Analysis Overview
SHA256
a84e2a9401911877fe73f99301e8dc0e21cc27cfedbf4baa97523931e0ea276d
Threat Level: Shows suspicious behavior
The file a84e2a9401911877fe73f99301e8dc0e21cc27cfedbf4baa97523931e0ea276d was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:27
Reported
2024-11-10 01:29
Platform
win7-20241023-en
Max time kernel
149s
Max time network
120s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | C:\Users\Admin\AppData\Local\Temp\a84e2a9401911877fe73f99301e8dc0e21cc27cfedbf4baa97523931e0ea276d.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| N/A | N/A | C:\AdobeQ8\xoptiloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a84e2a9401911877fe73f99301e8dc0e21cc27cfedbf4baa97523931e0ea276d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a84e2a9401911877fe73f99301e8dc0e21cc27cfedbf4baa97523931e0ea276d.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeQ8\\xoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\a84e2a9401911877fe73f99301e8dc0e21cc27cfedbf4baa97523931e0ea276d.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintOC\\dobasys.exe" | C:\Users\Admin\AppData\Local\Temp\a84e2a9401911877fe73f99301e8dc0e21cc27cfedbf4baa97523931e0ea276d.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a84e2a9401911877fe73f99301e8dc0e21cc27cfedbf4baa97523931e0ea276d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeQ8\xoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a84e2a9401911877fe73f99301e8dc0e21cc27cfedbf4baa97523931e0ea276d.exe
"C:\Users\Admin\AppData\Local\Temp\a84e2a9401911877fe73f99301e8dc0e21cc27cfedbf4baa97523931e0ea276d.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
C:\AdobeQ8\xoptiloc.exe
C:\AdobeQ8\xoptiloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
| Hash | Value |
| --- | --- |
| MD5 | e747ea170ad569fd392b744500ea32ca |
| SHA1 | c7ffb8dd673d744bf43b6aac4289b116aaf1d568 |
| SHA256 | 26118b34099af12189b57b1c5a2ddeba09afdf4e57c4bb9cf2ef8f8b2aab1174 |
| SHA512 | a97b237ce0848e0f9f645921b570b8f30fbbd3748936d85da016e9b994084df8355839a01fdbafcf3aa7beb41ba1e878fa034f9fce19a3e42b0c09fa22c7b00f |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 1d7a833a7ee28c87bac19095457c9814 |
| SHA1 | aebdf99d64940101632878c99aede0d1819fc37f |
| SHA256 | 512952ed898033f167498c9da09188e5a11a03b6026f599a2e772a9d51dcd065 |
| SHA512 | 714d52c087657df99035bde8f54cbed8f4e16aefa84d897207d18f50a07dfb89b48d3a27812103b1ce70915a9015b94efc09086a8b206158db570088a6d56a49 |
C:\AdobeQ8\xoptiloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 091ce6baaf2d0916f9dfa1461237e421 |
| SHA1 | 5902212ceeb2154045b0a0da553e70d84839836b |
| SHA256 | 62d82aa88273576dc8bc487628badc080e5707046f846d8d591f81d64b06476e |
| SHA512 | ce78e389b4871826f4ffc3f9d7319e0544025e916a576000b55e8cc09db59464fd1819ff9a6b3243546dfabdc5b47e99c70c6c95d09481db9e6d6a2621320e05 |
C:\MintOC\dobasys.exe
| Hash | Value |
| --- | --- |
| MD5 | 141ec5cbad77a389d1535761127df668 |
| SHA1 | 644ef496f1484f798ed524126d578498a18873b6 |
| SHA256 | 760495e8cab0f426af2b8ae5d2bc2392c5a27600c695f7eb2e21aa4745942ba6 |
| SHA512 | 5fc86382d1d6ce03ce7cf56252de181b3094fa703cc4009015756bb6b4b080437e88950cb92eb1738666453c16a8c67a83c0e096e120aaa6f4992fd6a0d28ddd |
\AdobeQ8\xoptiloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 181ebcd52ddd5c1ba2308e8d557b217c |
| SHA1 | e1aaa30ae73990eef866650c6db3122b4cee68ca |
| SHA256 | e36439c01bccf73ba39685fc2f1742cacf6abbccb01cdc2cca9d75df2d48c3a7 |
| SHA512 | f7d3c6e2a772ddb342ed88f40a522e449216c32b6b516af1dcd349412a5f226cd1ad4e2906136fdadd247b683acd9f4c1cbd06c74eb008ad457d0d56623e3f3e |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | c7c7b75a00f6f13e99991930e5853f34 |
| SHA1 | c32f57f4e0beef73460e292039afcf9479258706 |
| SHA256 | dfd0670b78feb695a94bfa1d1be6efc3dcc2d06f54704349706113c075a2b0ff |
| SHA512 | d2bc7e11f6e275da0b8d110ab2c063e96749c9270c52d84502e1402b687ceef3570c0786df6d0387f0bda3199f928c8e09ce7a2ad5c2bf2fc27d5b5cfa7f46ba |
