Analysis Overview
SHA256: f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300
Threat Level: Shows suspicious behavior
The file f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300N was classified as: Shows suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Loads dropped DLL
Drops startup file
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-08 12:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-08 12:17
Reported: 2024-11-08 12:20
Platform: win10v2004-20241007-en
Max time kernel: 119s
Max time network: 95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\UserDotGQ\aoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotGQ\\aoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint46\\optixec.exe" | C:\Users\Admin\AppData\Local\Temp\f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotGQ\aoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300N.exe | "C:\Users\Admin\AppData\Local\Temp\f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe" |
| C:\UserDotGQ\aoptisys.exe | C:\UserDotGQ\aoptisys.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
| MD5 | 2093bdb63980e1eabe37449742a3ca79 |
| SHA1 | 16ad7badcceb82a716c082dad3f5a4c96cac6d27 |
| SHA256 | 0e095891b72979d732b2fc815dee3e09d6d591915773d53b342aabc975211fbd |
| SHA512 | de32271dba15fe69d7b6a733e59178aa8e57d04300cd74eeedb8c101c4370693ec2c0c019d3055f7875c37eb7cda20660d33731bc1f04493e8dfd2e73a086155 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 25cfb747d46960eb807349597769a625 |
| SHA1 | e3dbcdb9f461443a5b2c82904d821ce9793ebf4a |
| SHA256 | 258e3d58d164517e613022ad45ff0c6b14ccba3739f39be1956b5893da7ea209 |
| SHA512 | 842240295b0cd69ec84df5999fe8fe9050c8a83cbb7f774eb0b1187a145d87efd75de0058217a6173b8600f62f67cc3c019450749053ccbf8f41efd98fe6227c |
C:\UserDotGQ\aoptisys.exe
| MD5 | dbdec9b8130fa7e62301ff785b30176e |
| SHA1 | 28b649ae1dac701a57b12e25341c7d6e48d3fc90 |
| SHA256 | 03e33497f1dac91bc7ad0c9862073256d677aca47beca745179311b2c7fa050c |
| SHA512 | 007596c3ba13d009e40379ebb5fc2bcef75debb6d7360d1342bdf650dc9a8e8e96467b7065b147ef510afb046e5c3f2e839b6bdc0400fe1005304f5a1238092b |
C:\UserDotGQ\aoptisys.exe
| MD5 | b10c8d38ee3734ca2d0a484fbfeaf595 |
| SHA1 | 95cddfd8090042448d5ffb15d179d0eed8a69ce4 |
| SHA256 | 087fd3eda96f434466d0348ee657cf89f8d3563c2483ca73c867fa23549399c0 |
| SHA512 | 1f194e2086757502c2bd13bd50054de3f2c803f83c4219afe72b407319d8170d68a17e2b9870c88c114fe9fde977f4d8682edad61757500b88c9aab3726b4a73 |
C:\Mint46\optixec.exe
| MD5 | 4e3f0403281081be22e935b61607e38a |
| SHA1 | 8a353b0fd989513c50be92552a084e2b464cde55 |
| SHA256 | a2d5837eccdc818c27f27ea24182bd347934612294d034840411da38b39f857c |
| SHA512 | 56e64b0abe8de2cdaf46de63e20bb49330fe6df252496e15f2157795f67067eb6a5f7f5dfc0d9c65f7ef3db170f0cc5e09b78fdd2522d84b05e57bfb83b52471 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 88a2edb7069f99a3d17dd0fb363b8ad5 |
| SHA1 | 16eb5c516c1eeb8e86d2a7e1348cab64ba0a574b |
| SHA256 | 8f6047773cd259ff6068458c3d4a4c38cd671dcda656ca687f42e4358400e35e |
| SHA512 | 025d405260564bc2a8d086051cc1921a57ca8ca203b687e6dcbe774843fc58299efa323d38b200b9f80220fb063a98bae8e6af4da952785c5c1a044378488877 |
C:\Mint46\optixec.exe
| MD5 | 9f4b14bf6e2e5746f36526d2b13885d8 |
