Analysis Overview
SHA256
71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76
Threat Level: Shows suspicious behavior
The file 71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76 shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 23:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 23:38
Reported
2024-11-11 23:40
Platform
win7-20240903-en
Max time kernel
149s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | C:\Users\Admin\AppData\Local\Temp\71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| N/A | N/A | C:\Adobe4B\devoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe4B\\devoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxQF\\optidevloc.exe" | C:\Users\Admin\AppData\Local\Temp\71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Adobe4B\devoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe
"C:\Users\Admin\AppData\Local\Temp\71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
C:\Adobe4B\devoptisys.exe
C:\Adobe4B\devoptisys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
| Hash | Value |
|---|---|
| MD5 | 18fc7c1916a9ee63df9a8fc5de41da6a |
| SHA1 | 4a4e4341d73e6bfd51e3b22e0ce8b1c552682c05 |
| SHA256 | be3e37ef27f0da6150f11c098eec6d6bed7f8e0a99362d09cd714519c4b221f6 |
| SHA512 | c90216a1715ea0cb9ae75661cc62ea31e25a249712d0daec2d2f70b500ba51727ff1162f201ea6708882fdcd27485cbaa025ef00fee8fd5e5403787e1931858f |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | a59372e5223fef88832a9f2e239e9918 |
| SHA1 | ebdfdfd57153aa68c236a69819fc7003835ff093 |
| SHA256 | 05e03bf3f3072ad2c0ebd7b32b2cd1baf905f50becef61f10ac8ffab92200352 |
| SHA512 | 9f695fbfb619a3312b9590327fe926c7674ebba3efab1bb2c7f2b5cb2a894e4ff976568fd5b52cfeb6a2b3f0e6ad01c3a7b9ca47f29d109d33fa7a777adcd49b |
C:\Adobe4B\devoptisys.exe
| Hash | Value |
|---|---|
| MD5 | 2cbcc659805b4bd4e167c5642dd3890c |
| SHA1 | bca80e25e485488a8e7b0c30f433bd68492c7ca6 |
| SHA256 | 2f1a2e9e0cca8c62adcd4c4540b5c6cbb4c002b95cd8fbaa29caacd8a1ad65e6 |
| SHA512 | ed8f7d33d3292a3428d111d579e52271ed0fe3bfea91b4500dc616d8df8ff8d4c9ce6152ba7be9970e3b8b9af40c5b83298bf62bfee63405fdb288a1bcf67147 |
C:\GalaxQF\optidevloc.exe
| Hash | Value |
|---|---|
| MD5 | 2efad654c784e155f9d74c0d729a595e |
| SHA1 | 48ed7760ee8e3a708d5a4a7a1ebc6ecf134653e8 |
| SHA256 | 296ce4a021773c1935e79b94b411ef7245e0bbf11ee323f82cc9de6e96beb08e |
| SHA512 | 169a2bad5011031bffd7011ff3681ba11323c2c93e4d0924d4529f2e6bcd70dd4e7724491c882fd416e77d10d83c8d3bbdf6109f8b3bd168a280caed3c993f03 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 422eca694fe480ab695db9bc9aa0e206 |
| SHA1 | 8d551359f5a9b355f67524754463c155531a3ca5 |
| SHA256 | b8ccebadaeae7789abd667117e20c054724d087a330c0d4d719546b1aa5b01df |
| SHA512 | fa5e91dbc0f297773a2863d2de470919978ae0e25292a363c4164924d77177a85d609675c54acc62adc822a06db33ef201f7c69d476b1a053f20a51955f04ccb |
C:\GalaxQF\optidevloc.exe
| Hash | Value |
|---|---|
| MD5 | 384801dcbc39a50ca4365294b2804fbc |
| SHA1 | c8573917ff92ea5c0ed974b05a6d8ab5e8c8a957 |
| SHA256 | b0260705ef6b760718751071a41b19c2535daf4279b663008d141739ac21990d |
