Analysis Overview
SHA256
1f2604629c962cb199851f39fee00cd2411509f3c3c622a7dada59bd48b4d1bc
Threat Level: Shows suspicious behavior
The file 1f2604629c962cb199851f39fee00cd2411509f3c3c622a7dada59bd48b4d1bcN was classified as: Shows suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:25
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:25
Reported
2024-11-10 01:27
Platform
win7-20240903-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | C:\Users\Admin\AppData\Local\Temp\1f2604629c962cb199851f39fee00cd2411509f3c3c622a7dada59bd48b4d1bcN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | N/A |
| N/A | N/A | C:\IntelprocKH\aoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1f2604629c962cb199851f39fee00cd2411509f3c3c622a7dada59bd48b4d1bcN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1f2604629c962cb199851f39fee00cd2411509f3c3c622a7dada59bd48b4d1bcN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocKH\\aoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\1f2604629c962cb199851f39fee00cd2411509f3c3c622a7dada59bd48b4d1bcN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintYE\\optidevec.exe" | C:\Users\Admin\AppData\Local\Temp\1f2604629c962cb199851f39fee00cd2411509f3c3c622a7dada59bd48b4d1bcN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1f2604629c962cb199851f39fee00cd2411509f3c3c622a7dada59bd48b4d1bcN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocKH\aoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1f2604629c962cb199851f39fee00cd2411509f3c3c622a7dada59bd48b4d1bcN.exe
"C:\Users\Admin\AppData\Local\Temp\1f2604629c962cb199851f39fee00cd2411509f3c3c622a7dada59bd48b4d1bcN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
C:\IntelprocKH\aoptiec.exe
C:\IntelprocKH\aoptiec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
| MD5 | 29c37a565e55da97aec2b704a85322e0 |
| SHA1 | 1221fdc3512a44d64f07200c554105b07a7b74ca |
| SHA256 | a65b9c2dcad84299922421fca3c24918223ac41781194945705dc2861bf328cd |
| SHA512 | 1434316b1451b8ef79af120ca5ef4af86997695c813423f6263ed11011f5c6e8571515b83b67c383f1e2537d53cd87618cfa16d9d4ccf1d6be6e1e0eca0e5b6c |
C:\IntelprocKH\aoptiec.exe
| MD5 | 28748ae30171bb94cccead551caff232 |
| SHA1 | 5ef4d13873dc1bfb957f409fa3837d72dd522f6c |
| SHA256 | 2bfe6f20a5088574ef88bf70d761c877101c719f3268171395701346fceaae38 |
| SHA512 | 9fe747ec889d51f5316ea1daea87b6b08902d37b1a64b61fc75d9d89dce1be990f9284503dbb4d576729a70142efa3d332856d4244faf2a6898046eeeef02229 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | bffed90626217ecad5173985a6668ae2 |
| SHA1 | 15e6ec87d01f16af0b63d9e5413ae733f6e9952a |
| SHA256 | afb103e355cf52a0c17fbdb1dd099ffcd4b26b04ec6a4a0349ad174ed8d6ef0a |
| SHA512 | cba61b67729ad65612f148ffcd25af5e6100fc9b9420e37b7e6b35d2e8d6e65e8b6f5615b2cf21cf0d71a6bcfe833958c9a6e41cd91ad56038a19f53865b5e55 |
C:\MintYE\optidevec.exe
| MD5 | d54a12b4001097383df023803e3d44ed |
| SHA1 | 55d5befa2b8acc558dac1383fee278b7dba9d6ca |
| SHA256 | f5da2b879ce6afe68309c6e93a77400bc5158635ab7ad737fa6c0569e3355bd7 |
| SHA512 | 1a60b2f834d5c421d56e73f6d305f970d2446ce671d24b5167beba9987d09cffaee3168a874d99353f7cd658b6f736b260bf75d8f3dac542c9e7c310949de5a7 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 3511660ea2a61fd842e16fcd576d3fa3 |
| SHA1 | bb8317493b68862834c5a474b189e23ca2ddf227 |
| SHA256 | 90464f88fc9524f81fce53709b264cb73e35d792fa75061a9dcf5a199ed89ec7 |
| SHA512 | 57dbe9506743dc7bac2a0b117d4bf00d4a35bb93aa00f9b3c86195c6ad6af909fa1e3fd56d1fb8cbf12ef315b4ba709b23c324e4fa0b2b46ff776ca034558a74 |
C:\MintYE\optidevec.exe
| MD5 | 2ec8c12a117bc7f8e18d5b2dd96a04d0 |
