Analysis Overview
SHA256
b97dee63925d1dcf8966f6d452e92fab8c5581d5f1f971c72f2ab78c5b53e9fd
Threat Level: Shows suspicious behavior
The file b97dee63925d1dcf8966f6d452e92fab8c5581d5f1f971c72f2ab78c5b53e9fdN was classified as: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 22:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 22:30
Reported
2024-11-09 22:32
Platform
win7-20240903-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | C:\Users\Admin\AppData\Local\Temp\b97dee63925d1dcf8966f6d452e92fab8c5581d5f1f971c72f2ab78c5b53e9fdN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| N/A | N/A | C:\Adobe04\aoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b97dee63925d1dcf8966f6d452e92fab8c5581d5f1f971c72f2ab78c5b53e9fdN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b97dee63925d1dcf8966f6d452e92fab8c5581d5f1f971c72f2ab78c5b53e9fdN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe04\\aoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\b97dee63925d1dcf8966f6d452e92fab8c5581d5f1f971c72f2ab78c5b53e9fdN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZO9\\optixloc.exe" | C:\Users\Admin\AppData\Local\Temp\b97dee63925d1dcf8966f6d452e92fab8c5581d5f1f971c72f2ab78c5b53e9fdN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Adobe04\aoptiec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b97dee63925d1dcf8966f6d452e92fab8c5581d5f1f971c72f2ab78c5b53e9fdN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b97dee63925d1dcf8966f6d452e92fab8c5581d5f1f971c72f2ab78c5b53e9fdN.exe
"C:\Users\Admin\AppData\Local\Temp\b97dee63925d1dcf8966f6d452e92fab8c5581d5f1f971c72f2ab78c5b53e9fdN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
C:\Adobe04\aoptiec.exe
C:\Adobe04\aoptiec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
| MD5 | 73185fc7917745b86eb569a25a535314 |
| SHA1 | d59c2c67726215a30a588705cae84b8bf0af7695 |
| SHA256 | d37a2e5388c83f005ca8a10602413e760cdde1b7a6b5ba846fbe8306b31f4f20 |
| SHA512 | f72ace9b9d9aab636dbb9f9e1569d8fb21e11ea57c18031a55cdd039f371796f8bfd4406b188807e644d402bdb0d376f51b8ac79dcf89b830a7c620f74433137 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | e9e3d4dc3a708f1909da4588024ffef6 |
| SHA1 | a8acf2907bc53afc583bb42c11e03ddabee64371 |
| SHA256 | 31ef17b96e073294d04f91ec67ed4aa783b7e789a238f509cbb799cafc451a71 |
| SHA512 | 9ce5e86fc863b9dc1b7c54e8640705a3b05925a08c6ef09a3c566b978c4e411467471f3955275b07dca7de18bb533dc038cdb7ed2d62add2f81199744d670099 |
C:\Adobe04\aoptiec.exe
| MD5 | e4eb81b033478f7253099f048b0c521c |
| SHA1 | 69cb81f4e3e148a485509ef4ecfcca057921de2c |
| SHA256 | d533c36b8c7fd748689caa2f40c3f23735a9787e111f6f0a08fc694b65491be6 |
| SHA512 | 58ccc0312c5f6b26eb1d99703e085113fdd52eb6e831c7cd47cd6777b16a1db476f7ed4fa70332b05eafad9b6c615365658338cc9c74017c5ecd5efa5a0f07aa |
C:\LabZO9\optixloc.exe
| MD5 | 7e5f216f9b5f8c8976541b38b7698674 |
| SHA1 | 22b34dfc38b06c839d1b9c6a9e8f848df36af6c5 |
| SHA256 | b9a5dbce2476cab80ff06f092b93bce8b16e59f5dfa7bfb3fbdcb1e869a6419c |
| SHA512 | 265adc8d55ec29a162de5bf946dd47a42ad708709e9556227672982b9dd4739b337dcdd09da0f18be9048fc1c4d3013fbe674cf5f9e66ccad22474ad45e1de98 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 0e4334b797dc505e13b21e450f147e92 |
