Analysis Overview
SHA256
db4090f89cf97827ffdef3d2385981607d693bee0d298e60a725caa2cd2ba3af
Threat Level: Shows suspicious behavior
The file db4090f89cf97827ffdef3d2385981607d693bee0d298e60a725caa2cd2ba3afN was classified as: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:18
Reported
2024-11-10 01:20
Platform
win7-20240708-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\db4090f89cf97827ffdef3d2385981607d693bee0d298e60a725caa2cd2ba3afN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\SysDrvR8\aoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\db4090f89cf97827ffdef3d2385981607d693bee0d298e60a725caa2cd2ba3afN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\db4090f89cf97827ffdef3d2385981607d693bee0d298e60a725caa2cd2ba3afN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvR8\\aoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\db4090f89cf97827ffdef3d2385981607d693bee0d298e60a725caa2cd2ba3afN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ26\\boddevloc.exe" | C:\Users\Admin\AppData\Local\Temp\db4090f89cf97827ffdef3d2385981607d693bee0d298e60a725caa2cd2ba3afN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\db4090f89cf97827ffdef3d2385981607d693bee0d298e60a725caa2cd2ba3afN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvR8\aoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\db4090f89cf97827ffdef3d2385981607d693bee0d298e60a725caa2cd2ba3afN.exe
"C:\Users\Admin\AppData\Local\Temp\db4090f89cf97827ffdef3d2385981607d693bee0d298e60a725caa2cd2ba3afN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
C:\SysDrvR8\aoptisys.exe
C:\SysDrvR8\aoptisys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
| Hash | Value |
| --- | --- |
| MD5 | c993ec4e2391aacd54d3a67924be88ae |
| SHA1 | a1df1dfaf5120ac34d2567729b36d27163cc566a |
| SHA256 | b2aa3ff71e8a87a54fcfbdcdfd370cee48e41a8ab55a976cf8634dd1a570a9f5 |
| SHA512 | b028b7c49f5c62be3a7c890c74a94d5bcfaba20b3440057d691b1654d967255a9ba3620f00c1bb72db88005230bc52dd18452c97732e88ccc53a1472b5e9e207 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 0603c88f2271022b7bbbb93151d9807c |
| SHA1 | 3c4e8edb470b74f1f8454ee5b66557064373f9a9 |
| SHA256 | c5b764b4a512fa22b4616c7dd6548d8bed1a535f5415f269c6c5a1d93338795d |
| SHA512 | 88a7c66ec13965c2970b4003902ce35bb6f1640f4872a37c31456c2136093d8ba5e1074b3f6472b084eac0de3ade0e7aba49d2164583bafae2c00e095fda6ad4 |
C:\SysDrvR8\aoptisys.exe
| Hash | Value |
| --- | --- |
| MD5 | bd291d2ca5e27cb50a17889db85ce3f8 |
| SHA1 | 114642ba730fe123cef6401f102de3f9ffa65faf |
| SHA256 | 45df21c6dec7235b340035c9b1a8c295539ef5b7140668e769a70fc794eca98d |
| SHA512 | 606e189c91c95019a40b1d57425568bd05ce82811746b53cd618802428d1b788a72fbaa8f3deb35ec1b1ede7d321f18886642ea9d945d60562d2e6a938d42216 |
C:\LabZ26\boddevloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 845746dedc36f9b9203d4802b9c13f95 |
| SHA1 | 4d63bed1ab0ac49718637c13c6190379fd0b264c |
| SHA256 | 7a6a9b62b6060400265d65eb2a84596de03012416020373929e57e9c73263c47 |
| SHA512 | 80df19edc7b01e2c3e6eafddb91d93340e038f3017da7b55aa5a87c3f8b0d61e7a3e75037ebbc4c8bf75ac79ccf841ed0238608b7bbbeb539025f6c5dd484778 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 766a384d79ea4cdaa04a6ac6f7a45e0e |
| SHA1 | 2ec293a3106658be45fa4825808f5857f38978f8 |
| SHA256 | 0271101121fa9cc3ff4732eba8f02c058fc74514ef1d0aa85ae389039f3b7b22 |
| SHA512 | d378b0d6292c654f200b4da2f8610aa849af476bdaaccee36575d7ab8847ace27195dd7cdb5e3ce2ffd9b5e39da087b2f2867b0fb706fa035e54b6443369de4d |
C:\LabZ26\boddevloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 662408282427a05ec8aad94e10c9215b |
| SHA1 | 70b142a20b56f1888fe9b0b6a33f770a9b0be228 |
