Analysis Overview
SHA256
52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6
Threat Level: Shows suspicious behavior
The file 52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 22:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 22:18
Reported
2024-11-09 22:20
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
136s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | C:\Users\Admin\AppData\Local\Temp\52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| N/A | N/A | C:\FilesXB\xbodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesXB\\xbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidX9\\optiasys.exe" | C:\Users\Admin\AppData\Local\Temp\52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesXB\xbodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe
"C:\Users\Admin\AppData\Local\Temp\52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
C:\FilesXB\xbodsys.exe
C:\FilesXB\xbodsys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
| Hash | Value |
| --- | --- |
| MD5 | c19be8c156afbf4237aa28eaaf7dae58 |
| SHA1 | 4ed79f0a39481954b7d45d2e6c3cc215e51ef3c5 |
| SHA256 | 98ff78b705845404afcdc623e1e747c9c454674c145ede1f12e8bb2f551aa760 |
| SHA512 | ecbc0671b33ebb76a98b9bd291f8298a4861c4479837c9476d5935c605a785d347a313b97c4b7954c3b8c373325a94ff0117065b47d2a6127c6d4325ab0abb6e |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | e077d49bc1494b02eaeee565b9a47e76 |
| SHA1 | 88167be303025f191f470c68adea3bb1d440072a |
| SHA256 | ebbd83abc86975250845e582f61a2baa3c349fa5c0d926f636778b9cdce53287 |
| SHA512 | 0a2c9177b180b5086e3d4cd6c209bea8957611912a4bd86054df3c2082e8f942fd9a675a426dcce957b32f9f70100923e2a59bfaa05f1f4e1ec7c7649fbce965 |
C:\FilesXB\xbodsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 9043a689c43841a881ffa666aa9b94a5 |
| SHA1 | d8b5e84975f8ad886833e0e968c6ac32c370b384 |
| SHA256 | 2110f0b4333f9ed98b3de4d8eb20bb4dd078324f8ddc6fdc04cfc7410290ecab |
| SHA512 | 010074c7f25ba25b566f2cdb1234d2190cd8e71f1d9782bcfab6d3d2c876acbcbcf4d6abccad595d570a019422b5bbdefb56e7655c035425f36ed69ee72cab07 |
C:\VidX9\optiasys.exe
| Hash | Value |
| --- | --- |
| MD5 | 86dcdc7c746dd936df1bebaa92f80541 |
| SHA1 | 80b12cea304b75359e21a307c6510f1e67536957 |
| SHA256 | 5a38b6eed759f906fe1e7a927e3400fcf197d7cf18432bfc7ac3b1f886128d39 |
| SHA512 | 70758e8a811e0c3aa68a2c19144296bdb2413077105a659d292f2be58b15e66e88406aab7562ab694dd527d8d1584b420e3e0e4d22be11d92ebb720c18488807 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | e149b68aadb1e7a8d4a5d93616054a19 |
| SHA1 | ceed2c9a42b05299d5ecc9a0ea091bab205ab162 |
| SHA256 | e77b093adbe728c37e8aada7749ed13ac9dda29de16f059a5a717f2dc9b71387 |
| SHA512 | a8d72f9e0356dd5fa44b0c0fc66ff4a871d06708f646ceaa4e9a823f279fd550a0f149475fde99f1e43ff6e7a9f2e2cad6e80de2012aafad85ad17c3994133fe |
C:\VidX9\optiasys.exe
| Hash | Value |
| --- | --- |
| MD5 | c289535fd4b1ea2fee12772be483d1e9 |
| SHA1 | 2f7bc4e741fda1cfc86daf038ae329809090851d |
| SHA256 | dd23f41a30f70d70b9f26aedff398e4736bfef453c91fbaa8fc893c3c0594637 |
| SHA512 | c15ca827ae31f678da3f7aafae9e093f807554da090ae63d1f026821966e2b8bcbc9ddc56e6a3a634fa94ff779000db75179ae1cc49aeeab8bacc054d6399c63 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 22:18