| SHA512 | 7a173656c3884cd85e3ce2da0811fb42c549531af6d70fd4b328076c3e08c4b6caa7d7ac19e882c139418c56b1c07d35367c3ad0686bd1831f419152670bdbd4 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 23:38
Reported
2024-11-11 23:40
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | C:\Users\Admin\AppData\Local\Temp\71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| N/A | N/A | C:\IntelprocW2\xoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocW2\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBE3\\dobasys.exe" | C:\Users\Admin\AppData\Local\Temp\71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocW2\xoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe
"C:\Users\Admin\AppData\Local\Temp\71bb1965072e51d19184280884155c6eb0fa2f3c58e8c04732677f1633128c76.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
C:\IntelprocW2\xoptiec.exe
C:\IntelprocW2\xoptiec.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
| Hash | Value |
|---|---|
| MD5 | 06e3e6fd614d5926484e07f2f4a323d3 |
| SHA1 | dbc17212bed2c2f5b9d2321091b9921b98742b34 |
| SHA256 | 2b494f7a1335169768abfd311e3729ae7d9235ba66f31cb2238f1150c136ab84 |
| SHA512 | b660efc0f87524a378218b7a60b4a89e589b124cede2fe1df16bc3ee5b188856f9e06695e4eb14265b8520ba45956c5df1d2dad5348eafeb6bd267037abee3b5 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | aee34f829e3a69bccd1132cab5efa56c |
| SHA1 | 8ef42fa41625a4600e856053a07b83c98545a8f6 |
| SHA256 | d2c85259c7718c3593401a9780fdf5c9bb443b19eecf9d0e0607bf92705eb223 |
| SHA512 | 349e629531c4bcb393c3195963d142e1a9131f01316d10d5e50bcec96707bba9c810f47b6e1059066f321368e298529d71335294e296e1254bbb2b8c7ae26375 |
C:\IntelprocW2\xoptiec.exe
| Hash | Value |
|---|---|
| MD5 | f4e89a8c5dafd38705cf1003d467ceac |
| SHA1 | 488e5e729369980da30f6fb4f9b7abf8d62f9e67 |
| SHA256 | 13f2c31e0c3f3a3214824360bb8e0afefa5d52aaef30ca959cd5cfc174ea311d |
| SHA512 | 050152a36fee7fdef1b6b6d17915b41abb817fd4477dad0f4662603370a03bdc4863aa2b55a8580f32e7008f3fa63cb4ec54fe94049758aaee7fd3a1a6b11cf3 |
C:\KaVBE3\dobasys.exe
| Hash | Value |
|---|---|
| MD5 | ef5e2c0a10a0c476399752793307c66d |
| SHA1 | ca0ec1078bc1cdc291089a6e3da8956ae39575b0 |
| SHA256 | a406994fc3942ae3c0e08cefc8ed56487ef52092d68cc1d6906058630c91fb4a |
| SHA512 | d024de1f0de4779bdbcc760240beb617d171b6c0c26ab571855df697530ac741253ee01b1a78ce55b057f1a6be8f0dbcbcc5b9d0b3c50a17c43575a229cb025b |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 36e2047d39ca005d49da809e2d9f4d25 |
| SHA1 | 2ad600cdf442f48ab02493b2aaae463246665a48 |
| SHA256 | 60f9f321509afdfe5e73acfa4e6dd1af33b775c7d2f7df147feb84a14a150183 |
| SHA512 | 98d95ffee14a7ea3dd0d35d53025b52fd657787880e70bfc41ce28d2b8fb796f043b4657f264a1787af57c36a5b50d0fbb8ad58372a7546fbe1d766dd5a1560d |
C:\KaVBE3\dobasys.exe
| Hash | Value |
|---|---|
| MD5 | 88bc026ea133367d667040a0e1a65653 |
| SHA1 | 42957668ee60a878f2d637bda35c5512c30557f0 |
| SHA256 | 290cdc3fd3458f95b3361950db53f54b3c2b8ee25738eadfb4040eec0c825d10 |
| SHA512 | aa765a31319604edba9c1c533037066ff86459f380471ab78306687f48e851ffa8caaaf84e43aed96c3dbb4c1a9a7e500bac0c8b87cdedfcb4b564df1dce2ade |