Analysis Overview
SHA256
1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5
Threat Level: Shows suspicious behavior
Verdict for the file 1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 22:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 22:21
Reported
2024-11-09 22:23
Platform
win7-20241010-en
Max time kernel
120s
Max time network
18s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | C:\Users\Admin\AppData\Local\Temp\1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| N/A | N/A | C:\IntelprocQT\xbodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocQT\\xbodec.exe" | C:\Users\Admin\AppData\Local\Temp\1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidJR\\optiaec.exe" | C:\Users\Admin\AppData\Local\Temp\1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocQT\xbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe
"C:\Users\Admin\AppData\Local\Temp\1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
C:\IntelprocQT\xbodec.exe
C:\IntelprocQT\xbodec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
C:\IntelprocQT\xbodec.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\VidJR\optiaec.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 22:21
Reported
2024-11-09 22:23
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
93s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | C:\Users\Admin\AppData\Local\Temp\1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| N/A | N/A | C:\SysDrvIV\xoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvIV\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidUH\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvIV\xoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe
"C:\Users\Admin\AppData\Local\Temp\1f36fe03a96b96804b3308ef3b60121a6946d72fb1237afa6c82daff244bd0a5N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
C:\SysDrvIV\xoptiec.exe
C:\SysDrvIV\xoptiec.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\SysDrvIV\xoptiec.exe
C:\VidUH\optidevsys.exe