Analysis Overview
SHA256
68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87
Threat Level: Shows suspicious behavior
The file 68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 22:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 22:57
Reported
2024-11-09 23:00
Platform
win7-20240729-en
Max time kernel
120s
Max time network
21s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | C:\Users\Admin\AppData\Local\Temp\68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| N/A | N/A | C:\Adobe8X\devoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe8X\\devoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintDE\\optiasys.exe" | C:\Users\Admin\AppData\Local\Temp\68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Adobe8X\devoptiec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe | "C:\Users\Admin\AppData\Local\Temp\68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe" |
| C:\Adobe8X\devoptiec.exe | C:\Adobe8X\devoptiec.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
| Hash | Value |
| --- | --- |
| MD5 | bbc67fac15ad3fe8417c1012aea5d499 |
| SHA1 | ffeab05931398705662dd79bd5590db0bfdde46b |
| SHA256 | 3f3f431e9a74b9dd5538cfe19a99294d8029d08f734940f71f79f1bbe8393463 |
| SHA512 | fc11fd215c8adff4e6a14842ce3ca0956b1eebdb586e848c07ada8abcb667a7dccf51f011a9e44a7a2cb74de1df53f2b9a024921412fe048db6695c403243807 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 0446e30f3bbd128f37304029fddd94c8 |
| SHA1 | 620211050e2b98bc793101bced86e87ba9a46b45 |
| SHA256 | de1351073e671b0b362264744b5b3333764bf76f57fb80a4efc20b3841758d90 |
| SHA512 | bfa51e2491426af2f5f1d4ec6e942fcbf564193dce7074b0ba8f95c7e4b5117147663f799b69901b4d687707660b10cd5bbf9559dec89ffe485398d303001d64 |
C:\Adobe8X\devoptiec.exe
| Hash | Value |
| --- | --- |
| MD5 | 51c42b71dbdd102b6c071bded352ce35 |
| SHA1 | ca2bbfff6c1936cba038e9f60d858809cfd1f95a |
| SHA256 | 0a18e8701445285d9cb63c2af91eea4159abc2a81973f9f671a2c30b4f07b4d7 |
| SHA512 | 7158a400f47516993acf59c3d8379a3750c050b11c806441fcd2647f07d537d053b8f9e7fd5d395267ef7adfc9cb462dec6554b88db746184508f7b37a705aba |
C:\MintDE\optiasys.exe
| Hash | Value |
| --- | --- |
| MD5 | 837d4375d5debe21b2c3d756a97d396f |
| SHA1 | 632cafb8c9abbdf93f3ba04eaeba18537ab35d01 |
| SHA256 | 532d5ac419654637f6aa51bf8721585c7a3d3643d6e13c9a857fd0b50abb0200 |
| SHA512 | ca9aa2e5d2f4b64b654449c379c74dcc82376c4078ac17eea21abe017781ef260df0fd81906b033cf192e9945a12960cc6ead3a0481195ec1cbe2096e669d8c0 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 1d8756993991439787dac2fb85d6bccc |
| SHA1 | 86a2779f17acd9c84dfee492fc2b8d23b900f8de |
| SHA256 | 06261ad48b9b6d5bf37f85d9af2fcffec306d9582cf98bb5168678e82526852d |
| SHA512 | aac2ae7dc3819b2013de5e9362f30aa15d1b979aafe806a1faf0b714b1b16255a00bccac2b68915ef5bccce5bebaf77f0ef3d2524ba7b448916624a2bf17996c |
C:\MintDE\optiasys.exe
| Hash | Value |
| --- | --- |
| MD5 | 33b389447d92d1d6bec3b0d88267fc38 |
| SHA1 | 136c5272702f019838d1e3ece0a088c73e5f0c30 |
| SHA256 | f6ba336ee80d621061e4055bd48c36089dd5bcac3a01c98f0856c09232af5280 |
| SHA512 | d37aa3d9152be5d420e46e26345ac7aca03aca84843ca0b9692ad41acf39829dd9c81857d06c1bbabf7ee892077e2c7ebcdf327329acb306f707f7bdf36de399 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 22:57
Reported
2024-11-09 22:59
