Analysis Overview
SHA256
b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819
Threat Level: Shows suspicious behavior
The file b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Drops startup file
Reads user/profile data of web browsers
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 13:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 13:20
Reported
2024-11-08 13:22
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | C:\Users\Admin\AppData\Local\Temp\b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| N/A | N/A | C:\UserDotS2\aoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotS2\\aoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZCK\\optidevec.exe" | C:\Users\Admin\AppData\Local\Temp\b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotS2\aoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe
"C:\Users\Admin\AppData\Local\Temp\b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
C:\UserDotS2\aoptisys.exe
C:\UserDotS2\aoptisys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
| Hash | Value |
| --- | --- |
| MD5 | 2ac8e43590485a36716e49d4c4651ff6 |
| SHA1 | 4095ce96df0d354eb5f1b8b3a05efca51d4638ea |
| SHA256 | 92ad5fe26c63beaa617a1e0699b73262fc211489fe78c3a6ee741f271dfeb157 |
| SHA512 | 483a8a46be83f88d5583246e2372b21ccf3e05558390a627eb707e733b5cc0138a8da3fba7e72287b8ca02092302a109c5f478527ca9516ca45994771207f363 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 99f0e38a9ba663f08c046af73ec1d323 |
| SHA1 | 3fbda91016ba560724817d5fb11f31278da0b8cf |
| SHA256 | 68484f194a6d826d456618d092979868ea8d367236db14a7850c3b0940ee2155 |
| SHA512 | f480e48bb39bd9dc737a5add4b9c03a317876f916501d5b33ef00a57f2d7408a035edd44cfab6dd6621c2df7161b38cff5b7e38a4b374182c7cce0bf979799b0 |
C:\UserDotS2\aoptisys.exe
| Hash | Value |
| --- | --- |
| MD5 | 277ab40f6a0a57b5778d029c62245a16 |
| SHA1 | f2bf1f7bc7ea5f40e75e994d6ff4de74ee66bc64 |
| SHA256 | c04fd4911cf4b12ede5aafc68fa5b1a21ec157efa1d0fe76f4f96b35d6e1f839 |
| SHA512 | 821ff967347e0f72577acb35962dba9276812d9d88ba1a94ca9a44b5b885117ad9dfc87345497ec11406834d447728c7a33d87f904d381280eb9b767d76f11c8 |
C:\LabZCK\optidevec.exe
| Hash | Value |
| --- | --- |
| MD5 | 58e0706c5493e7a7c1be38c71c6b4b0e |
| SHA1 | f970475028898a2e1fd60baa95c6b29c220f084e |
| SHA256 | 5e7868f0e25369b69bb46ba4911b5b66693623f20c91abbebab8be989cada78b |
| SHA512 | 9851229895548255979d856af061c101d46a3089d2003b0b108fe81976a93f4f5d17d338ac8d44473789c44dfd06145e2d2be9bfd06b68b01efa77378e5b4506 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | f0728a56b58f64740d9d5a6e5f28c895 |
| SHA1 | a484874507f906831a298f8e8413e90844c86876 |
| SHA256 | fa521746458605e64e6acca7a55913f81fe38708d2f4b1d92c8d89910e8f36db |
| SHA512 | 2336e7079dd1eaa70479291c156f1f976ed584082fc0bf3ab11f0b16106662dfd2945d76677d3ee3d9fece8c5615d485a5ba0a39d300b22ab63cab66c2dff1b8 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 13:20
Reported
2024-11-08 13:22