| SHA1 | ed958e66b179185e11ee2aa04f0efcd4b9e62a5e |
| SHA256 | 8e9ca0c4cc2211ec74850630cd257fe2de1f2f0b195404776492d262a0f54795 |
| SHA512 | 5d385e7df50dcb27a7dfcd9de70c2d0924d47debfa48f755ff5ce6d5063daaf393d7c9bbc21491aeeb753da35d3abd148d4d7710de7069a4873c6eb6bf4c8172 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 22:30
Reported
2024-11-09 22:32
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
97s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | C:\Users\Admin\AppData\Local\Temp\b97dee63925d1dcf8966f6d452e92fab8c5581d5f1f971c72f2ab78c5b53e9fdN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| N/A | N/A | C:\AdobeI4\xdobec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeI4\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\b97dee63925d1dcf8966f6d452e92fab8c5581d5f1f971c72f2ab78c5b53e9fdN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBSR\\optiasys.exe" | C:\Users\Admin\AppData\Local\Temp\b97dee63925d1dcf8966f6d452e92fab8c5581d5f1f971c72f2ab78c5b53e9fdN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b97dee63925d1dcf8966f6d452e92fab8c5581d5f1f971c72f2ab78c5b53e9fdN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeI4\xdobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b97dee63925d1dcf8966f6d452e92fab8c5581d5f1f971c72f2ab78c5b53e9fdN.exe
"C:\Users\Admin\AppData\Local\Temp\b97dee63925d1dcf8966f6d452e92fab8c5581d5f1f971c72f2ab78c5b53e9fdN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
C:\AdobeI4\xdobec.exe
C:\AdobeI4\xdobec.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
| MD5 | cc1dfc159daa4fdc1542c79ea4d226d1 |
| SHA1 | 2385eb703452f85fa58eb71ea1acf640c6066aed |
| SHA256 | fc524be3b7920771808da6c634c8e2b2a67f144b35b8415cfcea46b83599a2bf |
| SHA512 | a23d8598d0e90d6b82295cf7b59313fb60511935050bc7ff7d1be0714e4def645ce8b6d285a08cf1ac2725bb0567ebd0c5869ab8c8e9e7c1ad4028553e5170bf |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 30e2b2266a40899a28f126a00f9907d4 |
| SHA1 | 22098bb632617ddf2e5def2ea89e59ed93152e86 |
| SHA256 | c968a64fcab1e93f25a05664b76501e3e954ce430b72f86d86014d45f44b1777 |
| SHA512 | 88584843b9fbf1093ed2042e1f82a8c754e747974eb693f0e6a512db4fd827c536f596c89f74e43fe08c897036198256a0f991a576a9d9ec0cfe72c2b0dc5eb5 |
C:\AdobeI4\xdobec.exe
| MD5 | f3cf989ebaf60c4d3e4045cf20855577 |
| SHA1 | f747d7d63f8c28ab2a61fee35f0b08a0d8a78f05 |
| SHA256 | 70af283805c627f4009a2c2751793d57220483f3841f8d4ee91cfe7a91323aa3 |
| SHA512 | 019121a3eb80659a617f425602ffbe1fa1253ff2434415e2218cc78fb7ec2238deb9b2120bcecd1baef61797d3387cb242be90c3ff04d569db3808b8d62060b2 |
C:\KaVBSR\optiasys.exe
| MD5 | 6037e1b73c9c282206f71b6c1b6d38e8 |
| SHA1 | e629c60c48a90d734535f1e4a4a664bddeb8268c |
| SHA256 | 14d2aa69bf75ac8afeb648b70bb96cd88e27c7623b9dff3b55174dde2921914b |
| SHA512 | 080aa1b200f81ee9d869ff395084d6f680e0566c80c485df726b64ab1f26f6a0a93da35e064a9a014332f88971ef7886c00cb9c93269a5251140575af5eefe43 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 9086c4c209da8501541e470d031df4f1 |
| SHA1 | dac37097ceec93fa7ccc87fed94f993c76672dc7 |
| SHA256 | f3a44fadbb1421b153006b1d55a35b62b813df222f26b03b6450929a3d849ba5 |
| SHA512 | 5d88bb15c7f85ec8abc083f3b9f14c0c65b2b2e451efd25c4c35d0729c8650d98234fa25bef646afa1c9ae6750df4f140e5e7cbcd6726d8398778ff0a3f89dc9 |