Analysis Overview
SHA256
9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0a
Threat Level: Shows suspicious behavior
The file 9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 22:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 22:56
Reported
2024-11-08 22:58
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| N/A | N/A | C:\IntelprocPJ\aoptiloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocPJ\\aoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZVO\\optidevec.exe" | C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocPJ\aoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe
"C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
C:\IntelprocPJ\aoptiloc.exe
C:\IntelprocPJ\aoptiloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
| MD5 | 7d3a2be3e79342359eee08f91e3ff343 |
| SHA1 | 1f9cc926d59351d1e9bcb618e2e08860167abc76 |
| SHA256 | f37cc54d6e4d8994cdef37954626c7d09712b98c6ca2bca73384a27fcccb9c89 |
| SHA512 | 4c66240460bf9f0d93a00dc68ce83bb012ffd65ce9102f7694d38dcb7f5a62c0f3cf2e8976cdd7200106e9334c22c546526a3fa4bdce5b9c76da7b20af4bb788 |
C:\IntelprocPJ\aoptiloc.exe
| MD5 | 801beee79e3724b97b2abb5d6dea1a7c |
| SHA1 | c6e5946b6d43578793637a6dc672bb3ab7b75663 |
| SHA256 | cc0c637ee6fb39b58c55d6b5f902404de554716da89692abae4753740f03c3be |
| SHA512 | 68e94ed3902d4b67e0155aa63c1ae98fa43f5beaeaaee15c264df11920655431bee63fbbb944d508066ddf4adea841b56ffe48b126d7cb9db2e003951e0a8266 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 562e6815f8f52c39e8a05c4651bd7117 |
| SHA1 | d0c35e9cf5aaf60b539fcb4f6430f12e13bd52db |
| SHA256 | ef4d728e571cc96f7e58a2ae6dcc918d7d79d2a40fbdd7e2d57a283a640ce075 |
| SHA512 | 5a22b9fa0754e83cbac748a7e13085b8ead11131ae17c890b50c973326409eca9998cdd5fc31063cbf34a45858a453764da2c93a7311a1951cf6a74b0e6c6366 |
C:\LabZVO\optidevec.exe
| MD5 | 01b1255701d529b787dbbd24fbefa25d |
| SHA1 | 4aa15aced1bf4e9b5a75f77c4680a6b8b7f53d0a |
| SHA256 | e29118e858b820a30ffd55d3419c6d175b04d87ccf38cc0f74d155331a4fdca6 |
| SHA512 | 3a965796d8d0419f0dae1dd47af96d76b0c47a80b7c6a6490701f06bac63abbf2b6ec7cd17cb19f30e163eb513bec0103202f72b45e5ba8e7ea3d09628ce8c0f |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 60f946a8ff82c9507ddba9db39450ac6 |
| SHA1 | d87a24b58b504ebfe48bcac8232bfa527df4ed67 |
| SHA256 | f9f61ee0f97f271d6969213531810b42e2d786d04fc027c987c020367033e46a |
| SHA512 | 71ffe46aae665ca596433d7fdf32627eedfaf191041436c6db8c21be9502500c29d67f78262cf0b2f0f21a15dafd6c953eadf632457d348a1c2ddf57e2cf7a9d |
C:\LabZVO\optidevec.exe
| MD5 | 63a0ef76826092fea4e01baf01c034cd |
| SHA1 | 7928773c93e5415d90fd843aab4e88e2aac63b3e |
| SHA256 | 352b43cb6571752f0384b3ed426685390fdd95e60df6c0b18aa1f88a8218eb8a |
| SHA512 | b2733d1ed6b87c98dfef20ace52c15ca20dff53f02d54fd5a6c2b737b9466b7558f984a590f2e4ec2e2d30c0096bb1b2173787d969cc3ab54f96f3428c03fb0c |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 22:56
Reported
2024-11-08 22:58
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
