Analysis Overview
SHA256
6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcf
Threat Level: Shows suspicious behavior
The file 6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN was classified as: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 14:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 14:37
Reported
2024-11-08 14:39
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | C:\Users\Admin\AppData\Local\Temp\6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| N/A | N/A | C:\AdobeVA\abodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeVA\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidNQ\\optixec.exe" | C:\Users\Admin\AppData\Local\Temp\6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeVA\abodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe
"C:\Users\Admin\AppData\Local\Temp\6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
C:\AdobeVA\abodec.exe
C:\AdobeVA\abodec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
| Hash | Value |
|---|---|
| MD5 | 52187aa753bc94cdebd9a56a2ddab035 |
| SHA1 | be195be9df5a0af742166b0d4ccba2accbc7a17f |
| SHA256 | d0ebf86797d41f0ca23cfffd9587288ea30916790fc485970a1fde028b5ecdf9 |
| SHA512 | 27820671ee21e8fa046de0e21e58917a50e095e97c401eeb71acd6f394fc7255027d9aa0a9f0401ba7c6d9c68aef1248a66a8cb9fd8e226127fc0d5bc412c248 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 80d6138e564e7fd2c4a1661211e29cc3 |
| SHA1 | 06214a0c1477cc025be2d6124517fe887e674c65 |
| SHA256 | 69dea7a9b85de633ed3ddbf9dd32db02c6a2d4c3ab45a8d72fb4111197c8a977 |
| SHA512 | 2fd9c46642dd4fc2de01e5c5cb8bc8a2427d1bee387d1919698a6fb53602faae2e31e64825d7e8702063b4bb363f009364ca258cea11d8e851bef7c1bde025bc |
C:\AdobeVA\abodec.exe
| Hash | Value |
|---|---|
| MD5 | 2e2ad8c4872ad10cd2f913a6664c465f |
| SHA1 | 7661ea0fe45a5fff7ec2eca624e471651bef2bbd |
| SHA256 | c3bb104b485f1d060b46a744627926857c85450032ef4da95f802b8373cd1950 |
| SHA512 | a12a9f1421a15e23d2f470a7578bda07bbd4a3522252c9bf957cbf27bb9ab7ef0af06169b9095ed820f4c97238740a453291f41aaa39e74b5ca17b1f2237b416 |
C:\VidNQ\optixec.exe
| Hash | Value |
|---|---|
| MD5 | 3f741ff25655ad6e1a7642dd208cf5f4 |
| SHA1 | 4e0c7488787b0066dbb806d5b7417dc39b70c5b5 |
| SHA256 | 56c91d8a748fc8617b8dcc8ba55bfb93b8d132ebd8c64c3ff20329cd6c1131cf |
| SHA512 | 06a108f5ec4e958c36c48b9d7c7a182841538462a36009dc8484b49847431e0183e696f0831e122ae7d3b982d12a7d65f7d24ec5cea990f52f6711eb8b7f3d53 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | a2293175928f191234dc68156f7274ed |
| SHA1 | 652ba82b0ae3916c9101d35e6ccf63311ad028a3 |
| SHA256 | 808b5bd08e529475cd0ae08db191f9dc01483000bc6a0ab84eef90cd29827747 |
| SHA512 | 80a9910a8f25157a1b09d265baf2f8b7d5673c8e6aa92820761a0829ca70c7ba0a315edfaa484111269d728d1928bd666a385c91506ef7c8dc0957c4ab4c6278 |
C:\VidNQ\optixec.exe
| Hash | Value |
|---|---|
| MD5 | 2b23ec558225c41f12d928026a556b97 |
| SHA1 | e9678b27b3f0a940fe3de221374212f4c0b2d953 |
| SHA256 | 27a7e0c8f5760ea6bec2cb242d4106017d86c41686a8b1a5825da4123407d1dc |
