Analysis Overview
SHA256
68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1
Threat Level: Shows suspicious behavior
The file 68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1 was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Reported | 2024-11-11 23:14 |
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-11-11 23:14 |
| Reported | 2024-11-11 23:16 |
| Platform | win7-20241010-en |
| Max time kernel | 150s |
| Max time network | 118s |
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\SysDrvJD\devoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvJD\\devoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZYW\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvJD\devoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe | "C:\Users\Admin\AppData\Local\Temp\68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe" |
| C:\SysDrvJD\devoptiec.exe | C:\SysDrvJD\devoptiec.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\SysDrvJD\devoptiec.exe
C:\LabZYW\optidevsys.exe
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-11-11 23:14 |
| Reported | 2024-11-11 23:16 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 150s |
| Max time network | 151s |
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | C:\Users\Admin\AppData\Local\Temp\68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| N/A | N/A | C:\UserDotSN\xbodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotSN\\xbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint57\\bodxec.exe" | C:\Users\Admin\AppData\Local\Temp\68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotSN\xbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe | "C:\Users\Admin\AppData\Local\Temp\68372bdee58a42fe785f41ffd690a8b476ebe6ea92b4aa02d39abdc439011ba1.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe" |
| C:\UserDotSN\xbodloc.exe | C:\UserDotSN\xbodloc.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\UserDotSN\xbodloc.exe
C:\Mint57\bodxec.exe