Analysis Overview
SHA256: 1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8
Threat Level: Shows suspicious behavior
The file 1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-11 23:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-11 23:29
Reported: 2024-11-11 23:31
Platform: win7-20241010-en
Max time kernel: 120s
Max time network: 19s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | C:\Users\Admin\AppData\Local\Temp\1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| N/A | N/A | C:\AdobeN9\xoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeN9\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZJU\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeN9\xoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe
"C:\Users\Admin\AppData\Local\Temp\1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
C:\AdobeN9\xoptiec.exe
C:\AdobeN9\xoptiec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\AdobeN9\xoptiec.exe
C:\LabZJU\bodxloc.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\LabZJU\bodxloc.exe
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-11 23:29
Reported: 2024-11-11 23:31
Platform: win10v2004-20241007-en
Max time kernel: 120s
Max time network: 95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | C:\Users\Admin\AppData\Local\Temp\1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| N/A | N/A | C:\SysDrvWM\aoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvWM\\aoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidYJ\\optidevloc.exe" | C:\Users\Admin\AppData\Local\Temp\1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvWM\aoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe
"C:\Users\Admin\AppData\Local\Temp\1b6410fbe85d72482609743a34d6b3447cffa1afc49f13921b06b3f303db10c8.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
C:\SysDrvWM\aoptiloc.exe
C:\SysDrvWM\aoptiloc.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\SysDrvWM\aoptiloc.exe
C:\VidYJ\optidevloc.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\VidYJ\optidevloc.exe