| SHA512 | 59d7c703d4242bf8b8325004e794c252bb199252218d0b66b3feea1d27105e9bf9856cea46c9aa6a688e013aea7b11a9398047414b2bb86ab37a80d536719868 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 14:37
Reported
2024-11-08 14:39
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
97s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\FilesJK\aoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesJK\\aoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintFC\\optiasys.exe" | C:\Users\Admin\AppData\Local\Temp\6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesJK\aoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe
"C:\Users\Admin\AppData\Local\Temp\6615c9b9b2ee7f92d5bda6f12fd00b5f64a2060214ef14fbe63a52df06cf5fcfN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
C:\FilesJK\aoptisys.exe
C:\FilesJK\aoptisys.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
| Hash | Value |
|---|---|
| MD5 | 6bd97453b8f01b407d10ee27b809713a |
| SHA1 | cc9b082c70ab6b64c41e268e64f20804ab6be956 |
| SHA256 | 11a4e07939b45d5213d71e97a0941158c6cafd29545a59ed440afb049b25075b |
| SHA512 | f3f173f3782abad6b4dd6b7710d2a1733381fa6acb6116945490f7dcaa40827f02625516522f9cb3ffac95fb80f857a98a0ef5145f98363249dad92ad19de424 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 2aa7292ec670a6719bec8d3539d0ffad |
| SHA1 | db823ff68c64319649bf6a4c43b5bb0ff7875377 |
| SHA256 | 7665a3fb892a124945306b5d3793969a05b338abf791f2abc1f8a8be3d63418b |
| SHA512 | 1450c49d8a52cc936527970684366c0282f45962de9490becf5cc71dc64d8ac202f568d5b794932d40320df3113b885c6ac9973b1500bd40e7509ca50a221ed1 |
C:\FilesJK\aoptisys.exe
| Hash | Value |
|---|---|
| MD5 | efdd696809cff5f1998fb2da6a5e0367 |
| SHA1 | cf9bed143449a178e9d198745980d21354d45b71 |
| SHA256 | df813ec01242b01d6aa58e0ae8de42121f1b627549a45d0e6c0b1cf878905e50 |
| SHA512 | 07534cc1ca182ef1148e5568b279b3ce79241a5be43ec093afca8f2f5ebffa544a63dc385feee87b35a638dced1038a3197b88392fe5306b722e3c2aaefd4498 |
C:\MintFC\optiasys.exe
| Hash | Value |
|---|---|
| MD5 | 25ed69447718f994757a3866a9c3edda |
| SHA1 | 4b1175c5544497499c33a417e6c177d6b7a5136a |
| SHA256 | 338aabf49558a39e40f710d630cab50a4fe83ed2e74321adca0976e1950c2ed1 |
| SHA512 | 1f6db4174e891f74c345d965f1c9e2b1258e0050cb487f669911a27521f65a63e1e5bb94075469dcf7252d5577b5951a2a09bc375f5a51c5f2b2873f4f5c9f4a |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 01250e943aaeb48ce550403231b5dee5 |
| SHA1 | e948767914800c15ab14d223910fbf24a46083aa |
| SHA256 | 4d4d368f9b7c2c7f4687faa15f00369cfec83748bcdfcac56e1b830262b28200 |
| SHA512 | c785f4c9f9c2c5d490d225170c27413e3a2ba7c30c791c56d4df5f968918ec0b312124729c7ebfe8b2e102d3866155538ea87a96eb77d8be03cb345a14fa2120 |
C:\MintFC\optiasys.exe
| Hash | Value |
|---|---|
| MD5 | 5ffab038d17d47771c031d3b701e0cc5 |
| SHA1 | 74d331d26e5210e7e523c750b0080e1641bb61f5 |
| SHA256 | 1b2bb8b0c13c9e1418b1e48501e2a62606e0e890934e027d746c196943068982 |
| SHA512 | fad3e0cee5656b4fb350050395b6d8039f870087a145394dfc2eab77587a10e53b2e421be937a90a9a80244cbd3096e07f785a35d7df3b5efb0e258ca75678ec |