Analysis Overview
SHA256
595bf5726e74f537f4bc87c53fcd27e34eb901ccfced1c9dd4baf1949470c550
Threat Level: Shows suspicious behavior
The file 595bf5726e74f537f4bc87c53fcd27e34eb901ccfced1c9dd4baf1949470c550N was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Drops startup file
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:14
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 01:14
Reported
2024-11-10 01:16
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
94s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | C:\Users\Admin\AppData\Local\Temp\595bf5726e74f537f4bc87c53fcd27e34eb901ccfced1c9dd4baf1949470c550N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| N/A | N/A | C:\SysDrv9J\devdobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv9J\\devdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\595bf5726e74f537f4bc87c53fcd27e34eb901ccfced1c9dd4baf1949470c550N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid6P\\optiasys.exe" | C:\Users\Admin\AppData\Local\Temp\595bf5726e74f537f4bc87c53fcd27e34eb901ccfced1c9dd4baf1949470c550N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\595bf5726e74f537f4bc87c53fcd27e34eb901ccfced1c9dd4baf1949470c550N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrv9J\devdobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\595bf5726e74f537f4bc87c53fcd27e34eb901ccfced1c9dd4baf1949470c550N.exe
"C:\Users\Admin\AppData\Local\Temp\595bf5726e74f537f4bc87c53fcd27e34eb901ccfced1c9dd4baf1949470c550N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
C:\SysDrv9J\devdobloc.exe
C:\SysDrv9J\devdobloc.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
| MD5 | 676a9da3e628df7ef37297546397f36c |
| SHA1 | 9a4277f22a950acb1a6472a9149d465dc700fff9 |
| SHA256 | 4df0aa091f8733ee74c8658fe8656ca8c290f6afe57fa6277119607d841bc535 |
| SHA512 | 431b52263d65f9cfbbf383681759eb28362f518b11688a53c19a5597a7b156049551eb82950ef3949ca698f1d9a2b616a16f019faf902907cbe0fabddca9dad5 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 4ef96f952be270ca00fd44f48dd0ab3f |
| SHA1 | 5c3dc1ab4ab02bf1d95fa07d197f82243d8fedd4 |
| SHA256 | 2c78bfd3a71423d5f80bccd94775472e5c53741524be2bc00145d3a240ea1017 |
| SHA512 | b0dcf07a7a469ed43c09d43c7cdf1b1d80601faa102f5d877dca56e00e5527bf7a23e053fe0d767544db41f93f4a01d1fc3731693507dc7d1a6f59e6c0d06050 |
C:\SysDrv9J\devdobloc.exe
| MD5 | 3b85c7d1d87bd61bc355d564e7d28a11 |
| SHA1 | 069dea6339d9156e51bbe949df23a11cf85b459d |
| SHA256 | e673e7fe7d2982ec7973d85dc62708363e7c959a34761583e1ac733bbb01000f |
| SHA512 | b848c0acb6ebac2681b917bc893f4e80ded401be7b1a0d8449754ba1c79f7a5649802a79c8b5c6b4d1393700f02a2686759146d5556566ca0fd3126091826f12 |
C:\SysDrv9J\devdobloc.exe
| MD5 | 5a14429f6f9332a9cb17ae8ee89f899e |
| SHA1 | 17cb832c683a84d19aab6aed186b19b01e5e1727 |
| SHA256 | 95bcb5d6fb87379401c078fc1c287034f020d1214b1e2a48f5763691213e323f |
| SHA512 | 1a2602cff8558457d3a1fbe5ece55af9178880f32f28fd482186132e3b6f1d6dfd847ac4a5b51ef8c409b0b28a0512be86dcc0f9b0cf1fd869f3ae7833564d9b |
C:\Vid6P\optiasys.exe
| MD5 | 49a61cb719df93e50060a9a1f7fd2d14 |
| SHA1 | e5657b05b2574f6043ba62c14964f56447dd6358 |
| SHA256 | 27054f80461734dd09c27185eb74641448c1d544d8eb55eacec793612c0977af |
| SHA512 | 36649cb784bd6558d3b2fe70bd69666b4eb312199da54218abdf0857504770f1a693da9420f8d89506cb85d7c5d97c67178cba4a97182c2d5158074f2b071a68 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 6cc69532a102f2c8342dae3bfd9ee562 |
| SHA1 | 54d340de218524864c907f29eb5936d7e7f9cd5c |
| SHA256 | 81514a65e80470e37a95d9b167418848c97a884e1a84c93a78083a857da43cfd |
| SHA512 | be205228c2db32efbd7fbdaa49e533b497913a1d5d0b048e9ca6712eb8a65079cd9d49a9eb8a7312515ff93de6912eee4a149d420ce3fd8412c20ba9c7d0e55d |
C:\Vid6P\optiasys.exe
| MD5 | efe6ddf93ef9c1ab381cd11e65df79fc |
| SHA1 | ca26625c07cb87f3761a181e92d76c22bffba378 |