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | C:\Users\Admin\AppData\Local\Temp\68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| N/A | N/A | C:\AdobeHT\devoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeHT\\devoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBW9\\bodxec.exe" | C:\Users\Admin\AppData\Local\Temp\68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeHT\devoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe | "C:\Users\Admin\AppData\Local\Temp\68a415c59145775d0e3f794df87ed9f662b48ddfcd7dc605086235e79775fe87N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe" |
| C:\AdobeHT\devoptiec.exe | C:\AdobeHT\devoptiec.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
| Hash | Value |
| --- | --- |
| MD5 | f07147311af481dcdd76a564227f6184 |
| SHA1 | 32d3d2e74c9de51e984c8ff3c35845671daf2921 |
| SHA256 | 8e9ad0a0ab8b3590fbee792a445150afd75fce6f6d27dcd8cb96780abfbbbd48 |
| SHA512 | b5b709e8447e9ec49059df1b2d8ad3016b1ad42a408c5f9bff886e65cb57d4f47b217105a4f7577ca835c24612ae3f6bd7f59cc308ca168fbe5e1a40dddfda04 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 4708898b9ddb9a3949b84fb74c7c371b |
| SHA1 | a6e72ef74c0ba3019bc08f0377a59f681be9121e |
| SHA256 | a4815983fc9678799916820365c07b83f0f8c0439c62c21be2e6e49794cf83f8 |
| SHA512 | 9d2d8fce9fca22f21dbd6bbec6045b9942f6b859323a5701af237fd67fbb5b60871b77f4c1396a5d1fbc16f2436f932c047c5e0a2a9c9a01d49ddfb5d18fb9ce |
C:\AdobeHT\devoptiec.exe
| Hash | Value |
| --- | --- |
| MD5 | 5ccecb4bfda35edbebd7081505566219 |
| SHA1 | eef3c415f356aa1b5112034a5fc8599f086d2700 |
| SHA256 | 31eaa458538895949e4eebedbcd3a78720febf3554f61e73b3e10b408831454a |
| SHA512 | 9f947969db1c9de3e267dbefe253be876d0fa7e4b02bb46edbf103059b45c74e030ae671b5d7294c1c9ffc68cea03d59a3307862dff77903965ef0041d5ca95a |
C:\AdobeHT\devoptiec.exe
| Hash | Value |
| --- | --- |
| MD5 | 56d51b3567dc903a7052a24f2e68be5b |
| SHA1 | d01e7083e0f41fd7bc3c3da2d644626812922db3 |
| SHA256 | cc5af927c0248e9f368e6c26f66666c9eff5c32b6128fba6b38110ceb0d461eb |
| SHA512 | 40f26921b1adef3f852de4bfb699c16a3d6e2cd16135141532cb8c0997e624a45f65c27484d9307ac6c26616582b87bc43cf3fcb92094287ca70656f31370e39 |
C:\KaVBW9\bodxec.exe
| Hash | Value |
| --- | --- |
| MD5 | c925546af61c25da7a7cbe9eb39aaf37 |
| SHA1 | 6d0d651a58d5782634b9d92ad7b4dbc162db67e8 |
| SHA256 | 92ee2a0298fa16ed68633b5aaa01a9a0f2676c7a63ea5ca88cced7db1bda3ec0 |
| SHA512 | be62d0cb988f155f75c8b94039423d4d76b3c8af51c6a842e2a1b3984a784e9bc7f8391e83c8a078c7ed81477120ad1516f0dbd14cceff1e2ef8cb30df79009b |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | b39bd4f2a1188c5e35356ed0edb734f6 |
| SHA1 | 0dfba04ba7770ca590870f12f37d6ae9774608e4 |
| SHA256 | 33d708e808ce4840df600ccae3ecc2c4233d909ffa5be5c72e1eec88fa0ec7b1 |
| SHA512 | fa0e33b6b2d84e5fc308077c46c59a57123e104cda8335fca970755f64ea375803bb471edf9b760113f754f26d7d9201d1b02102201805a83ab99669d273b8e3 |
C:\KaVBW9\bodxec.exe
| Hash | Value |
| --- | --- |
| MD5 | bf04fa63bb070dd2845042a04154d8a5 |
| SHA1 | 3e199415a13f2ec61be39ab9ebb7850128187d9c |
| SHA256 | 3fe58b002e3811a783bc9a694b1d3d35cb18e27f7bd5398f2c803dfe9585aa5b |
| SHA512 | 18d5b0bce56c1b66cf437e27aaecdf00800356bfa9bf5716be626ca9d436d8e4d9f99cf6066e08d5f4d7b91caebf27dcae4cb46a3c86e051d75f56bdd844a991 |