Analysis Overview
SHA256
599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47af
Threat Level: Shows suspicious behavior
The submitted file 599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN was classified as: shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 21:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 21:18
Reported
2024-11-09 21:20
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | C:\Users\Admin\AppData\Local\Temp\599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| N/A | N/A | C:\IntelprocBN\adobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocBN\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB6U\\optiasys.exe" | C:\Users\Admin\AppData\Local\Temp\599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocBN\adobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe
"C:\Users\Admin\AppData\Local\Temp\599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
C:\IntelprocBN\adobsys.exe
C:\IntelprocBN\adobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
| MD5 | 12124c663d28acd34197072e6e2eb0b2 |
| SHA1 | 6f240f794acb888adbb588bebd6971349e6aedcd |
| SHA256 | 36ace00ec8c210cf280a9ff80a56383bffdf7a816d09ca1b482191551fa7f8dd |
| SHA512 | 4c70632b38c27e9f852906abb644146eef93da4e7a8b01597f321d127a9e53dac0d2fcb6816078d746c62e96e3495e7483bb0aa96bb4124b776483c2dc1a84db |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | ef3c6c0a4b1a8298e050d7e9838412d0 |
| SHA1 | 5422de6a3f7a7edbccba03deffd62d2652eac39f |
| SHA256 | 14be82aef4f3fc3033ab6ac02dbf7c0bb68e211e99829cdde15a4d040c0be14b |
| SHA512 | 39202397343aaa412dc05763305830e2767d9b60a72dc3d899c4141947567fff60cfdf9fd1526a2f5241a3c9a0db558006cb6ade0a11835cc01f6e522eadfc16 |
C:\IntelprocBN\adobsys.exe
| MD5 | 181f83a25ac338cff30fabe819f4365c |
| SHA1 | bae04098deb4a60366f053fe2a3fcb491415471b |
| SHA256 | 5ff70e549556b681068bb416cf3f35b4e1d4c6b26a91ba46965f60aa453ab314 |
| SHA512 | 8a43c4333b475d1efe9ff499b7d9fb84788f8a1c0d60507f3df7cfdf4aa2880d56ca2d9092af154279220aab22f0e4bc41f236fe37685443c32414c490bdc472 |
C:\KaVB6U\optiasys.exe
| MD5 | 10423e1e915265a1a52b32f82e1fdcc6 |
| SHA1 | 62f28b1e825738f1725083536559e5189111f86e |
| SHA256 | 095510c32197172938698b5375e7b294caa4ab7ef157825ccb359e9ad0c7cd5d |
| SHA512 | 7234a2bfe0d4e2636c9d8a4faf8ee0caa94bb9f32e54e5759fa8d3e1fdbf557d48ae93115a7e03da56bd9aa4b56cb4a01f98306c53d10a6de45d91b940220dc9 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | dd2af84d82a63d3664b0f150de86d646 |
| SHA1 | 8c633a373bcd2774c8d5a9d2b2a4ab7fc24cf564 |
| SHA256 | 59352b91c386b781a5b3674faad5312ba7eb8f8ea6072a569e0d8ee8e6c14d0b |
| SHA512 | 99637e87286c54b9a9acdd96aee10e87d62b35f87f9453c6cccb7738fd225d26d13a1063c59c347ab1ff474a1949697086da6ad7b3bc8fa593bf9fd318b4c061 |
C:\KaVB6U\optiasys.exe
| MD5 | e7ab8feffd1a944e9635f1e0d3d4b19e |
| SHA1 | 04aadef208dd9aacd5185c3a0f51fb8ae24cd4c0 |
| SHA256 | d3a577ad10686ff911aa14c51a5c45d39c69f815ff5efcb4169914ed20f4b831 |
| SHA512 | d886a129b63681f701d1f1f5c56d355a29627faa78b8533be568dec855fd535efdb7d981ee18b3f3a40e0d670ecfff4598a339766ef9f319eb6bdbaf7478267e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 21:18
Reported
2024-11-09 21:20
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
94s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | C:\Users\Admin\AppData\Local\Temp\599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| N/A | N/A | C:\FilesK5\xoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesK5\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxW7\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesK5\xoptiec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
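Detection logic for the persistence pattern recorded in both detonations, as an added example (not part of the sandbox report). It runs over constructed Sysmon-style event dicts that mirror the behavioral1 indicators above: the Startup-folder drop, the Run and RunOnce values, and the NLS\Language key read. Two observations from the report drive the rules: the value name Parametr is the one string that did not change between the win7 and win10 runs while every directory and file name did, and the Run/RunOnce data points at an executable inside a random-named directory created directly under C:\. The NLS\Language key open is scored as informational only, because legitimate processes read it constantly; in this report it is corroboration, not a detection. The field names, the benign control events and the scoring thresholds are my assumptions.

```python
"""Flag the Startup-folder + Run/RunOnce persistence pattern from this report.

Added example, not part of the sandbox report. Events are constructed dicts
using Sysmon field names (EventID 11 = FileCreate, 12 = registry key
open/create, 13 = registry SetValue); registry paths are given in the native
NT form the sandbox prints, but Sysmon's HKU\\... / HKLM\\... form matches too.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

STARTUP_DIR = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\",
    re.I)
RUN_KEY = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\(run|runonce)\\(?P<name>[^\\]+)$", re.I)
NLS_LANGUAGE = re.compile(
    r"\\(?:currentcontrolset|controlset\d+)\\control\\nls\\language$", re.I)
# Directories that legitimately sit directly under the drive root (assumption: extend per estate).
KNOWN_ROOT_DIRS = {"windows", "program files", "program files (x86)", "programdata", "users"}


@dataclass
class Finding:
    rule: str
    severity: str   # "high" | "medium" | "info"
    process: str
    detail: str


def is_root_level_exe(data: str) -> bool:
    """True for <drive>:\\<dir>\\<file>.exe where <dir> is not a standard root directory,
    e.g. C:\\IntelprocBN\\adobsys.exe; false for C:\\Windows\\notepad.exe or deeper paths."""
    parts = data.strip().strip('"').split("\\")
    if len(parts) != 3 or not re.fullmatch(r"[A-Za-z]:", parts[0]):
        return False
    return parts[1].lower() not in KNOWN_ROOT_DIRS and parts[2].lower().endswith(".exe")


def check_event(ev: dict) -> list[Finding]:
    """Apply the rules to one event; returns zero or more findings."""
    out: list[Finding] = []
    image = ev.get("Image", "")
    if ev.get("EventID") == 11:
        target = ev.get("TargetFilename", "")
        if STARTUP_DIR.match(target) and target.lower().endswith(".exe"):
            out.append(Finding("startup_folder_exe_drop", "high", image, target))
    elif ev.get("EventID") == 13:
        m = RUN_KEY.search(ev.get("TargetObject", ""))
        if m:
            name, data = m.group("name"), ev.get("Details", "")
            if name.lower() == "parametr":   # value name constant across both detonations
                out.append(Finding("run_key_value_parametr", "high", image, f"{m.group(1)}\\{name} = {data}"))
            if is_root_level_exe(data):
                out.append(Finding("run_key_root_level_exe", "medium", image, data))
    if ev.get("EventID") in (12, 13) and NLS_LANGUAGE.search(ev.get("TargetObject", "")):
        out.append(Finding("nls_language_key_access", "info", image, ev["TargetObject"]))
    return out


def summarize(events: list[dict]) -> dict[str, dict]:
    """Group findings per process. 'suspicious' needs one high rule plus any second
    distinct rule; a lone info finding (the NLS read) is 'clean'."""
    per_proc: dict[str, list[Finding]] = defaultdict(list)
    for ev in events:
        for f in check_event(ev):
            per_proc[f.process].append(f)
    report = {}
    for proc, findings in per_proc.items():
        rules = sorted({f.rule for f in findings})
        sev = {f.severity for f in findings}
        if "high" in sev and len(rules) >= 2:
            verdict = "suspicious"
        elif sev & {"high", "medium"}:
            verdict = "review"
        else:
            verdict = "clean"
        report[proc] = {"verdict": verdict, "rules": rules, "details": [f.detail for f in findings]}
    return report


def user_run_key(sid: str, hive: str, name: str) -> str:
    return "\\REGISTRY\\USER\\" + sid + "\\Software\\Microsoft\\Windows\\CurrentVersion\\" + hive + "\\" + name


# Constructed events mirroring the behavioral1 indicators, plus two benign controls.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe"
SID = "S-1-5-21-3533259084-2542256011-65585152-1000"
EXPLORER = r"C:\Windows\explorer.exe"
EVENTS = [
    {"EventID": 11, "Image": SAMPLE,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"},
    {"EventID": 13, "Image": SAMPLE, "TargetObject": user_run_key(SID, "Run", "Parametr"),
     "Details": r"C:\IntelprocBN\adobsys.exe"},
    {"EventID": 13, "Image": SAMPLE, "TargetObject": user_run_key(SID, "RunOnce", "Parametr"),
     "Details": r"C:\KaVB6U\optiasys.exe"},
    {"EventID": 12, "Image": SAMPLE, "TargetObject": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"EventID": 13, "Image": EXPLORER, "TargetObject": user_run_key(SID, "Run", "OneDrive"),
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"EventID": 12, "Image": EXPLORER, "TargetObject": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
]

if __name__ == "__main__":
    for proc, r in summarize(EVENTS).items():
        print(f"{r['verdict']:10} {proc}")
        for d in r["details"]:
            print("           ", d)
```

The benign OneDrive Run entry and explorer's own NLS\Language read are there to show the negative case: a per-user Run value under AppData is normal, and the language key on its own never raises the verdict.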
Processes
C:\Users\Admin\AppData\Local\Temp\599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe
"C:\Users\Admin\AppData\Local\Temp\599a196db08c16531eb49911e2f329292bf87dcfa2cad254cb2e46a6c20f47afN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
C:\FilesK5\xoptiec.exe
C:\FilesK5\xoptiec.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
| MD5 | 71de68e0dd8b9954275ef5127fd3eb29 |
| SHA1 | 1b07488676efd48f6df64d37746a79c1b71de6b8 |
| SHA256 | 104bd7ba998333774dbc42ce37c2ed99711cb1f9bcf5e39909f762ae9c16b179 |
| SHA512 | b7de44e87aab87e1a0d2465836972da4783e275c1c7299d505dca93f9c117a495ee706e15fdb3ca15fda9064aa4ff92d7921754012d9dd1fbf29b7789184453d |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | a96e9fc442e505bcc2aa89346f892f69 |
| SHA1 | 38e564d8d5574b2023f6624ea300519e75d8e37c |
| SHA256 | 6ec52caf8872b79974f52a6e3cc4fa954c2b69ab7d3465a77c3b236da23119fc |
| SHA512 | 6223214883efd27ebba73769e10410849b941d87fe38832a97d32a0a330dc32bf529dd765f1b0f20609981877655ac6baa16399e5781d15e1cc1a1b638199bd4 |
C:\FilesK5\xoptiec.exe
| MD5 | e758b9f9d8ef17192e5cc7dd769b0ac0 |
| SHA1 | 94db66604d2fc993a988adf2718500fd9d14b3fb |
| SHA256 | 47fd684fe89acfbb5f9f026c4d834a600b6865c24adfba89ede1353ec88d06ee |
| SHA512 | 4c0c0ea9d4387f755014c160390c1a388987e9b72abbdaa06af1b586171231b038ba06b33c853d7c57d0532b490933ff8df0230e63e8ff03c73d54391b33363a |
C:\FilesK5\xoptiec.exe
| MD5 | 669f4098400ac239304dc1415a2089c9 |
| SHA1 | 11aea35c62892aeb9f55e92b20b75982f679bfa6 |
| SHA256 | 4cc3fe013a9cee5af8a1964b16436d31cf1d915df9120bfdc6e9913ef1e6637e |
| SHA512 | 1d11b6d0de18ab066adf911f70efcf9a117b48f297aba67919100865e7ecb15b944f144a03646119e42b7f1c94968605e8c28274d58447ed384e7be5a69f223c |
C:\GalaxW7\dobdevloc.exe
| MD5 | 77b6da6137115a901eee3d3bb78e98f7 |
| SHA1 | 72b608be11a78700ed726f4eae711d7dddc78d42 |
| SHA256 | 9c9398d90d04b7382dd42255f9a77639095cf16069811987139c0b528d435317 |
| SHA512 | 4e3155c872e23c00fb249909172813dce5d8a1eb87ed7f2f8b19ac0f3847f6a413363a07146e795450065243d510869a8ba2c6d0a80826df4becbbc7184299f9 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | ade1294290373f7ccc21047fe19bd81f |
| SHA1 | 0b6e49aa89cbed2bf64c6bc6af1261fe5680efe5 |
| SHA256 | 64ad49cb61702173485975b2adc78f8f25d782ad930c6b71be16342d23ec378a |
| SHA512 | 4d4b4ec67c6ab677723b1d8bcd80c57c0cbc5b604269eaff7a2f7831b9ef93ddc6e47c0f01a2912916ff19b4051b22690f1ce5b9cee3e1eb8a4fe21053525334 |
C:\GalaxW7\dobdevloc.exe
| MD5 | 75acf949635f436882d1009cbaca9270 |
| SHA1 | dbf5960d912dd9069425f2efdb6e6aa45627c773 |
| SHA256 | ddd4e9523097a9bc451379797f2b19c3faf1b2075b5204453d0f44d2dd71d5c6 |
| SHA512 | 1b6c31a07c3f2bbb4fd22d775950c514879d3b8efab1dd4b1332a324863a0d3da2fbc43290bc98e40c886876e1c336379586c68abd2744e06cb764ece9e08116 |
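The Files tables above are the hash evidence, but read across both detonations they also show which indicators are worth keeping. Added example, not part of the report: the parser below takes the report's own path-then-hash-rows layout (abridged here to the SHA256 rows; the parser accepts the MD5, SHA1 and SHA512 rows too) and reports (a) paths listed twice with different digests, meaning the sandbox saw the file rewritten within the two-minute run, so a SHA256 taken from one run will not match the next, and (b) the indicators that stayed constant: an executable dropped into the per-user Startup folder, random-named directories created directly under the drive root, and a C:\Users\<user>\<id>_<osver>_<user>.ini marker whose id 253086396416 is identical across both runs and whose middle field matches the platform's Windows version (6.1 on win7, 10.0 on win10). The report attributes no network traffic to the sample (behavioral1 recorded none; behavioral2 shows only reverse-DNS queries to 8.8.8.8 with no process column), so host artifacts are the usable indicators here. The KNOWN_ROOT_DIRS allowlist and the INI_MARKER pattern are my assumptions; whether the id is host-specific cannot be determined from two sandbox runs.

```python
"""Turn the report's Files tables into IOCs and flag hash instability.

Added example, not part of the sandbox report. REPORT is an abridged copy of
the behavioral1 and behavioral2 Files sections above (SHA256 rows only).
"""
import re
from collections import defaultdict

REPORT = r"""
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
| SHA256 | 36ace00ec8c210cf280a9ff80a56383bffdf7a816d09ca1b482191551fa7f8dd |
C:\Users\Admin\253086396416_6.1_Admin.ini
| SHA256 | 14be82aef4f3fc3033ab6ac02dbf7c0bb68e211e99829cdde15a4d040c0be14b |
C:\IntelprocBN\adobsys.exe
| SHA256 | 5ff70e549556b681068bb416cf3f35b4e1d4c6b26a91ba46965f60aa453ab314 |
C:\KaVB6U\optiasys.exe
| SHA256 | 095510c32197172938698b5375e7b294caa4ab7ef157825ccb359e9ad0c7cd5d |
C:\Users\Admin\253086396416_6.1_Admin.ini
| SHA256 | 59352b91c386b781a5b3674faad5312ba7eb8f8ea6072a569e0d8ee8e6c14d0b |
C:\KaVB6U\optiasys.exe
| SHA256 | d3a577ad10686ff911aa14c51a5c45d39c69f815ff5efcb4169914ed20f4b831 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
| SHA256 | 104bd7ba998333774dbc42ce37c2ed99711cb1f9bcf5e39909f762ae9c16b179 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| SHA256 | 6ec52caf8872b79974f52a6e3cc4fa954c2b69ab7d3465a77c3b236da23119fc |
C:\FilesK5\xoptiec.exe
| SHA256 | 47fd684fe89acfbb5f9f026c4d834a600b6865c24adfba89ede1353ec88d06ee |
C:\FilesK5\xoptiec.exe
| SHA256 | 4cc3fe013a9cee5af8a1964b16436d31cf1d915df9120bfdc6e9913ef1e6637e |
C:\GalaxW7\dobdevloc.exe
| SHA256 | 9c9398d90d04b7382dd42255f9a77639095cf16069811987139c0b528d435317 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| SHA256 | 64ad49cb61702173485975b2adc78f8f25d782ad930c6b71be16342d23ec378a |
C:\GalaxW7\dobdevloc.exe
| SHA256 | ddd4e9523097a9bc451379797f2b19c3faf1b2075b5204453d0f44d2dd71d5c6 |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
STARTUP = re.compile(
    r"^C:\\Users\\[^\\]+\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
# Assumed shape of the marker file: <id>_<osver>_<user>.ini in the profile root.
INI_MARKER = re.compile(r"^C:\\Users\\[^\\]+\\(?P<id>\d+)_(?P<osver>\d+\.\d+)_(?P<user>[^\\]+)\.ini$")
KNOWN_ROOT_DIRS = {"windows", "program files", "program files (x86)", "programdata", "users"}  # assumption


def parse_files_section(text: str) -> dict[str, list[dict[str, str]]]:
    """Map each path to one hash dict per time it is listed. A path listed twice
    means the sandbox recorded two distinct writes to it."""
    listings: dict[str, list[dict[str, str]]] = defaultdict(list)
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        row = HASH_ROW.match(line)
        if row:
            if current is None:
                raise ValueError(f"hash row before any path: {line}")
            listings[current][-1][row.group(1)] = row.group(2).lower()
        else:
            # The report omits the drive letter on some paths; normalise to C:.
            current = line if line[1:2] == ":" else "C:" + line
            listings[current].append({})
    return dict(listings)


def unstable_paths(listings: dict[str, list[dict[str, str]]]) -> dict[str, list[str]]:
    """Paths whose listings carry different SHA256 values: these digests are per-run."""
    out = {}
    for path, hashes in listings.items():
        digests = sorted({h["SHA256"] for h in hashes if "SHA256" in h})
        if len(digests) > 1:
            out[path] = digests
    return out


def sha256_blocklist(listings: dict[str, list[dict[str, str]]]) -> set[str]:
    """Every SHA256 seen, for a best-effort blocklist (unstable ones included)."""
    return {h["SHA256"] for hashes in listings.values() for h in hashes if "SHA256" in h}


def path_iocs(listings: dict[str, list[dict[str, str]]]) -> dict:
    """Indicators that survived the per-run renaming: Startup-folder executables,
    random directory names directly under the drive root, and the .ini marker's
    (id, osver, user) fields."""
    iocs = {"startup_exe": [], "root_dirs": set(), "ini_markers": []}
    for path in listings:
        if STARTUP.match(path):
            iocs["startup_exe"].append(path)
        m = INI_MARKER.match(path)
        if m:
            iocs["ini_markers"].append((m["id"], m["osver"], m["user"]))
        parts = path.split("\\")
        if len(parts) == 3 and parts[1].lower() not in KNOWN_ROOT_DIRS and parts[2].lower().endswith(".exe"):
            iocs["root_dirs"].add(parts[1])
    iocs["root_dirs"] = sorted(iocs["root_dirs"])
    return iocs


if __name__ == "__main__":
    listings = parse_files_section(REPORT)
    for path, digests in unstable_paths(listings).items():
        print("rewritten during run:", path, "->", len(digests), "distinct SHA256")
    print(path_iocs(listings))
```

On the page's own data this marks five of the eight paths as rewritten within the run, while the Startup-folder path, the four root-level directory names and the .ini naming pattern are the indicators that carry over between the win7 and win10 detonations.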