Analysis Overview
SHA256
64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987
Threat Level: Shows suspicious behavior
The file 64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987 was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 23:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 23:06
Reported
2024-11-11 23:08
Platform
win7-20240708-en
Max time kernel
150s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | C:\Users\Admin\AppData\Local\Temp\64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| N/A | N/A | C:\IntelprocH4\aoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocH4\\aoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax53\\optialoc.exe" | C:\Users\Admin\AppData\Local\Temp\64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocH4\aoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe
"C:\Users\Admin\AppData\Local\Temp\64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
C:\IntelprocH4\aoptiec.exe
C:\IntelprocH4\aoptiec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
| MD5 | 3fd06005381c363f2d49c1d0e4b13ca7 |
| SHA1 | d28e3890eb2f475abd3357c5ace7106b11ecbdeb |
| SHA256 | 595b3232a346298938521d066330453a4795c4d0c9a0a9382aac2c44cbf02fdb |
| SHA512 | b80a879672899e9f5f0c9a6a95c8c3bf36a267ff501d4010517886a73d25385cc5686f70a6de32eab729b4bc487d61ff0b2fde8c1367f2f5294e9d4cb7f444dd |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | c0d5a9b3cccd7f1df7d9e44cb0fac432 |
| SHA1 | ead410751c4fd1b5cf9684b8021cf7ed9cb0ccf5 |
| SHA256 | 2969a387ef31091fabe461ea28a1779acdb93c747fa4cbe5f8d5ea6df1a823b1 |
| SHA512 | 045fbeadeb37c72a2d35dba58312134e73989c701bdfba20ad7bc978d3ba1418fc8af9ad09adeb1f4d3263952a45f4ebd08a0ac189d447e67223f701faddb28a |
C:\IntelprocH4\aoptiec.exe
| MD5 | 9388e57ebbb164d5da77d8feb692e28a |
| SHA1 | b42da051aea4b078bc43d7da99fd80d71913921b |
| SHA256 | 55916fe98ea4c5992f2107885b71299bdb2a3b2deb4dd643272e8eeb036ad801 |
| SHA512 | 3968aaff78df58acb63d77ea4f77e4c8849eac43e0deb8bf2e6ca5c2d14d91d559edaa135ad13afb487838fdb82f8a16020d95bac4ccf941d79a3c8620efe400 |
C:\Galax53\optialoc.exe
| MD5 | 881b44e9c4c7d641a48b98741755d22a |
| SHA1 | 9209a66b4240ba99c65144e8b2c49b20a524dc96 |
| SHA256 | eee65d8ac29c18cb321742a0a302c0eb9e5895599eaea69ba1fec23bfafb492d |
| SHA512 | 60ac77096914af561c4e706c78ee7b811abd8b82093142ed71ed549d25f3620ae7aa4f99e1294f9a1aaef5771c5f736ca0ed9b7ca893674b6831ae1f02d56095 |
C:\IntelprocH4\aoptiec.exe
| MD5 | 85571bda80171ae3c4a346580e4a2055 |
| SHA1 | eea0e5934a756363cdf560e456cccd7434569d9b |
| SHA256 | 02680acc39a51c9ffe2de44210c55ea86acd065d7b82b90ae0ade57f776361cd |
| SHA512 | 443d5fd94b9feb6633705a63e27852887230136bc8a507f43fe3635b12bc5b65273c2b539b404ced846e037e8a87f2a3d17c83aa4ee796214fb4130f6a8287e0 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 82283367fc8a0db4a423581ff57e59e3 |
| SHA1 | 0fb673c8049b0ed065d9b130968ddf8d9051d140 |
| SHA256 | 56442c4b71cf38d16ba15dcc7fbc184bc2e9fb179dec5d6d2e57210d1e6ea0e4 |
| SHA512 | e60c71fe7b34671f3ec16992e9916837de8de87b0cf45a7e08e8bca4a0929be8d3722a7185bc442a968a2a037215ba0335133386df0641485bbaf6265ef7748d |