| SHA256 | d264d8062e689be0dc29433caee9e72a90098e97d05517f8a9af5bf0b11669e9 |
| SHA512 | 9cc6e3328f92641a59cc8caa08d85ad57daf343d81b0194b70b0c795d0ec88350607c7137f9c4ea245cd251a23f9159fa5cbfc2aa0d798b77cc63c8981f04ba6 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:14
Reported
2024-11-10 01:16
Platform
win7-20241010-en
Max time kernel
119s
Max time network
19s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | C:\Users\Admin\AppData\Local\Temp\595bf5726e74f537f4bc87c53fcd27e34eb901ccfced1c9dd4baf1949470c550N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| N/A | N/A | C:\IntelprocJQ\xoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\595bf5726e74f537f4bc87c53fcd27e34eb901ccfced1c9dd4baf1949470c550N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\595bf5726e74f537f4bc87c53fcd27e34eb901ccfced1c9dd4baf1949470c550N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocJQ\\xoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\595bf5726e74f537f4bc87c53fcd27e34eb901ccfced1c9dd4baf1949470c550N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxVX\\optiasys.exe" | C:\Users\Admin\AppData\Local\Temp\595bf5726e74f537f4bc87c53fcd27e34eb901ccfced1c9dd4baf1949470c550N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\595bf5726e74f537f4bc87c53fcd27e34eb901ccfced1c9dd4baf1949470c550N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocJQ\xoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\595bf5726e74f537f4bc87c53fcd27e34eb901ccfced1c9dd4baf1949470c550N.exe
"C:\Users\Admin\AppData\Local\Temp\595bf5726e74f537f4bc87c53fcd27e34eb901ccfced1c9dd4baf1949470c550N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
C:\IntelprocJQ\xoptisys.exe
C:\IntelprocJQ\xoptisys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
| MD5 | 193eea43aaf1bcdecaa4401c2c621203 |
| SHA1 | 7123bb4173b8217b9741d0e4f7a5d55117283c73 |
| SHA256 | c953f4f52477080af5b98c6daab6687ad240d19de5a3cc66d14873fe6774f83f |
| SHA512 | 3b19ffd2b72c03c5cd3e6a68ed89dcf70bedeec12eccf036b21ebf72304ecafc6788469fc9fc9af75c95b8d9fdd59e2b5495a9029e472b6a5e25b995fbf673e2 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | d525108202ce982ba5ea97abe16fdcbe |
| SHA1 | b9847cd8e6512ca2d3d1b21e00cba33f316ff5d6 |
| SHA256 | ab6611473f3d1ccc44d4bb6465b0998f315bfffb9778ed481a72e94a36ed3473 |
| SHA512 | f4293ab2dd325b6a5a11ee921001a15170738febbf56ae7572b43d6d9480cc3f556477732a4f40a17db33ac34c5cf9fb34b6a6ba2bf6826ac1e739a8c6008106 |
C:\IntelprocJQ\xoptisys.exe
| MD5 | 19c41762a5587df5806ca20e08ff4777 |
| SHA1 | 9585d6ceb1beede888d7fbd14aee518fd60cef89 |
| SHA256 | 83ef22d1856e37923ebbee5228f8b0471f36bb507cd0380284701b73267e55b6 |
| SHA512 | 14298c598c9b01840d0f6d3490026b3c14a3c94cbbe6606afdac4ade47f98d1cba87bbe79c5bbd7f56bb2133fbcd0336bc58bf7f71c3ac0cf33303684d04722b |
C:\GalaxVX\optiasys.exe
| MD5 | 39725a9263bf972f3003b9eebaf3e95b |
| SHA1 | 69ba165f37663bdbd048b022c3be345ddf91cf90 |
| SHA256 | eb5d0e283d9548a9a4c76dbdbcb3dc5a6c454f97c1a653a40e5b2378ead9a223 |
| SHA512 | d83ba7f963c4dfa124b535d0dc2c776a2d5109ee971f50577d40b2baa7a58b779f5f84d2d0ebaab8fe1f24a20861e2afc920adaa92099926638c247062904fe1 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 013ff852ee117ee4b855c6019b400e1d |
| SHA1 | 676026d223e3635b8b9acbf304c7ebcdbf039be8 |
| SHA256 | 8a5fce468db46743c57b7039ea4db06a2ea18b3752bbbfa17ed48935905257ec |
| SHA512 | 8edf2063194c0119adfb772d884810f1e7b1e09bdafc235636f0b32f4f44b57702ba2a02db12365779edc02f02ba27bb5d62c14e32a8b8abcdf60c1482c67761 |
C:\GalaxVX\optiasys.exe
| MD5 | 9e1a42c50a00e8df390d92e7b61fdff9 |
| SHA1 | 6c9341d8481de37320a31f4388721143011c37d9 |
| SHA256 | e59fd9f02f0154ddf51160745374d1e7e9ecb4bed2aacd88314d38fde3f44c42 |
| SHA512 | 7a057748f36145ea318b1444e9659901ebaeb74e4e77d408f19e62c4605eb56909999ede21c8c1b622e620c772a90f0afb9226fe30d017c4300ab59e4ed9dc72 |