Analysis Overview
SHA256
76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159
Threat Level: Shows suspicious behavior
The file 76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-09 21:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-09 21:57
Reported: 2024-11-09 22:00
Platform: win7-20240729-en
Max time kernel: 119s
Max time network: 17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | C:\Users\Admin\AppData\Local\Temp\76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| N/A | N/A | C:\FilesD5\adobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesD5\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBYP\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesD5\adobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe
"C:\Users\Admin\AppData\Local\Temp\76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
C:\FilesD5\adobsys.exe
C:\FilesD5\adobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\FilesD5\adobsys.exe
C:\KaVBYP\bodaloc.exe
\FilesD5\adobsys.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\KaVBYP\bodaloc.exe
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-09 21:57
Reported: 2024-11-09 22:00
Platform: win10v2004-20241007-en
Max time kernel: 120s
Max time network: 95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | C:\Users\Admin\AppData\Local\Temp\76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| N/A | N/A | C:\FilesR5\xoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesR5\\xoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB72\\optixsys.exe" | C:\Users\Admin\AppData\Local\Temp\76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesR5\xoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe
"C:\Users\Admin\AppData\Local\Temp\76b75cbcc81a6404900dc385eff5ce1b4a65d456b27b01f0576cd659ad9b7159N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
C:\FilesR5\xoptiloc.exe
C:\FilesR5\xoptiloc.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\FilesR5\xoptiloc.exe
C:\FilesR5\xoptiloc.exe
C:\KaVB72\optixsys.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\KaVB72\optixsys.exe