7-20240903-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | C:\Users\Admin\AppData\Local\Temp\4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| N/A | N/A | C:\AdobeNC\aoptiloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeNC\\aoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintW4\\optialoc.exe" | C:\Users\Admin\AppData\Local\Temp\4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeNC\aoptiloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe
"C:\Users\Admin\AppData\Local\Temp\4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
C:\AdobeNC\aoptiloc.exe
C:\AdobeNC\aoptiloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
| MD5 | c8d9ac54abb6fcc2947f37a2be0d5d45 |
| SHA1 | fb02f3f168868abfab5debe1db540a4abcc9f96f |
| SHA256 | ecb269550a4b84adb3a56ad57ad57ca565cfa787cd400b656d1905dd9b002807 |
| SHA512 | 3e2476727aa7377adb129ef41a6cfe9d6bd008a2191843dc5feba8d6d266608e35bf334072a34cbea5900eebb8b6901cf1c519c8d20ddcfc21c42723c69403eb |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 249fcf756fb182764352b3dedbfbd9bf |
| SHA1 | f518f570ed08664eb37adc49e57eade25a8a5538 |
| SHA256 | 1db47da37f726d385c223a22bdae37178ddf868511909907116f3f84bfa34f93 |
| SHA512 | 80cf3c8d265aa529f5cc4197c1d6f16719a6464c5f46897bdb101954ab50c3a0fe004d45fa4b8508aaa615667dcca7cb7efe38144881d19b92ba7f4ff4f1ab90 |
C:\AdobeNC\aoptiloc.exe
| MD5 | 13b09ec264017a6746855080acb54b38 |
| SHA1 | 493183de9a35747d99796797521c6e53c4457519 |
| SHA256 | 40f40619be4e9e9002b327ace01e72ae13b1271e2d07369c003d327216959092 |
| SHA512 | 78c4c913e591cda1aa36ddac15d2432654a00d245d5189f1e4ccb7e2ac5b0974815aec8d723e47900fdb3a5e30f9e6b8182043605d7452023d45f26aa5606416 |
C:\MintW4\optialoc.exe
| MD5 | 9c572b0d02ba45d4cbdf9bb8de22ba14 |
| SHA1 | 9a75ed5e18941b3c42578754a1077f61bc475be2 |
| SHA256 | 2d84cfe1d9a5cdc0a99504f086d21682e81cb480de8f2355428d3bd43361b39b |
| SHA512 | 871addf24fc3c2c14d24c00844bdc24f088b6d418995e97a3e7dc3a421a53b7b7684f256d397698b71264ed94a5abec9252cd2683453a96cd7907c2af90796a8 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | f0a65ae704b67c221eab61ba1a5f653b |
| SHA1 | 8cf6801e8aed1cf79d1615c310da06bbf43a70ac |
| SHA256 | 053a36e58251bf9006bf4bae29af28361d3e934ca3c70a528674e4e61d0bf631 |
| SHA512 | 31d8d94e7ab3e3707c0c03796bd89314ed71102266fd41b7e730b5eb393b31c05bd94037df3d80871614a92f5663c41a9239d6fbe290b917e2113071cb9916ce |
C:\MintW4\optialoc.exe
| MD5 | 069c7d5ebc20ead441519fc2807acdfc |
| SHA1 | 94eb49acfddc6450c4810d85271299b49f964a2a |
| SHA256 | af2d7152258913747132a41b113c445005357f268ca6a717b1a8a42c3ac7052f |
| SHA512 | 91dd10db98a2c08140dabc8a5cbe76768d1878b4cbf579f7f2c7fc0466e81b35f6a33d4dc31c97b393de15d2bb730f141974d3a6784c8f6a2748d67bc75433e9 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 23:17
Reported
2024-11-08 23:19
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | C:\Users\Admin\AppData\Local\Temp\4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | N/A |
| N/A | N/A | C:\UserDot28\xoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot28\\xoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB1X\\dobxsys.exe" | C:\Users\Admin\AppData\Local\Temp\4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDot28\xoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe
"C:\Users\Admin\AppData\Local\Temp\4517cd19808f9049f8b5dbbac15a3c2be53cc9249338432154af5c1a2d97d41aN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
C:\UserDot28\xoptiloc.exe
C:\UserDot28\xoptiloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
| MD5 | 6e89c0767aa75008b202eeefb202e756 |
| SHA1 | dd12847de72cc30a1c5c071130e7c2c0bd324f18 |
| SHA256 | e270a2b6618e20d60a34f6f8415de46cfb7f3d25f94e56da3031751f61450dbc |
| SHA512 | 671e07470eeba4b920b0b5692976946142c271ac4ee229a877430ad57253d81987247e48f26adcb2aecfe1a9dc72f993f3a43ce6bf88456f4fb297ff3ba12ec4 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 66953f6c7985957c59221f67d3d2c4e9 |
| SHA1 | 036f61cb9985ab0185759b2fa777b6f36e857986 |
| SHA256 | 591ff7cf6c3ee90c8e149ba655f8b3dc7febe86b2a14de637f6f74df86bd051c |
| SHA512 | 6d4736ff4377b32c609fb7855640b5d5bca13ceba30d349da570b1422576fa36bb3d2f84fff04a44cdb4bddff7590a11005047e88a9a7f82db9853cf7ebbdfd3 |
C:\UserDot28\xoptiloc.exe
| MD5 | f67feab3eb40835d467699d1ddcb038b |
| SHA1 | e53f7297d8285360bd48f3552530211c877cf928 |
| SHA256 | 2ae376a91dfa26c06123fcc113301464ce0cc3314b1543021029eb3aaf69f96b |
| SHA512 | 1f49ecef3c8fe16e59fb3c6178fb5c0fd4482792ef21c68e3381ab79b18bf9ea7a0514cadd65e3bbc3a58f257fbe3ba14d02ac27f544e0a5f6fc614b44fbe8f5 |
C:\KaVB1X\dobxsys.exe
| MD5 | 723f1c3ad1336d278e84b04968d246bb |
| SHA1 | a3cdff3cd39907386016f9aa0ced7f803f67314d |
| SHA256 | de7fea2a9af76f58de29e62f01aac4df88c9730bd21bde061fde94c0b492fbf1 |
| SHA512 | 425193df402fa93f2ad4f57e2580ed3bfb66e5921951bbe68b777fe8bec3b9bcdab2a0ee59698ed51d10f262ad5a5ed61be15b84b6139e893983923ca2560289 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 8704453e7c2e8918b18ae89b31a69d04 |
| SHA1 | 4b36f9be162164363714467a18afa7515410675a |
| SHA256 | b1e01208367d5155cec00eda287a44ef9338bd1f49c98dddceb7408eae078079 |
| SHA512 | ede5ea7dd08f34e4f630e2a9f7e0a85e383c710906a243dca390102d97e8dbcae1271e39d989f0c2642ac50bda9bb0a99eb4d11b36a0643b571db29723eac2af |
C:\KaVB1X\dobxsys.exe
| MD5 | c0f947a72fc0f3c62416a88a72c66709 |
| SHA1 | 51d91a91af0eadbd490468171cfb69815aee8420 |
| SHA256 | f832d6bc26ca1d6eab5f07d9efe546db5e9623d9195f5a8ec3eb287ff9827bcc |
| SHA512 | 19d0cdfa1d51c2ccb1a3c0a3b7061f5b5eac80cf6e9ffe83a5b867d112afbaed52e30220f3af6390405a84f5448522bc881618281f46211ad03c1152654dc054 |