Analysis Overview
SHA256
124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287
Threat Level: Shows suspicious behavior
The file 124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 22:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 22:49
Reported
2024-11-08 22:51
Platform
win7-20240903-en
Max time kernel
120s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\SysDrvPC\abodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvPC\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintAR\\optiaec.exe" | C:\Users\Admin\AppData\Local\Temp\124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvPC\abodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Path | Command line |
| C:\Users\Admin\AppData\Local\Temp\124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe | "C:\Users\Admin\AppData\Local\Temp\124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe" |
| C:\SysDrvPC\abodec.exe | C:\SysDrvPC\abodec.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
| MD5 | ea93623332821ab1ff104b59324bc94c |
| SHA1 | a0d6f2498fbef65967f2e3245405cd7387dee7d6 |
| SHA256 | 349663df222b5634b17db98aa0dd0fab7d9762387df4edfe2ce08fd2919e3fb7 |
| SHA512 | 0c3daf332bd8695ff7cbff8e33db8d22ed0113b898cb988d3bfb7490bd8021b2a316d7caa42677fb73c013fe407d6686f97df87542d34417fa756603e444deb6 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 8ec0023952d03d5154e5a19790f640dc |
| SHA1 | 8bbb572cb647c92a2b98a90972713ba315d4377b |
| SHA256 | caa16f9d3175e45b6081e2f2e819a365cf01738eeb67b8865d58e16df9a2cc97 |
| SHA512 | 1d95295863089aa85469498aca46eaef2190c9d6fcc96269cbc00fd44cf8523323f895d0aa41551664533348dbcf4ec448b62b282a1658a92b2e21f47ceeb50c |
C:\SysDrvPC\abodec.exe
| MD5 | 67d2027f8824b7369d01ed99a320f7c2 |
| SHA1 | 2254852735be28c83c4558e73b4ddbf33f2ee240 |
| SHA256 | e2817ec6e047a7407e5a92947e1765c81b481c61f7e1349492616dfe4a387125 |
| SHA512 | 461784eddb6cb4c22b06a8e33b6681059818c1df43d7bc35214c16ebc6d9290f5994d25251481e75084e2db190544bfc21422affd2b61a28eccce4c724df8841 |
C:\MintAR\optiaec.exe
| MD5 | 192b751a0d7753e6e15f764f6cd9ff9a |
| SHA1 | 0eb5e6928ee1c190279f10a2f00dc31cb8a40dc3 |
| SHA256 | 9926f46aa9316c4a6ec2d22be5ef0b4f28ba42b5867f8bdfb682a8d1131a5296 |
| SHA512 | 163baca775305cf722c1a37babe081d0115fa82e083f83b2f4881aa2c28b5ab69172e8c8e42caec6ea94303db2226120266798b8058b87b821acde68452545be |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 24149af154da5fcdf391c93ce3337c57 |
| SHA1 | f383b70bd730c747dc1a091dc5179b5dcadce083 |
| SHA256 | 1aefd425d284d642d4b1eb4b26908dec77e5b9a53be05895265d25a908d92970 |
| SHA512 | 63b8475ede8672f0945e03c618e63b8ddd7e5e5084a35805c98a0dce0ed75464c781ad8c2769654ee5492c9b5b6bfe9bfe405042ea81f8278e55ade95e38d341 |
C:\MintAR\optiaec.exe
| MD5 | 6bd2c663ed8807c4a06d9d525a0505e6 |
| SHA1 | daed1e919dc741805951ccfa50e0012e69f8efef |
| SHA256 | e4ca5c6ba4171f193febad64c1425c581e4b4812c71a2f71df75febe53c800d1 |
| SHA512 | 3edec5c463be6fb40b52866933a66d743cba15b521f584bfb2191a60a899840e3172fb2d458360945404453fe03540697861b518580ac25120381b315ad72a83 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 22:49
Reported
2024-11-08 22:51
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
94s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | C:\Users\Admin\AppData\Local\Temp\124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| N/A | N/A | C:\FilesFM\xoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesFM\\xoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxR2\\optidevloc.exe" | C:\Users\Admin\AppData\Local\Temp\124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesFM\xoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
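The persistence chain is the same in both detonations even though every name differs between the win7 and win10 runs: a copy is dropped into the per-user Startup folder, a Run value and a RunOnce value both named Parametr are pointed at executables in freshly created root-level directories (C:\SysDrvPC, C:\MintAR, C:\FilesFM, C:\GalaxR2), and the dropped files are then executed. A detection should key on that chain, not on the directory names. The NLS\Language key read is too common in benign processes to carry weight on its own and is not used. The following correlation is an added example, not part of this report or of the sample: it runs over constructed Sysmon-style events (Event IDs 1, 11 and 13 with simplified field names; the events, the SID, the rule names and the root-directory allowlist are all assumptions of the example). Registry value data is written with plain backslashes, as it is stored, rather than the doubled backslashes shown in the report's Indicator column. It also flags the `<digits>_<OS version>_<user>.ini` marker file that appears in both runs.

```python
"""Correlate endpoint telemetry for the drop -> Run key -> execute chain (added example)."""
import re

# Paths are lower-cased before matching, so the patterns are lower-case.
STARTUP_DIR_RE = re.compile(r"\\microsoft\\windows\\start menu\\programs\\startup\\[^\\]+$")
RUN_KEY_RE = re.compile(r"\\currentversion\\(run|runonce)\\[^\\]+$")
# A drive root plus exactly one directory component, e.g. c:\sysdrvpc\abodec.exe
ROOT_DIR_EXE_RE = re.compile(r"^[a-z]:\\([^\\]+)\\[^\\]+\.exe$")
# <digits>_<major>.<minor>_<user>.ini, the marker-file shape seen in both detonations
VERSIONED_INI_RE = re.compile(r"(^|\\)\d+_\d+\.\d+_[^\\_]+\.ini$")
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk")
# Root-level directories that legitimately hold Run-key targets (assumed allowlist);
# any other directory directly under the drive root is treated as suspicious.
STANDARD_ROOT_DIRS = {"windows", "program files", "program files (x86)", "programdata", "users"}


def _norm(path):
    return path.strip().strip('"').lower()


def correlate(events):
    """Return alerts for: Startup-folder drop, Run/RunOnce to a root-level directory,
    execution of a file the same run created, and the versioned .ini marker."""
    alerts = []
    dropped = {}  # normalised path -> pid of the process that created it
    for ev in events:
        if ev["id"] == 11:  # FileCreate
            target = _norm(ev["target"])
            dropped[target] = ev["pid"]
            if STARTUP_DIR_RE.search(target) and target.endswith(EXECUTABLE_EXT):
                alerts.append({"rule": "startup_folder_drop", "pid": ev["pid"], "evidence": ev["target"]})
            if VERSIONED_INI_RE.search(target):
                alerts.append({"rule": "versioned_ini_marker", "pid": ev["pid"], "evidence": ev["target"]})
        elif ev["id"] == 13:  # RegistryValueSet
            key, value = _norm(ev["target"]), _norm(ev.get("details", ""))
            m = ROOT_DIR_EXE_RE.match(value) if RUN_KEY_RE.search(key) else None
            if m and m.group(1) not in STANDARD_ROOT_DIRS:
                alerts.append({"rule": "run_key_to_root_level_dir", "pid": ev["pid"],
                               "evidence": f"{ev['target']} = {ev.get('details', '')}"})
        elif ev["id"] == 1:  # ProcessCreate
            image = _norm(ev["image"])
            if image in dropped:
                alerts.append({"rule": "dropped_exe_executed", "pid": ev["pid"],
                               "evidence": ev["image"], "dropped_by": dropped[image]})
    return alerts


# Constructed events modelled on the win7 run; the SID and pids are made up.
SID = r"\REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1000"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    {"id": 11, "pid": 100, "image": SAMPLE, "target": STARTUP + r"\sysdevdob.exe"},
    {"id": 11, "pid": 100, "image": SAMPLE, "target": r"C:\SysDrvPC\abodec.exe"},
    {"id": 11, "pid": 100, "image": SAMPLE, "target": r"C:\Users\Admin\253086396416_6.1_Admin.ini"},
    {"id": 13, "pid": 100, "image": SAMPLE,
     "target": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "details": r"C:\SysDrvPC\abodec.exe"},
    {"id": 13, "pid": 100, "image": SAMPLE,
     "target": SID + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "details": r"C:\MintAR\optiaec.exe"},
    {"id": 1, "pid": 200, "parent_pid": 100, "image": STARTUP + r"\sysdevdob.exe"},
    {"id": 1, "pid": 300, "parent_pid": 100, "image": r"C:\SysDrvPC\abodec.exe"},
    # Benign control: an installer registering an updater under Program Files (no alert).
    {"id": 13, "pid": 400, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r"C:\Program Files\Vendor\updater.exe"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Against the constructed events this yields six alerts, all for pid 100 and its two children, and nothing for the vendor installer. Each rule alone is noisy (installers do write Startup shortcuts, some software does live in a root-level directory); the chain of a drop, a Run value to that drop, and its execution from the same parent is what should raise severity. The Startup pattern also matches the all-users folder under ProgramData.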
Processes
| Path | Command line |
| C:\Users\Admin\AppData\Local\Temp\124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe | "C:\Users\Admin\AppData\Local\Temp\124240f84b44d907352ef68b32bcdbb4264c6208c09e972792bb3ac6a7209287N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe" |
| C:\FilesFM\xoptiloc.exe | C:\FilesFM\xoptiloc.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
| MD5 | 398e06f9791371ccbc0fe034d01151a9 |
| SHA1 | 37d2cbd5f4dbd2912f4184e8e85f0dca4200f8cd |
| SHA256 | f489960d1a8bdc395d0fcd9e45d08d7937bff45d4ad6093d289989578b9737d4 |
| SHA512 | 628259a2f2ed6d3d28d2834f15f87e81556794b8b4c66668e473e87b7ccee9d6ec42a0c2c1f851e6e8efcc3a4792698c4b0db2eeef069b2143f133fbdbe3c2c8 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 5f83c9a36fb55e3aa2dbcc29af38a6fd |
| SHA1 | 103d324d9a0c955c8104c07e36e84755f5779e79 |
| SHA256 | 55c2dcd34c37e97733cebf6f64c66144d0c742e82919df7e767ff9b7f039bfd4 |
| SHA512 | 3e7af3b99d3183d3ea3e6ac602bb8a825ffd3ad3b19c83d06a81a369eead3da3a6e19d34c581ae329c2e5e966d00ba65067d80e566476a4dada7929325cf5f8d |
C:\FilesFM\xoptiloc.exe
| MD5 | 074df255acae097444fd0641ed4ef9dc |
| SHA1 | 9b7520fe3ca7d60c5f12d91baac07253ae1eef01 |
| SHA256 | aa08c0196ad600e29a1646cb6bd2fe2b536d571cbf2af8b4112a9584e5ae03df |
| SHA512 | ad4c7024d4cc44f9eb5fee98c9c855c37244af527fb745c2e9120fe5efe1079a18ce4b803c2fb1e841ef34e4b2ffaf1bc149d1ee37bbc866fd915e08743b73d8 |
C:\GalaxR2\optidevloc.exe
| MD5 | 5e588cc1659d0a578210b4cdf8acf72b |
| SHA1 | faa539374973835f337e8f7b6cfa44eb231d88a9 |
| SHA256 | d8052904a7dd17cdf746c406793be222d2b1e2f945f8069262ac2e8d5d9a45fc |
| SHA512 | d457d07481f0815438faeb6a3ac7a9d84cc7e2a28ec9c2d276c530db3a60318172d4b32957a78a91238079415d6402a4057a9daa34a372e9ba31521d2835ff2a |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | a67decdebf38832d6d37da7a3b4cfd68 |
| SHA1 | 7f6040df4052efc31ce245a648ad7cca035674b4 |
| SHA256 | 33611e614dd81d9633026b7aab3b9aa91e38d389cf76af7aabcf4a4e5623cac6 |
| SHA512 | a4f424722fc5be55a60b42683202e7b95cc6a8d5039e0367a95804f29eb5955ddb94a4d490303e612af4ae5c5e93797e4d62f3ae354f297f28dd2a2f5e5b113d |
C:\GalaxR2\optidevloc.exe
| MD5 | dd8e9d15755d08e0dbe71e8e2751fe29 |
| SHA1 | 8a1ebfc97f0b12c9c855f5cd5a8a89cd1c276f82 |
| SHA256 | 1abc979f25679a214bceaf6b9de86590dca8b3ee3718eab43a0586d2755b30fd |
| SHA512 | 069ffe72e8c36b8f7e71d0c104ce99a6812016aeaefa1876375760ed64bc610ee9d544e6960d61d318c6194c80c8a988b429189fca46fd41c4e07e8a7f213a04 |
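Two things in the Files and Network tables are easy to misread. The same path appears twice with different digests (for example C:\Users\Admin\253086396416_6.1_Admin.ini in the win7 run), which means the file's content changed during the run, not that the report duplicated an entry. The Network rows are all reverse lookups sent to 8.8.8.8 over UDP, so the in-addr.arpa name must be reversed to recover the address that was queried; and because the table has no Process column, the page does not show whether the sample or background activity on the win10 image issued them, so the resolved addresses are pivots to check rather than confirmed C2. The parser below is an added example, not part of the report's tooling: it reads the page's own table layout, validates digest lengths, converts the PTR names back to IPv4, and lists paths recorded with more than one SHA256. The embedded excerpt is copied from this page and abbreviated to MD5 and SHA256 rows; a full dump of the page parses the same way.

```python
"""Parse this report's Files and Network tables into pivotable IOCs (added example)."""
import re

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|\\)")                 # C:\... or \Users\...
HASH_ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|\s*$")
TABLE_ROW_RE = re.compile(r"^\|(.*)\|\s*$")
PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.IGNORECASE)


def ptr_to_ipv4(name):
    """Turn a reverse-lookup name back into the IPv4 address that was queried, or None."""
    m = PTR_RE.match(name.strip())
    if not m:
        return None
    octets = [int(o) for o in m.groups()]
    if any(o > 255 for o in octets):
        return None
    return ".".join(str(o) for o in reversed(octets))


def parse_report(text):
    """Return {'files': [{'path', 'hashes'}], 'network': [{'country', 'destination',
    'domain', 'proto', 'ip'}]} from the report's plain-text table layout."""
    files, network, section, current = [], [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Files", "Network"):
            section, current = line, None
            continue
        if section == "Files":
            if PATH_RE.match(line):
                current = {"path": line, "hashes": {}}
                files.append(current)
                continue
            m = HASH_ROW_RE.match(line)
            if m and current is not None:
                alg, digest = m.group(1).lower(), m.group(2).lower()
                if len(digest) != HASH_LEN[alg]:  # catches truncated or mangled digests
                    raise ValueError(f"{alg} digest of wrong length for {current['path']}: {digest}")
                current["hashes"][alg] = digest
        elif section == "Network":
            m = TABLE_ROW_RE.match(line)
            if not m:
                continue
            cells = [c.strip() for c in m.group(1).split("|")]
            if len(cells) != 4 or cells[0] == "Country":  # skip the header row
                continue
            country, destination, domain, proto = cells
            network.append({"country": country, "destination": destination, "domain": domain,
                            "proto": proto, "ip": ptr_to_ipv4(domain)})
    return {"files": files, "network": network}


def rewritten_paths(files):
    """Paths listed more than once with different SHA256s: content changed during the run."""
    seen = {}
    for f in files:
        sha = f["hashes"].get("sha256")
        if sha and sha not in seen.setdefault(f["path"], []):
            seen[f["path"]].append(sha)
    return {path: shas for path, shas in seen.items() if len(shas) > 1}


# Excerpt of this page's own tables (abbreviated to MD5/SHA256 rows).
REPORT_EXCERPT = r"""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
Files
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 8ec0023952d03d5154e5a19790f640dc |
| SHA256 | caa16f9d3175e45b6081e2f2e819a365cf01738eeb67b8865d58e16df9a2cc97 |
C:\MintAR\optiaec.exe
| MD5 | 192b751a0d7753e6e15f764f6cd9ff9a |
| SHA256 | 9926f46aa9316c4a6ec2d22be5ef0b4f28ba42b5867f8bdfb682a8d1131a5296 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 24149af154da5fcdf391c93ce3337c57 |
| SHA256 | 1aefd425d284d642d4b1eb4b26908dec77e5b9a53be05895265d25a908d92970 |
"""

if __name__ == "__main__":
    report = parse_report(REPORT_EXCERPT)
    for q in report["network"]:
        print(q["domain"], "->", q["ip"])
    for path, shas in rewritten_paths(report["files"]).items():
        print(path, "written with", len(shas), "different SHA256s")
```

For the two Network rows in the excerpt this recovers 40.119.249.228 and 2.23.210.83; the Files section yields three records, of which the .ini path is reported as rewritten with two distinct SHA256s. The length check matters when hashes are copied out of a report by hand: a digest of the wrong length is a transcription error, and silently using it would produce an IOC that never matches.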