| SHA256 | d4074be026fc3f50a0f455ff8cbf3c6b7f7f4f4ed94b5d81869fdad3b276dade |
| SHA512 | 04b565dc3bca08f680aaadd91b0c69d5a4b96ab66b8fd3a58298980a208fdb1440e74bbfda3e4304cce0c8ca2b2879b072f2c0539ed177083a629b54727e5ac8 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 01:18
Reported
2024-11-10 01:20
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\db4090f89cf97827ffdef3d2385981607d693bee0d298e60a725caa2cd2ba3afN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\IntelprocWN\devbodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocWN\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\db4090f89cf97827ffdef3d2385981607d693bee0d298e60a725caa2cd2ba3afN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidTK\\optixec.exe" | C:\Users\Admin\AppData\Local\Temp\db4090f89cf97827ffdef3d2385981607d693bee0d298e60a725caa2cd2ba3afN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\db4090f89cf97827ffdef3d2385981607d693bee0d298e60a725caa2cd2ba3afN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocWN\devbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\db4090f89cf97827ffdef3d2385981607d693bee0d298e60a725caa2cd2ba3afN.exe
"C:\Users\Admin\AppData\Local\Temp\db4090f89cf97827ffdef3d2385981607d693bee0d298e60a725caa2cd2ba3afN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
C:\IntelprocWN\devbodloc.exe
C:\IntelprocWN\devbodloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
| Hash | Value |
| --- | --- |
| MD5 | 1c10bf005fe99fe04bb91bf5f55e7fbb |
| SHA1 | dca8f165d67ae033fff50fe762b6a3997dd9e392 |
| SHA256 | e12f7349a96c8d6b13723ff7b1bd83124282212fb428541bd523dcecb1ae2d1e |
| SHA512 | fbea7fc51ea867e51732198836f4bedc9a8a42a648f2d91f8b292a816167dd5917c4c34587cce185bc6e56e37715363e9acc27a1f220ae7917652186e9e36e18 |
C:\IntelprocWN\devbodloc.exe
| Hash | Value |
| --- | --- |
| MD5 | eefec8839469d76fc9408c8b9f28ced8 |
| SHA1 | d2bbab0e72510d83c5335ad7eeb20665d4d72554 |
| SHA256 | 5f27f032d91301295464a8a262ffa2c5a683011e719744f9f7361093ea800be6 |
| SHA512 | 2cd77089d186d87dfe804d85331e21a99d6aff0b850bb3c362d22c4c817fb361557ad49cb85ee297a2fdfbc912a56b562f99945c203bf2b56b52cbe13e514095 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 6e37779b282aa91c3514fd8a5137dfb5 |
| SHA1 | d8e33dfcb4c97bf24448a3d150ba1ce23542a4a5 |
| SHA256 | 7358353bb7b93694ac1aea77b2e88e00f0f751c453b5a85fe9d11068c8a068a9 |
| SHA512 | 20e4d546a113b3910a7d3ae107cc30fa0e38c7967a47c70281c5a3a728726a9aa7adc6a44071496628632cd7dfdf7b57b995cd17e6128dd788bc6a992bd2f251 |
C:\VidTK\optixec.exe
| Hash | Value |
| --- | --- |
| MD5 | 91ee63ccbc22fd53eaa9828820f020e5 |
| SHA1 | 0557cbb8bd8e6882edbc0a0d94c5cfd18115f8c7 |
| SHA256 | 7627e0a4b8962b18604ea21ae03eb4a88cb530447827756293dec08524743644 |
| SHA512 | 62053f43c8e9a07f23cb07308949a19096c2aa4c7a66518f18f01a9aa793316eb061664044a2f628a66512136286ca3eb0ee3a3e8ace1274bad7dd3e395dd2e8 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | f117555255a37102e8fe5d715c8a2ffa |
| SHA1 | b56bb55da495eb238fd56103eeac59a17f5e8639 |
| SHA256 | d9ffbcbab00f909cd92546c7f5e728038f393287bf88f2f02f22f62e7dc4aa5e |
| SHA512 | 133d30216518272c43a48f1132d0bb5bc3c52e95a6a0b2bbe1e7de8ea219c20135d27998fa9f5820a5e1f54c7282e9da25f7ee579c0c506ffeed0082aa583184 |
C:\VidTK\optixec.exe
| Hash | Value |
| --- | --- |
| MD5 | 10e6df3619bbbd1a2464d5000a56fbb5 |
| SHA1 | 9080f324c059847c04fbc434d62d8ab2e06140a9 |
| SHA256 | e437e0733cdde421f32dedbcb49fb69873f23116dc2523e2a45b18e005fd1559 |
| SHA512 | 9cf956066c20f94e36fc21e8c536ef7625e51e279c3c9794d5029cac42d155db5a2e79ccfe4010364e50c34b0675745a5fc121a112892a31b331ab14427ac6ff |