C:\Galax53\optialoc.exe
| MD5 | c84c2b623d2bcc3904ec141ac0690abb |
| SHA1 | cabf8a3a013522ccead3bd1790ce5a2a2ebb2422 |
| SHA256 | 436b4c7313dcbae554a30ff4d72fb06502b33e7ddf0ff8a4f3d1d2a6418b69d8 |
| SHA512 | 01cdc18d890af3ca96bbf31f4efdae8ef85ede7d68139ab5e0a8694d2623c2f482d91b1ad99cdb966efad16a003788ccafbc543e4684fc5ba77398ecc7171c0d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 23:06
Reported
2024-11-11 23:08
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
136s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\AdobeOV\devoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidNT\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeOV\\devoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeOV\devoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe
"C:\Users\Admin\AppData\Local\Temp\64f2915abe0b12773236b6aa6a334999fefed148f130fd512d2e741954b6e987.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
C:\AdobeOV\devoptiloc.exe
C:\AdobeOV\devoptiloc.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
| MD5 | fd02a0f11a69c3fba92319687544af7d |
| SHA1 | c51a088fa1629a43cfe7dc4215f2549246e87c4a |
| SHA256 | 4b86defd01edc7cad4943700ba3e8348122d657386b4d7249829c0cc8ae19736 |
| SHA512 | 03f1b9b81d1ae4c97098fa7a814f4458818a3e819b81a67a5c874de462e3fa2704e058e2b1b85bb17d7f19f0365601acbcbb1b0646d6d745bdad34eb0a0366cd |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 1167583ca639dd4c6e0333842c38ad98 |
| SHA1 | ccba52582f7e663356f937ce4c09d6ba6231f203 |
| SHA256 | 75e5f9393e25d171d2d9cac28e174306dca6c3933d4b2a8037152809f4d5fdd3 |
| SHA512 | c9f2d29305bf401512aeb654b625c643f0c45a4cb1d619b165f7261c45009f66742b0aca507d61ce51736b45da6dfb50a84e2da2b952888af12a50cd5b5f5233 |
C:\AdobeOV\devoptiloc.exe
| MD5 | 95777fab782070dc2ec47679d47b9ab6 |
| SHA1 | 46ba610e563bdba0884ed6d2584dc063c77749f4 |
| SHA256 | 3b938c41e168814fcc50328417f6ba1715bcf90ad841b98cd9413f580a6e5c3e |
| SHA512 | 0220b704d6b6c4936139cfddd380fb19bb868ea0859201a43af7533ef050a70b367aec02366429c495ef14e7ca2a8d8c3a70754d3413616e92fdfbbb0f75e125 |
C:\VidNT\bodasys.exe
| MD5 | 98ed1a7a12bfac78414316f2691a9295 |
| SHA1 | b30aa7ea83e002a72c77a4fee3fb536afef6099a |
| SHA256 | 11e6e8fcc7031f183bc625f28ad4fbee951799b845c2a5d205e2afc087e53a0e |
| SHA512 | 398c9fe10f21ddf36d651122eb241cae7c8e18e0eab5c325659a912a4176a5eeb6cd8f176a39e12314fec6ab6d6b4e3ea523e05322b9caef62d86b1512f5d4a3 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 26e8d030a3324784a338e25db6b7bac6 |
| SHA1 | 62685c1c13e5cc1822b7c3fb4ec71fee0aa7b7e9 |
| SHA256 | 53184f4d0e20fc3053d996d5ddac5f6d0fb25f878b3a24b4ff2601443613c1ce |
| SHA512 | 8e13ff4e5a21e92f9b6141407034270c5703dca0ffc1c1b3cac0e80ca2aff98774f27621cc1e96254a25cb3bd5fe13127318d0fc2ecbfe05ad8d01cfcbaab9ec |
C:\VidNT\bodasys.exe
| MD5 | f3611b180f53e7b766446f16c0eb47e8 |
| SHA1 | b0a5575b4fca6d2ca1ebf68f998124b33189a5e8 |
| SHA256 | da3c4283fe87c6da829e4d3b09eadb3c7290c393ca69be154a4623b54548802f |
| SHA512 | 80c0937e80f63fa08bcb017f6504125ff30072a3ed9a2185ea5271bf5c0c20edbe958b500cc16a99d3c0072a1a1468864aa5250c977a0ad30c63af750b7b5ca1 |