| SHA1 | fb90e42b45fcc872cf77ba1c9fb7cc5cdb6a4616 |
| SHA256 | 23146081297e9dbf693d84d4660d2e2561aed7fd0ca130467cea16954d6599d2 |
| SHA512 | 34b96c016b09e34187437adbd3ee80a619fef5cf69cefe32295d1ae344f453a75732070cbd57299e42a9184b7402c78b5eb9d18bdb77cc17edf9904587518b9f |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-08 12:17
Reported: 2024-11-08 12:20
Platform: win7-20240903-en
Max time kernel: 119s
Max time network: 16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | C:\Users\Admin\AppData\Local\Temp\f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| N/A | N/A | C:\UserDotRG\devbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotRG\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidSJ\\optidevec.exe" | C:\Users\Admin\AppData\Local\Temp\f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotRG\devbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300N.exe | "C:\Users\Admin\AppData\Local\Temp\f997df7ac1649bd34a1c87873bc68a10a9ed6a9fffa92cca8320faca2c98c300N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe" |
| C:\UserDotRG\devbodloc.exe | C:\UserDotRG\devbodloc.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
| MD5 | 4f713cf3e5e2f9948819b223fef7f2c3 |
| SHA1 | 9c78f2f07d7ce6772e9a1a0fdd5375e9d7c6fdef |
| SHA256 | 7de7725dd1e5a02ca5cfdfda45e4975dceea14cf129008a3cba2de7dee43a799 |
| SHA512 | 24abf01f633eb02e7f4587263d23461b9ec637bbc3632f6992389bef0ed9aef1fd28413f475f432bed72d625051a932a9d03468144a2489315797e200adb61b3 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | b6df78d53bf5f072b4016cb6debcd339 |
| SHA1 | 856d69f7aae3fcc730f851c5ad458dbc3efbe69b |
| SHA256 | 107e354383e4fc2bbe6f232ff795616b93061c286bf309d51ecd4aa4768e3ccf |
| SHA512 | ef1e9cff07414e3bbf033e49499b2902b4b422a07f2ff8a26ae4a86c214ba1a61f42954cc34e15d6e1bee56dfdc79bdac0d01be3a6ae353bae47726f02b57272 |
C:\UserDotRG\devbodloc.exe
| MD5 | 789e2dfc4f795e4eb44baaaa0a95e88c |
| SHA1 | eb004f5c155a09091f2862768dcc6020d1c80ec4 |
| SHA256 | 27724abcd44193f7de37a980fc271905c86e8cf1f6a22f93e569adf74a79384e |
| SHA512 | 576d7d1be66f32ab03b096dc56ddd50ca11cf434d7f398c98f2cc0724c80576a5c289ea4756cc65f432f05820f0fdeec747262dca2bd0fc659c9bdbb7892d82c |
C:\VidSJ\optidevec.exe
| MD5 | 45f3a6dc655258fd56bd4d48e0cbf22d |
| SHA1 | ba2690c3561adb860b577f4708a7204ee84a2179 |
| SHA256 | c9c7302696f21ef2ed7b16f2bec909bd99b0472c771a1b25f393f21c38e04bf1 |
| SHA512 | 8abc6ad72fe21c8f522c8170f0ae44f0cc2b12174340eaa72793ae204e48ebdea72c5c1b2716b0442ea7b947b1c0ca2f86552aa1da9e90e17b8f0c4b5e21b44b |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 7fd491ac5722e37348858752b02bfc64 |
| SHA1 | 3052abd184ad5633e9806fb383ad8a76973d064a |
| SHA256 | b3034e6ad0b5ef770eac122ab7388c1c88cefe8f102d316372ad2c9bb92da6c9 |
| SHA512 | c7652b0d6121ce843e77182c771e85722be4e91de8a968113ffdbca27bbf6466867c327a4f2dfa27a6f0814814d252e255313dcc53915b2739e2dad81b16e55c |
C:\VidSJ\optidevec.exe
| MD5 | 8b9ae61de40b44909197d901145727e2 |
| SHA1 | 49d4b1c0c0814322a45047603f0f3d6b63d27110 |
| SHA256 | 63c754cd29e2cc2c925cdcc221e7b340259e271ef52f2563eb322e066078002e |
| SHA512 | b9fa83ca0a358d065fcda0e0c31ba46583bc9409bd9a63f57871835c0237d3c75bce3fe030de1de5ef28388d245cd1f1c47d6f1a608dab6fa078633e9ddb9723 |