Reported
2024-11-09 22:20
Platform
win7-20240903-en
Max time kernel
148s
Max time network
121s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | C:\Users\Admin\AppData\Local\Temp\52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| N/A | N/A | C:\SysDrv7X\xbodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv7X\\xbodec.exe" | C:\Users\Admin\AppData\Local\Temp\52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBVL\\dobaloc.exe" | C:\Users\Admin\AppData\Local\Temp\52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrv7X\xbodec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe
"C:\Users\Admin\AppData\Local\Temp\52ade0d6afcb10538de62a486e4e9fb278ed674ec959c0719c36aee669df48e6.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
C:\SysDrv7X\xbodec.exe
C:\SysDrv7X\xbodec.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
| Hash | Value |
| --- | --- |
| MD5 | 59021fefc1a3e73d833d01577fa952d9 |
| SHA1 | e3b56a75b12a4d25df5b3b02ec37b090d02e4b9e |
| SHA256 | 269137a31047339e3865b6d590b3bbee8fb67542da72c44f3b684117421e69fa |
| SHA512 | 8e75c0c2cb05f1be22e64fbd3c5beafb1b515a25689ee29aca4d144ecb1bb63e340c37dc78ad88f7f1f10529a777fd7cdde015b0b61ee7e0e26bcc1c1d1ee6c8 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 948991eb8dfcde882cab218dde7acabf |
| SHA1 | ff54905953ae2e9be8ebc2052ed65170337428dd |
| SHA256 | 97997111eac51d9afd10f3157c30b3d21e1a6340255f0e019bfe49a2956146b3 |
| SHA512 | 23e54abfda9ea674dd285246e9aa62cd9dd639566c1e077958fb2784ec1e4e20c8f48daea7b773050360d120e0aac2caee0a3b74329275a493b45378b758794e |
C:\SysDrv7X\xbodec.exe
| Hash | Value |
| --- | --- |
| MD5 | b4e99ce52575ba4ad35a9579c64adf14 |
| SHA1 | 8665f083abb589dd1da394682d1fe66d4f35ab76 |
| SHA256 | ad645c9e261ceb046ad69650f3a095062cdf9f2f66a3686dece9d9ab4748b929 |
| SHA512 | 3a3e3edbd50e238004626f125a9076898c8637f21b3db003bb43fac311492e83a21acf20f7aab800bcd6c7259065900fc64923b9821a7fc7a2ab8cfd0f128e84 |
C:\KaVBVL\dobaloc.exe
| Hash | Value |
| --- | --- |
| MD5 | e82a9c11845448ba16fe674915e98347 |
| SHA1 | 302af2806fdd0e7b5c42c24248b27e39c09ef641 |
| SHA256 | 2a2d7dc1589e186a41c13d3792a0d342a2aa03792ae4fd35cbc13dbf2b0d73d3 |
| SHA512 | 928ce0de970d9f9cb0f6ae934cdfcc11939968d29ce2a02bcd5347b3f668034c62bcb10cb1c59410dc30cb9fdb5febb0e22ecb147a6c9d20afaee27c25bfc159 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 06fcd77964dcc51454540f7e3a14909e |
| SHA1 | 736e367ed900b2ccd6774320cc6281c4435d4bae |
| SHA256 | d483d411b2b1b6877e91b9baaeb0689a45d3cb425d275f19d321e3bb9cba091e |
| SHA512 | 6e7706a05ca19a679934998fb543460d8b6dabc5d5d3576ed91a5ce21fad20040d12b6c327c634a69176c0dfb4e08d7a9b545a20525ed0404780fe89b6c48a10 |
C:\KaVBVL\dobaloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 373f961ab3d25066725789da227a8fff |
| SHA1 | 48b241457cf4adfcd7a9483034d872c4b596e114 |
| SHA256 | 16d2cc264fb3f54be681b16469f177273b23ac2afd6eb8358d057bca653b78c6 |
| SHA512 | 1492c4985bc5000003eccea3419df8da990b187372c61f2c03996ffb4d5d46fa54f764875a58a4b2c35b935c2589207f861bb731dc9937be44c6284d84b4ea97 |