Analysis Overview
SHA256
c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4c
Threat Level: Shows suspicious behavior
The file c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Drops startup file
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 22:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 22:38
Reported
2024-11-08 22:40
Platform
win7-20241010-en
Max time kernel
120s
Max time network
18s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\FilesOS\xoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesOS\\xoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxN8\\boddevec.exe" | C:\Users\Admin\AppData\Local\Temp\c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesOS\xoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe
"C:\Users\Admin\AppData\Local\Temp\c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
C:\FilesOS\xoptisys.exe
C:\FilesOS\xoptisys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\FilesOS\xoptisys.exe
C:\GalaxN8\boddevec.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\GalaxN8\boddevec.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 22:38
Reported
2024-11-08 22:40
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | C:\Users\Admin\AppData\Local\Temp\c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| N/A | N/A | C:\IntelprocRA\aoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocRA\\aoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxP8\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocRA\aoptiloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe
"C:\Users\Admin\AppData\Local\Temp\c1dd65c592774f62b3725631366ea8b05660b1dfc049577daa68448cf3278b4cN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
C:\IntelprocRA\aoptiloc.exe
C:\IntelprocRA\aoptiloc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\IntelprocRA\aoptiloc.exe
C:\IntelprocRA\aoptiloc.exe
C:\GalaxP8\dobdevec.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\GalaxP8\dobdevec.exe