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | C:\Users\Admin\AppData\Local\Temp\b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| N/A | N/A | C:\FilesFG\abodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesFG\\abodloc.exe" | C:\Users\Admin\AppData\Local\Temp\b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxDV\\boddevec.exe" | C:\Users\Admin\AppData\Local\Temp\b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesFG\abodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe
"C:\Users\Admin\AppData\Local\Temp\b0968abd2162f9d0292e4f7b603191f1285d368811d41111f72b5dd0d1cf1819N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
C:\FilesFG\abodloc.exe
C:\FilesFG\abodloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.209.201.84.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
| Hash | Value |
| --- | --- |
| MD5 | 4ba566656ea4d88d52d6f6ec1a0a5601 |
| SHA1 | c25dabb36e6e6286310e7dfc36b8bebe1be5244d |
| SHA256 | 394c2fe2d9f3b07cbc09aaf7c310ad00533d4aaa520a1d6b2c975eb5ec7944e5 |
| SHA512 | a21a73afef5d1bdd4298ac363a6b0078fddb6a5fd693e4c56e7202bf3deb34b6ae35548df3f52208c4552d01fd101f8ba5441a845aa8d20e1d873b56d0ea2a94 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | a7e920bf053284688a40c5372d88ebf8 |
| SHA1 | 1cf959b0fcc219c0d8353649331831ec4c9dae72 |
| SHA256 | 04176b280c237dea6e71e474216c9a2e348ff2179013196f8d6de93a339f5c3b |
| SHA512 | 27c22f47ae5a99efb1f615c60e82e90654a258ba5736901c0d58fbb7ba3fab518f67dfecb2203371c52b96016d61bdc13b5eba1281f5f17fe447c814ad7d1f58 |
C:\FilesFG\abodloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 86e66331e4d6799ef044201296b62a59 |
| SHA1 | 76dfd87ead34479f20bcec5ba5d5c49d2acc289d |
| SHA256 | f0f208d73f7a52e28b39befe6cfe439c07b33de8046c8fb0c8bf7ac6a84c9434 |
| SHA512 | 38cc99f7c65938553e056a5ed948d95d93587dbc117e93febac0403488d5c0125e27ca0eea2b0531e7bfc3f310e9743e3e2e8e8f9fffef8badae8f5a3128e74b |
C:\FilesFG\abodloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 27d143c6ee09938461566edc9aa7d644 |
| SHA1 | f339e6b46ceda13e0a3fcba1969b2bfebd98b436 |
| SHA256 | 303cbd7071b7030391b4b17a3f36bb2444d130f63f77c66ab7e0237715cebf00 |
| SHA512 | 84a3b772a0e15caedf49087fa14291b1f486b5f1f8315fae56d0a44d117ec644f1fed8f8a48211f5e918a974d7547aef695b1726ba3e3daa6f2030a7b152f461 |
C:\GalaxDV\boddevec.exe
| Hash | Value |
| --- | --- |
| MD5 | 8d3e64c612223e70ac34a874351156b4 |
| SHA1 | 776ecc61f0105cebc5d790e659279a4486cae56a |
| SHA256 | 90e07e4fc6fa92c7fa9f019cfa2c25d2ec0c8c399fc13767a5de2b8c6b55d1ce |
| SHA512 | 3bff4e7c0eda209fa7b45de50ea372601de4546d1d98b29022a4a48c2b3425cac1a003dad5440ad24a172630dfb82d80885be5d2c9f8a4c3a1f201153dbf6692 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | fbe9710dc5d4395e9aea618dc8376dfe |
| SHA1 | ab4d58823bed9b772b8b904f6e8a8444714f2c84 |
| SHA256 | 19f9e37729294333629129a81a2041d96cbfae545f24a79b676bf40225d9ca4f |
| SHA512 | 3ddbaf2a7a4bbfa5e23839c0145276f48f03476b4deece89c6df05eb5c8b20b3028620380bd5727f7f774dd0deb047cdff5c0432e870158f8dd5fb92cfc63c2d |
C:\GalaxDV\boddevec.exe
| Hash | Value |
| --- | --- |
| MD5 | 853ac5a991b0a0e346f931b07e1075df |
| SHA1 | 489622fd3fab99ba6d54db8e1c6dbcac019317c4 |
| SHA256 | 38bd181a1d2fe274dd0a32a89244786fa5f68a0380fe285244ee93cffdf1d0f9 |
| SHA512 | e15cd6f3f5c12f3cbb97494bddf1ecb2bd63ebe0afbd71808a225b4c514bd2ed1ef61280a68a0131ac0376fb9dcef3bb968718e60a8bf68105bf564434758333 |