Analysis Overview
SHA256
9ab400b0886618ed61e2cdb7f737dbc1d9b39f14e2690379a33eff3d06120388
Threat Level: Shows suspicious behavior
The file 9ab400b0886618ed61e2cdb7f737dbc1d9b39f14e2690379a33eff3d06120388N was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Drops startup file
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 22:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 22:52
Reported
2024-11-09 22:54
Platform
win7-20240903-en
Max time kernel
119s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\9ab400b0886618ed61e2cdb7f737dbc1d9b39f14e2690379a33eff3d06120388N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\Intelproc9F\xoptiloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ab400b0886618ed61e2cdb7f737dbc1d9b39f14e2690379a33eff3d06120388N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ab400b0886618ed61e2cdb7f737dbc1d9b39f14e2690379a33eff3d06120388N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc9F\\xoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\9ab400b0886618ed61e2cdb7f737dbc1d9b39f14e2690379a33eff3d06120388N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintM9\\optidevloc.exe" | C:\Users\Admin\AppData\Local\Temp\9ab400b0886618ed61e2cdb7f737dbc1d9b39f14e2690379a33eff3d06120388N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9ab400b0886618ed61e2cdb7f737dbc1d9b39f14e2690379a33eff3d06120388N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Intelproc9F\xoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9ab400b0886618ed61e2cdb7f737dbc1d9b39f14e2690379a33eff3d06120388N.exe
"C:\Users\Admin\AppData\Local\Temp\9ab400b0886618ed61e2cdb7f737dbc1d9b39f14e2690379a33eff3d06120388N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
C:\Intelproc9F\xoptiloc.exe
C:\Intelproc9F\xoptiloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\Intelproc9F\xoptiloc.exe
C:\MintM9\optidevloc.exe
C:\Intelproc9F\xoptiloc.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\MintM9\optidevloc.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 22:52
Reported
2024-11-09 22:54
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
98s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\9ab400b0886618ed61e2cdb7f737dbc1d9b39f14e2690379a33eff3d06120388N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\IntelprocSN\xoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidME\\dobdevsys.exe" | C:\Users\Admin\AppData\Local\Temp\9ab400b0886618ed61e2cdb7f737dbc1d9b39f14e2690379a33eff3d06120388N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocSN\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\9ab400b0886618ed61e2cdb7f737dbc1d9b39f14e2690379a33eff3d06120388N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9ab400b0886618ed61e2cdb7f737dbc1d9b39f14e2690379a33eff3d06120388N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocSN\xoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9ab400b0886618ed61e2cdb7f737dbc1d9b39f14e2690379a33eff3d06120388N.exe
"C:\Users\Admin\AppData\Local\Temp\9ab400b0886618ed61e2cdb7f737dbc1d9b39f14e2690379a33eff3d06120388N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
C:\IntelprocSN\xoptiec.exe
C:\IntelprocSN\xoptiec.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\IntelprocSN\xoptiec.exe
C:\VidME\dobdevsys.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\VidME\dobdevsys.exe