Analysis Overview
SHA256
2fa132ca0feac328958601b5e48d1c348feceedf65c979819b77b0eb99f58a33
Threat Level: Shows suspicious behavior
The file 2fa132ca0feac328958601b5e48d1c348feceedf65c979819b77b0eb99f58a33N was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 22:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 22:50
Reported
2024-11-09 22:52
Platform
win7-20240903-en
Max time kernel
120s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\2fa132ca0feac328958601b5e48d1c348feceedf65c979819b77b0eb99f58a33N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\FilesRL\xoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2fa132ca0feac328958601b5e48d1c348feceedf65c979819b77b0eb99f58a33N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2fa132ca0feac328958601b5e48d1c348feceedf65c979819b77b0eb99f58a33N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesRL\\xoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\2fa132ca0feac328958601b5e48d1c348feceedf65c979819b77b0eb99f58a33N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBX0\\optidevloc.exe" | C:\Users\Admin\AppData\Local\Temp\2fa132ca0feac328958601b5e48d1c348feceedf65c979819b77b0eb99f58a33N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2fa132ca0feac328958601b5e48d1c348feceedf65c979819b77b0eb99f58a33N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesRL\xoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2fa132ca0feac328958601b5e48d1c348feceedf65c979819b77b0eb99f58a33N.exe
"C:\Users\Admin\AppData\Local\Temp\2fa132ca0feac328958601b5e48d1c348feceedf65c979819b77b0eb99f58a33N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
C:\FilesRL\xoptisys.exe
C:\FilesRL\xoptisys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\FilesRL\xoptisys.exe
C:\KaVBX0\optidevloc.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 22:50
Reported
2024-11-09 22:52
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
94s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | C:\Users\Admin\AppData\Local\Temp\2fa132ca0feac328958601b5e48d1c348feceedf65c979819b77b0eb99f58a33N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| N/A | N/A | C:\FilesU7\abodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesU7\\abodloc.exe" | C:\Users\Admin\AppData\Local\Temp\2fa132ca0feac328958601b5e48d1c348feceedf65c979819b77b0eb99f58a33N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid93\\dobxec.exe" | C:\Users\Admin\AppData\Local\Temp\2fa132ca0feac328958601b5e48d1c348feceedf65c979819b77b0eb99f58a33N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2fa132ca0feac328958601b5e48d1c348feceedf65c979819b77b0eb99f58a33N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesU7\abodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2fa132ca0feac328958601b5e48d1c348feceedf65c979819b77b0eb99f58a33N.exe
"C:\Users\Admin\AppData\Local\Temp\2fa132ca0feac328958601b5e48d1c348feceedf65c979819b77b0eb99f58a33N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
C:\FilesU7\abodloc.exe
C:\FilesU7\abodloc.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\FilesU7\abodloc.exe
C:\Vid93\dobxec.exe