C:\MintOC\dobasys.exe
| Hash | Value |
| --- | --- |
| MD5 | d841abf49829d9e87592cbd49b379999 |
| SHA1 | e2ee943a9b905fe75f9d4e1d284d749080897658 |
| SHA256 | 8839db96a1695c254ccf301e11660f3a73a158f590164ef4e19cd390fce0092d |
| SHA512 | 81983248c8a03b8cd50456235933cc5bd4c5d39fbf3e5c16a3e3fe6f098fcc894823e352ac3f8cfcd6db5bf1ed2b851de4ac0744a503b5cb6e498910d72669ca |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 01:27
Reported
2024-11-10 01:29
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
146s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | C:\Users\Admin\AppData\Local\Temp\a84e2a9401911877fe73f99301e8dc0e21cc27cfedbf4baa97523931e0ea276d.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| N/A | N/A | C:\SysDrv4P\adobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ8P\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\a84e2a9401911877fe73f99301e8dc0e21cc27cfedbf4baa97523931e0ea276d.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv4P\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\a84e2a9401911877fe73f99301e8dc0e21cc27cfedbf4baa97523931e0ea276d.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a84e2a9401911877fe73f99301e8dc0e21cc27cfedbf4baa97523931e0ea276d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrv4P\adobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a84e2a9401911877fe73f99301e8dc0e21cc27cfedbf4baa97523931e0ea276d.exe
"C:\Users\Admin\AppData\Local\Temp\a84e2a9401911877fe73f99301e8dc0e21cc27cfedbf4baa97523931e0ea276d.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
C:\SysDrv4P\adobloc.exe
C:\SysDrv4P\adobloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
| Hash | Value |
| --- | --- |
| MD5 | 483acdf5e0704b3eca502769b0f55d0f |
| SHA1 | e061f9506397f8634dd70610b74f3c4670bea4f2 |
| SHA256 | a4dfdde7f57b24b983e47fc2beb7012bdcf0834992620e6bfdecbc9dd06ea68b |
| SHA512 | 7de92cf8e4865ce7b28c44d933a4c50a2d58b0ed1a02dc0c3b590ca493cd3171c619b5aa37536d721807537262882c8794ab31a1cb0f73b4ea7c8b0a94c3c19a |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 4d76f01366edb09f9a69b63d072fdd13 |
| SHA1 | 554eae849a6cad1d77f40e8da64e68e622a05dbd |
| SHA256 | 7cd2876037be32ce75e21b797d30223be5de9440a78b164e1fff368fe199af91 |
| SHA512 | dabd9a399097bb072f0df0e4242cde014e297d628cb767e1fda6e97a883e955aa3c55f9e6d115117ee2917f240da4dd50b872e87098d5f7da32a07f62e484828 |
C:\SysDrv4P\adobloc.exe
| Hash | Value |
| --- | --- |
| MD5 | ac7b09f21c3b2531c0461f4f2a34c06e |
| SHA1 | 82274e126ed83ce4bd8bff7d50e82ea8582ec969 |
| SHA256 | e761503227d95567e181589bbd46f25e781e5f72247e5ff2dbb530f9d9caf7d9 |
| SHA512 | 321a012aea18fcb1b5e7903c886b65689ad96c5dda109e0a5679ff9bf157865382c331d9f487890356c5d1514c241e8f9b270a6fdb8c3055e4dd3c0366c5cf23 |
C:\LabZ8P\dobdevec.exe
| Hash | Value |
| --- | --- |
| MD5 | 8bf869f3213a0bbde69afe3eb39b77fc |
| SHA1 | c1434a2edf85de0d2e7985b349946b598c03e3a8 |
| SHA256 | 35714eb730f144be9ac5e55b0b7686f9ff5b532f022b67ff2ebdfcda13830f10 |
| SHA512 | 149cd757b88a204fe347577a969a4590336f80205605150c5ef59ac1ea63b3e098753cee41479ed276a2fd191caa65283157ddcb2fdf6d58b01b2671fa065527 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 92480703f4fdf9d47c155002d33a49e6 |
| SHA1 | 87a1a71962fb943707531a56ae9c2453780e1236 |
| SHA256 | 9208000e2a85ea13bf85f58ccd8417b3b7bb91e797cfc11c2946dc95f044bccc |
| SHA512 | ae7df25526743011ca9887280eee1085719ea733dae253ce83b28e8a09cc13e4d63c9d3301c8a968f2b3246d988602154e3587cd27a82744557bb0820d927783 |
C:\LabZ8P\dobdevec.exe
| Hash | Value |
| --- | --- |
| MD5 | c95f812959f00b51d3e524078b0f5274 |
| SHA1 | a497cfdda89ec7adc1916c623ef51778b15f20be |
| SHA256 | b801c1fe10a0289dfe6ac84c5bdcd979974333e2f658a0a5bad204e56608cb65 |
| SHA512 | 2be033e5c36bbea0181068d31f5b959f4d256760d60424d809908c4f0c866f81b435e596ed5283f76f1e369b7a09602767701c19d0954eb86bfe563bd782006c |