| SHA1 | 8f7158959267a4a6a65320d90d0b499f52f27178 |
| SHA256 | c4073d574680538e537ea8ccbd733f4d4f2a8bc2a1f1e59db97c0e56859fa270 |
| SHA512 | 3dac9b012b3a5d3596221c71648d8b1380d70341b471c4fd7055f9ca91fc8369cd29410313d09b04b2e72adcebede3e244e19c42adbd04987f8b11f96f0230db |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 01:25
Reported
2024-11-10 01:27
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
94s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\1f2604629c962cb199851f39fee00cd2411509f3c3c622a7dada59bd48b4d1bcN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\Intelproc88\xbodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc88\\xbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\1f2604629c962cb199851f39fee00cd2411509f3c3c622a7dada59bd48b4d1bcN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintYY\\bodxec.exe" | C:\Users\Admin\AppData\Local\Temp\1f2604629c962cb199851f39fee00cd2411509f3c3c622a7dada59bd48b4d1bcN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1f2604629c962cb199851f39fee00cd2411509f3c3c622a7dada59bd48b4d1bcN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Intelproc88\xbodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1f2604629c962cb199851f39fee00cd2411509f3c3c622a7dada59bd48b4d1bcN.exe
"C:\Users\Admin\AppData\Local\Temp\1f2604629c962cb199851f39fee00cd2411509f3c3c622a7dada59bd48b4d1bcN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
C:\Intelproc88\xbodsys.exe
C:\Intelproc88\xbodsys.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
| MD5 | b6bc737d05b83133976d6cf28dc88688 |
| SHA1 | 480fe1e5a4ccd9bac087b8dbf788624404d0e496 |
| SHA256 | 5d5bb74322cff88340f8b6ea7901f5ef614d3fdba7b5f4f3fa2e89463f6e6dcd |
| SHA512 | cd4c7d1c45bc538864c78583f8df29e71cc35faa121f2c9a8855b6e11b78479265da91e0db5a450d6a61cf1394b05f63fc53728aae2fbbac0d6bf492a2c294fd |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 46f0c2be79698101122ea9a87379b158 |
| SHA1 | 9387db34837c97cf07303c902bdafc9069de0596 |
| SHA256 | b9d8cff9f4d5e987abd82c70a2d408f63891808da6a5405050681cef2984eda0 |
| SHA512 | 33bf32faf679af142bf55718615a84b604adef784ef24e7533c04af30ccb52a3306b443e6e41daeba28b2ce4c62d43071999bc4c74fcb8bced963cf8b009524e |
C:\Intelproc88\xbodsys.exe
| MD5 | 7f721cfd8b0a6d621c5fa6d8059da09c |
| SHA1 | 7d7730907bdc0ad5a1e88a0b706eb7400b24661e |
| SHA256 | 059d160ea44b37176723c1a8b88a1758e79ad15609156c3dfce6be2516178c60 |
| SHA512 | 0d0d86c6836d5e2671c26a9879f2f0a0515d77f5d2166ba3cda054d33b6b0dd5dd8e41b7a84e8f44fdd12a2b7671f887b9ccad415f15cbd87b43538a2cd6d0c7 |
C:\MintYY\bodxec.exe
| MD5 | 03b14ca63ef0606c76389f45d414a11d |
| SHA1 | 5aa795f416025f934d40889729f8f63d3d980a0c |
| SHA256 | db5bdf5fa6a26786af93f381a5a5f384927954b653f23a1a0c0297419734d6ca |
| SHA512 | 38a1fc11d9f7b9431de4fd06ccaf15d6241fd4df758cca17ac9cb53710d058852fd85ac0873e70d092ca1e70db7304ad65a6884cbdf21c9caaace216fda76940 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 45af6150d5f2c59fa0492dd983f2b737 |
| SHA1 | 9695438ca85954449fd04370404e6582fab3a749 |
| SHA256 | 4cea8142f48db4c56ba272c95246557d6a6a771867bcb20dbdf6994ea4a40faa |
| SHA512 | 15c24685aedd9d77410dab8a3b0e831ad746a196dec26a81b140e1fe7e2c65da9c69262e308e28ba06b8358f49ae492ef80779570c45deb25b7586d2dfa2e414 |
C:\MintYY\bodxec.exe
| MD5 | d6f3d8f05e23eaf5bc1f893a191816ca |
| SHA1 | de27a1bd9b1b22876970534afb558aeb4ac8c45e |
| SHA256 | 1e9fbad46fc1b4b6845b48997447f75b759847557e2458cdbc5d4d8c8a0157a5 |
| SHA512 | 0d6336798c1283441db326f48041fa05c5901d46ae52aa39147509cfed3e1f6b02a8547876db6819a983ca7afa34185a4877e4c0313b1ce9ae0730a507695d7b |