Analysis Overview
SHA256
aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9
Threat Level: Shows suspicious behavior
The file aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Executes dropped EXE
Drops startup file
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 23:14
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 23:14
Reported
2024-11-11 23:16
Platform
win7-20240903-en
Max time kernel
120s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | C:\Users\Admin\AppData\Local\Temp\aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| N/A | N/A | C:\FilesMK\xbodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidSV\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesMK\\xbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesMK\xbodsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe
"C:\Users\Admin\AppData\Local\Temp\aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
C:\FilesMK\xbodsys.exe
C:\FilesMK\xbodsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\FilesMK\xbodsys.exe
C:\VidSV\optidevsys.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 23:14
Reported
2024-11-11 23:16
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\UserDotL3\xoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotL3\\xoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidHY\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotL3\xoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe
"C:\Users\Admin\AppData\Local\Temp\aa79d2b087a987313c1a732588f31a1dbb4fb7c45fcc120d451e519a4eb3bda9.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
C:\UserDotL3\xoptisys.exe
C:\UserDotL3\xoptisys.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\UserDotL3\xoptisys.exe
C:\VidHY\bodaloc.exe