Analysis Overview
SHA256: e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0
Threat Level: Shows suspicious behavior
The file e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N was classified as showing suspicious behavior; the report names no malware family.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 12:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 12:19
Reported
2024-11-08 12:21
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\FilesFA\adobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesFA\\adobec.exe" | C:\Users\Admin\AppData\Local\Temp\e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBFC\\optidevloc.exe" | C:\Users\Admin\AppData\Local\Temp\e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesFA\adobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe | "C:\Users\Admin\AppData\Local\Temp\e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe" |
| C:\FilesFA\adobec.exe | C:\FilesFA\adobec.exe |
Network
No traffic was recorded within the 16 s network window of this run.
Files (a path listed more than once was written more than once during the run; each entry gives the hashes of one version)
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
| MD5 | 5f910f81543631aaa34176a845d6e05c |
| SHA1 | 326e311bebe86d878ca7d6f1e773bba52b6c1a86 |
| SHA256 | 60142e28861dc585d0d2a5ab70b7807fdd2ffcc4f787bd8b9ceb7495da271455 |
| SHA512 | bb9c31afceeb09a02db361a62b9cb186c4f6c005b09cd117894bdfa442ce12fed34291070d42307bfbf321e34054b6307a5452d2230cba2404365813015ec6d9 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 14b3992cce671a73a0c560447b8636b4 |
| SHA1 | 207c7f5c315337c8dd9db6154477eaced7b2564c |
| SHA256 | e4bf3376ba33103fb3f10104a14023c82845de5c99c7b2c50b88e3536e343fab |
| SHA512 | 55d50a7438cf71f9d73a342834a9d7f0d5a5c2b1101085f53cd7db91ad5c8fe9d8f777b823624d5ec810213ab805e36f41d81dc8b26de80c58e58827d30ad521 |
C:\FilesFA\adobec.exe
| MD5 | b653131fedf698436e569718ef262593 |
| SHA1 | c2c02d060d088dc4182e9e584d544623f4a278f2 |
| SHA256 | a565b9954b25da2bfc627323e6e73ff18b98f58ccee59a6f1b8c937c7bf36281 |
| SHA512 | e759765f550aa75dbf7a0513e6fd3fbb5c69e8bb83ed269a5cecc744d654ad3b785058a72a5190bae6bd254378847b42438ed0977c7e9d92a51259de6d4a57d4 |
C:\KaVBFC\optidevloc.exe
| MD5 | 7ad0bed9a1fc387b319abf0219aa4657 |
| SHA1 | d95b00034d89b1143157f286c4ea7f4e56f77e0f |
| SHA256 | e871ef45e9a99bec4827519709907edcd776c4159da9906e6e706b184da0da60 |
| SHA512 | a44152864dca94e6362370d8ff2d89d855d734cc5686a17f64f1504cf1bdbe9a38fe42997e87a9bdee5946d626c995680bdef6d2c0b98bef356406532e3798cb |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 6c033df2c2703423e81821e17ff1c4b4 |
| SHA1 | 3aac19f2e69c81cf1f53bb7981acc8d553ca116d |
| SHA256 | 87fbabe400e7c0e41a61c55ad0b366ac5547501f176453ef33ca3646c80a6821 |
| SHA512 | 2ab50b8dfc85efc5c50d0654becd0c153d3ecdc645c216f9d9535e65310cafd711e9d95a3a0cac3a4d6a0ef38634e3d62b70a7d9a9d47d82fd06df121c1af56b |
C:\KaVBFC\optidevloc.exe
| MD5 | 7d75799469f8abc715fd891a9a7fb06d |
| SHA1 | eab6f28766adcd1b29418d5fa68262505fcd3dd1 |
| SHA256 | 730fc6b5bdd0b94d23ec69c89a27a7f01a8bce61853a009577b8bb5fb3edd1d0 |
| SHA512 | de807ae60b22e9dac1161dff74fba02963be1ba65d0fb7939039bbac13de7f8e9a2956d3e3cb917664f2c4bda53d8697634fe27f87a1870e7ce7b03c2ed51c4b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 12:19
Reported
2024-11-08 12:21
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\Intelproc2Z\aoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc2Z\\aoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxJE\\optidevloc.exe" | C:\Users\Admin\AppData\Local\Temp\e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Intelproc2Z\aoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
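Detection logic for the persistence chain recorded in both runs: an EXE dropped into the per-user Startup folder, a value named Parametr written under both Run and RunOnce pointing at executables in freshly created top-level directories, and the dropped file then executing. This is an added example, not tooling from the sandbox or from the report. The Sysmon-style event records (EventID 11 FileCreate, 13 RegistryEvent SetValue, 1 ProcessCreate) are constructed to mirror the behavioral2 table entries above; the parent-process relationships and the benign control event are assumptions, since the report lists processes but not their parents, and the rule names are my own.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events mirroring the behavioral2 (Windows 10) tables:
# EventID 11 = FileCreate, 13 = RegistryEvent SetValue, 1 = ProcessCreate.
# Parent/child relations are assumed; the report lists processes, not parents.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe"
STARTUP_EXE = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
RUN_BASE = r"\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion"

EVENTS = [
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": STARTUP_EXE},
    {"EventID": 13, "Image": SAMPLE, "EventType": "SetValue",
     "TargetObject": RUN_BASE + r"\Run\Parametr", "Details": r"C:\Intelproc2Z\aoptiec.exe"},
    {"EventID": 13, "Image": SAMPLE, "EventType": "SetValue",
     "TargetObject": RUN_BASE + r"\RunOnce\Parametr", "Details": r"C:\GalaxJE\optidevloc.exe"},
    {"EventID": 1, "Image": STARTUP_EXE, "ParentImage": SAMPLE},
    {"EventID": 1, "Image": r"C:\Intelproc2Z\aoptiec.exe", "ParentImage": SAMPLE},
    # Benign control (constructed): an installer registering an updater from Program Files.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe", "EventType": "SetValue",
     "TargetObject": RUN_BASE + r"\Run\VendorUpdate",
     "Details": r'"C:\Program Files\Vendor\updater.exe" /silent'},
]

# An .exe created directly in a user's Startup folder.
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
# Run / RunOnce value writes, in Sysmon (HKU\...) or native (\REGISTRY\USER\...) form.
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.I)
# Autorun targets under these roots are treated as lower risk (a coarse filter).
TRUSTED_DIR = re.compile(r'^"?[A-Z]:\\(Program Files( \(x86\))?|Windows)\\', re.I)


def check_event(ev):
    """Yield (rule, detail) pairs for one event; yields nothing for benign events."""
    eid = ev["EventID"]
    if eid == 11 and STARTUP_DIR.search(ev["TargetFilename"]):
        yield "startup_folder_drop", ev["TargetFilename"]
    elif eid == 13 and ev.get("EventType") == "SetValue":
        m = RUN_KEY.search(ev["TargetObject"])
        if m:
            key, name, target = m.group(1), m.group(2), ev["Details"]
            if not TRUSTED_DIR.match(target):
                yield "autorun_untrusted_path", f"{key}\\{name} -> {target}"
            if name.lower() == "parametr":  # value name reused by both runs in this report
                yield "autorun_value_parametr", f"{key}\\{name}"
    elif eid == 1 and STARTUP_DIR.search(ev["Image"]):
        yield "exec_from_startup_folder", ev["Image"]


def analyze(events):
    """Run the per-event rules, then correlate by writing process.

    Returns (findings, chains): findings is a list of (rule, image, detail);
    chains maps each image that both dropped a Startup-folder EXE and wrote an
    untrusted autorun value (the report's persistence chain) to its rule set."""
    findings = []
    by_image = defaultdict(set)
    for ev in events:
        for rule, detail in check_event(ev):
            findings.append((rule, ev["Image"], detail))
            by_image[ev["Image"]].add(rule)
    chains = {img: rules for img, rules in by_image.items()
              if {"startup_folder_drop", "autorun_untrusted_path"} <= rules}
    return findings, chains


if __name__ == "__main__":
    findings, chains = analyze(EVENTS)
    for rule, image, detail in findings:
        print(f"{rule:26} {image}  {detail}")
    for image, rules in chains.items():
        print("persistence chain:", image, sorted(rules))
```

The Parametr value name and the locadob.exe Startup-folder name are the indicators that stayed constant between the Windows 7 and Windows 10 detonations, so they anchor the rules; the Program Files / Windows exclusion is only there to keep the benign control quiet and will miss an autorun planted under those roots.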
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe | "C:\Users\Admin\AppData\Local\Temp\e243d2b57c05e1299aaebadc9b994774e4ae3391a3d2fcc1833abb9a02ee44a0N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe" |
| C:\Intelproc2Z\aoptiec.exe | C:\Intelproc2Z\aoptiec.exe |
Network
All recorded traffic consists of PTR (reverse-DNS) queries to the Google resolver 8.8.8.8 within the 96 s network window; the Domain column is the queried name, and the capture holds no other connections. The report does not tie these lookups to a specific process, so on their own they are not evidence of command-and-control traffic.
| Country | Destination (resolver) | Domain (PTR query) | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files (a path listed more than once was written more than once during the run; each entry gives the hashes of one version)
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
| MD5 | 88e648aef0a644247b041f89c2754374 |
| SHA1 | 6a66a05254da8f26f970f02fa9cc28e801bd6db6 |
| SHA256 | e5bea9350a45d925fc052ce242ec99b3618ab9ccd94837e14479ad3e5b5150f3 |
| SHA512 | 98e8f11a0587769528e3c7c19b189abf1df791a0129a5370b0d7e02f907f923e7b4a93955386407a94206b01abebfed98cde50a5ba5cf22327c06f6ce06883a8 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | fb18e10677757cfec726dcd50fca0b7b |
| SHA1 | 57db6dbbb8b301cfcbb3dabde00cdbd712c9cfdc |
| SHA256 | f40cf2863cf84089b7f24c9f051357b0b2422919681ceabf9c5144852f8f324e |
| SHA512 | 20cb48379c46c5a0b100879d086aa4848d9be56e77edd5cfb9cee5d47f5ca02760b0ef8e581e838a295ffea4f066efee5c31bbccafe6de1ad5b881cd216440f2 |
C:\Intelproc2Z\aoptiec.exe
| MD5 | 9aa3749c11ef5ec937dfa42eece2095c |
| SHA1 | 9b1994a1868c38074d6ce93308636a92010cce57 |
| SHA256 | 9b074c3060987b06582871d411d590880c5e4ece1d85e4e1d6f09ecf518f5437 |
| SHA512 | 104c388cb75eae34c2b97cccfb52bc8df9e56564bb416f337f0e10937e8f6ed95887bab228c49afa36d36103c20bc9c6d50fc4ab1e982bd7dda3e3695de22ba2 |
C:\Intelproc2Z\aoptiec.exe
| MD5 | d9b82342813ad0fa46f6f70e98003171 |
| SHA1 | c38a784af0304782a69472e721f6bdf29f317d05 |
| SHA256 | 73fa832e8b81b53f87f817177b7277b7a01416595e516b5525c633b12fc50331 |
| SHA512 | 0a77f2d644d2ed3c6295fe4d8e75e2f1f5f4b02baab6c155299fc5250da62bc09c1519169c61da1c9b21f82fadf15b0d188e1e75c3e9cd71eeacbe29fea668b9 |
C:\GalaxJE\optidevloc.exe
| MD5 | 7619384106c3bab7e821ffae7a2f3ab9 |
| SHA1 | 82b6462943e3100fd1ad800cc93f6464f2f8490f |
| SHA256 | aa4a7c091a2d71b5189620b2c6e05496a83eb5444ff0bc7bf76606b642ba2d27 |
| SHA512 | add612e18b4f53f08111f6c89ca39057bea443cdf824d21f17719ac0ee8d802ecbcb0aaffffe912e465cb72a7300e855ed85ce77b4928691830a0e606630e001 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | c28b5f716c8ad869d911f033d89401a6 |
| SHA1 | 8755a032304e551a0651be3bb0bdaa3aaac668d6 |
| SHA256 | 0ef690e404fc0ec2f8ebedb493449fe7995c2d5cc1facf9284a0a6188fb301e6 |
| SHA512 | 82ac0db07a3f12558a1b4bd3166daf0fbd9d227c37758b3af25c00283d2cd4e77c66df1e91d38287d53a8084fb4546fadc3f1e9411aeaf909867710743e27b6f |
C:\GalaxJE\optidevloc.exe
| MD5 | 31f4895eae836e59010d28eeffd0cf81 |
| SHA1 | 6d9ff9510bc9e16b1dd7b0ed5cb61969c7b4392e |
| SHA256 | a2a4a2a7e3a06918ab15539efed68ffb0eae64c57e326183dc396fd4c7458ee3 |
| SHA512 | 6eb1e8f4e3c520b752c973044f126b76119f3150df4aaae5c433cac1832b2dc63febf90b67f6c4752a3188d53413c90cded52332f44d6412ec1a3ff34da6d221 |
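IOC handling for the two detonations, covering the Files tables of both runs and the behavioral2 Network table. This is an added example and not output of the sandbox: the paths, SHA256 values and PTR names are copied from the tables above, and the comparison logic and function names are my own. It shows that no dropped file shares a hash between the Windows 7 and Windows 10 runs, that several paths are rewritten with different content within a single run, so hash-only indicators for the dropped files will not match a third infection, and that the stable indicators are the file names themselves (the *_Admin.ini name differs only in an OS-version field, 6.1 for Windows 7 and 10.0 for Windows 10, and the sandbox user name). It also decodes the PTR queries back to the IPv4 addresses they ask about.

```python
import ipaddress
import re
from collections import defaultdict

STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# (path, SHA256) for every entry in the Files tables of the two runs, in report order.
FILES_WIN7 = [
    (STARTUP + r"\locadob.exe", "60142e28861dc585d0d2a5ab70b7807fdd2ffcc4f787bd8b9ceb7495da271455"),
    (r"C:\Users\Admin\253086396416_6.1_Admin.ini", "e4bf3376ba33103fb3f10104a14023c82845de5c99c7b2c50b88e3536e343fab"),
    (r"C:\FilesFA\adobec.exe", "a565b9954b25da2bfc627323e6e73ff18b98f58ccee59a6f1b8c937c7bf36281"),
    (r"C:\KaVBFC\optidevloc.exe", "e871ef45e9a99bec4827519709907edcd776c4159da9906e6e706b184da0da60"),
    (r"C:\Users\Admin\253086396416_6.1_Admin.ini", "87fbabe400e7c0e41a61c55ad0b366ac5547501f176453ef33ca3646c80a6821"),
    (r"C:\KaVBFC\optidevloc.exe", "730fc6b5bdd0b94d23ec69c89a27a7f01a8bce61853a009577b8bb5fb3edd1d0"),
]
FILES_WIN10 = [
    (STARTUP + r"\locadob.exe", "e5bea9350a45d925fc052ce242ec99b3618ab9ccd94837e14479ad3e5b5150f3"),
    (r"C:\Users\Admin\253086396416_10.0_Admin.ini", "f40cf2863cf84089b7f24c9f051357b0b2422919681ceabf9c5144852f8f324e"),
    (r"C:\Intelproc2Z\aoptiec.exe", "9b074c3060987b06582871d411d590880c5e4ece1d85e4e1d6f09ecf518f5437"),
    (r"C:\Intelproc2Z\aoptiec.exe", "73fa832e8b81b53f87f817177b7277b7a01416595e516b5525c633b12fc50331"),
    (r"C:\GalaxJE\optidevloc.exe", "aa4a7c091a2d71b5189620b2c6e05496a83eb5444ff0bc7bf76606b642ba2d27"),
    (r"C:\Users\Admin\253086396416_10.0_Admin.ini", "0ef690e404fc0ec2f8ebedb493449fe7995c2d5cc1facf9284a0a6188fb301e6"),
    (r"C:\GalaxJE\optidevloc.exe", "a2a4a2a7e3a06918ab15539efed68ffb0eae64c57e326183dc396fd4c7458ee3"),
]
# Domain column of the behavioral2 Network table.
PTR_QUERIES = [
    "241.150.49.20.in-addr.arpa", "136.32.126.40.in-addr.arpa", "95.221.229.192.in-addr.arpa",
    "228.249.119.40.in-addr.arpa", "200.163.202.172.in-addr.arpa", "241.42.69.40.in-addr.arpa",
    "98.117.19.2.in-addr.arpa", "67.208.201.84.in-addr.arpa", "31.243.111.52.in-addr.arpa",
]

# <number>_<osversion>_<user>.ini, e.g. 253086396416_6.1_Admin.ini
INI_NAME = re.compile(r"^(\d+)_(\d+\.\d+)_([^_\\]+)\.ini$")


def hashes_by_path(entries):
    """Map each path to the set of distinct SHA256 values written to it."""
    out = defaultdict(set)
    for path, sha256 in entries:
        out[path].add(sha256)
    return out


def shared_hashes(run_a, run_b):
    """SHA256 values that appear in both runs (empty here: every drop is unique)."""
    return {h for _, h in run_a} & {h for _, h in run_b}


def rewritten_paths(entries):
    """Paths that received more than one distinct content within a single run."""
    return {p for p, hs in hashes_by_path(entries).items() if len(hs) > 1}


def normalized_name(path):
    """Basename with the OS-version field of the *_Admin.ini name abstracted,
    so the Windows 7 (6.1) and Windows 10 (10.0) variants compare equal."""
    name = path.rsplit("\\", 1)[-1]
    m = INI_NAME.match(name)
    return f"{m.group(1)}_<osver>_{m.group(3)}.ini" if m else name


def stable_names(*runs):
    """File names seen in every run: the indicators worth keeping when hashes are not."""
    return set.intersection(*[{normalized_name(p) for p, _ in run} for run in runs])


def ptr_to_ip(qname):
    """Turn an in-addr.arpa PTR query name back into the IPv4 address it asks about."""
    suffix = ".in-addr.arpa"
    if not qname.lower().endswith(suffix):
        raise ValueError(f"not a reverse query: {qname}")
    octets = qname[: -len(suffix)].split(".")
    if len(octets) != 4:
        raise ValueError(f"unexpected label count: {qname}")
    return str(ipaddress.IPv4Address(".".join(reversed(octets))))


def ptr_ips(queries):
    return [ptr_to_ip(q) for q in queries]


if __name__ == "__main__":
    print("hashes shared across runs:", shared_hashes(FILES_WIN7, FILES_WIN10) or "none")
    print("rewritten in win7:", sorted(rewritten_paths(FILES_WIN7)))
    print("rewritten in win10:", sorted(rewritten_paths(FILES_WIN10)))
    print("stable names:", sorted(stable_names(FILES_WIN7, FILES_WIN10)))
    print("PTR targets:", ptr_ips(PTR_QUERIES))
```

The decoded addresses are what the sandbox host was looking up, not necessarily what the sample contacted; ownership of each address is a WHOIS question the report does not answer.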