99s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| N/A | N/A | C:\IntelprocP8\devoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocP8\\devoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidXX\\optidevloc.exe" | C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocP8\devoptisys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe
"C:\Users\Admin\AppData\Local\Temp\9a38f84baf0934882be057f989c6df5d6371da4d79af07f17dc622485f076b0aN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
C:\IntelprocP8\devoptisys.exe
C:\IntelprocP8\devoptisys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
| MD5 | d9355b932a2f3111c0a844777417eda4 |
| SHA1 | 35dc36a0a4368e52d47d1d0f6cf6aa0654fc3a42 |
| SHA256 | a8370d80f6adc6132d4323af460a2939819e25c70f0ed75028c647a3803c9be0 |
| SHA512 | 8e9c5ee9f143abc570b1008e0edb62ffc357ce61c58116614a3bac3d485fe5c33e3d0365b28ed938caef29d76bfa205bb920f2d4c6cefd0d8b721511ec9bfbe6 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | fcaea7b76b0e21bf60930b4909c0f057 |
| SHA1 | 9445e986c1c73656279bba0e4cb22c35f1724243 |
| SHA256 | b2b72fb66b9952d800fa3cfcb0d34219d17396a8d32398a0c1f00e5d40a12472 |
| SHA512 | 617abd0b56acf5605c0382306d2c8ef34e7f9e18cdf19a77f9b03e59eb918f3dbf62307856d7a95f8b65797c5934d1b23855ef3b352c2c03bf6f50594da9171d |
C:\IntelprocP8\devoptisys.exe
| MD5 | 0a6404cc3bbf2135abcfcc84ea75ae6f |
| SHA1 | dd2774bedaa068ae4ba628c84c16d08063047bfa |
| SHA256 | f4fb96614be3ff20169ea1700f2d1a9ee42643b7405fefb3fd6cb9e919b50a46 |
| SHA512 | a536c2c7f7c108b6f224324dcf6cc2e13a80eaa6759b3f15e6b1e8588fadf1ae1dea2b836acc9c3b3a1acbc8b775a837fc45f6415530e93f328df0869409f345 |
C:\IntelprocP8\devoptisys.exe
| MD5 | a04b09f03eff3192c60700c54901ec0b |
| SHA1 | 6c3399d1da12a0312dc05fe95390d8761acb78cb |
| SHA256 | b660ce4aeb3336d9309c3b4561615cc954b342a7cf427aceb6472c39760100a6 |
| SHA512 | d7c6f1b954fdcf1f867824d8e98aa30b39595ebd6ce75048220d0ec9a306feca7a4a0f6eb0f0befb7d4f8947ae1c6599316cbd02ce85773446d31287266f08ea |
C:\VidXX\optidevloc.exe
| MD5 | 55e5583b4ab728b17c5b3939ee6edcea |
| SHA1 | 72522072be08beb75fb78497b1a8cb28a12a5f14 |
| SHA256 | bd991b1100364fe54837dadf697935678b2d3f8ab6a68f900f333d2b9b9b2425 |
| SHA512 | 2777032158ecfb8d3ed613b16505564a3ca37c0ce7eb7d2c51651345b4de8c5e2bdbfe99d8a4198cf689200047e9891c67fef952c70b32977fd9753df00eb782 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 785c54c5d24eb900c7fbabfd93ac2250 |
| SHA1 | 1af2ae20cadfa75423c0142ede5c327cd2e5c268 |
| SHA256 | 0aad6d062df8cab5131fb9b7c21f629114de9109b67753ae829c96ad519a487d |
| SHA512 | c4e45ac62fe63cbfb14af8bb1ac12657ae54817d7fed4c3444517f82d8391fb33bd07059f2c7250c5cebd7ae5abeccf389fae50a8a5860a3078f6fdaa41c40bc |
C:\VidXX\optidevloc.exe
| MD5 | fcd715620aebe94a77fca5e29bd4db67 |
| SHA1 | 02d5ef7053de1e626a8c44b81e41a097ac06b13e |
| SHA256 | 898fa0b796d2f6c4486990a74f22e56a29ab436ec6e7b0702310b3090ee36c74 |
| SHA512 | 9ddd12107b0c0594279aa0270542a7c61f7debd48125934c3df9bb178d0b00c92497b1750f65474ab049b7cfc70895d48d2da674195fe4ea68a7f07b7562ca97 |