Analysis Overview
SHA256
f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849
Threat Level: Shows suspicious behavior
The file f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 16:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 16:47
Reported
2024-11-12 16:49
Platform
win7-20240903-en
Max time kernel
119s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\SysDrvJD\devoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvJD\\devoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZYW\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvJD\devoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe
"C:\Users\Admin\AppData\Local\Temp\f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
C:\SysDrvJD\devoptiec.exe
C:\SysDrvJD\devoptiec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
| Hash | Value |
| --- | --- |
| MD5 | a90e470773db538a48d8a338f9693ac8 |
| SHA1 | f2db74c05fbd5c95341a39e497898307a9c3a043 |
| SHA256 | ecc8774c86a2c1ec5203a64e3f70b5cf6efb0e38545d89813bf0acc2d1b11b62 |
| SHA512 | 9ba1a8d7771f57b6a3f5c97a393a9c6dfa4df1b55dc57e20546da470e70f9fa64a3d3d713ad9c1fa607d4a2138f686a904888efea97c2b87e5c1619135d86936 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | d12265c102375248ac6b62191cbb0241 |
| SHA1 | f466121851b8793bfbbfa8c55bd333a3455205aa |
| SHA256 | d935e96d1a8fcf9059cd048f6417bb4ac039bdf9c25a356f53b3df5f04924810 |
| SHA512 | c7b2a2628d69035ff452df48426309960ddeaef697d05be2a0fe4aaa394a9e7f81e9d5db607934f103c18b0c39ac575acdb97b856c7275babe779e31dec52856 |
C:\SysDrvJD\devoptiec.exe
| Hash | Value |
| --- | --- |
| MD5 | 2448ab68a39982b67b9fcfb935c79474 |
| SHA1 | b1e93f5d370947873de198347300fb792afe138a |
| SHA256 | 155cc7d84511c05be1e4632784423010964197fa91ac362e2f5516a1eeef8aef |
| SHA512 | 3a1163e36c546edba580b86077cd57cf7f659ffc4f49f3a8492d08a3324d0c48b5bb56c92058666ca5f3eeb8eb8e2b7b56fa1433bc698afe468ca8e9a7400cd8 |
C:\LabZYW\optidevsys.exe
| Hash | Value |
| --- | --- |
| MD5 | afa485fb86af065f28d15e908c65911b |
| SHA1 | 73c6f8bdd2100494955cb20320c23bd0f0a048e6 |
| SHA256 | a11e79e8e1a689168629b29bd74c41486bf9567464fea088f10375baa2876d8b |
| SHA512 | 1afaca24948cf322ae537aa83a0da414d583e0dd8f31ddc47aed0f819d6fb70ac27a573eaf73c9059a485cb3571248564885cd7a06a517a0b5d5472a922947e1 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 31d541541abdfa4a1aec637938c6ccaa |
| SHA1 | e1e92db932721c8050588a147687f27853cf6de9 |
| SHA256 | 5b1d91c6b3e00af54e50756f7cdf86ec6e7555e2187b908f463b86df1d1dde09 |
| SHA512 | 048064be3b85d57b671c4e187838d063a16e2b86ac9cd36e6519d77a93a954424c690ebcb4d955c745380e54a11fb7696624c9268cb9c9a78d870259ae6205df |
C:\LabZYW\optidevsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 716ec118e0d538f609e54e3b4a95f4d8 |
| SHA1 | 084f317a641f27ba104d0c1b65914a03637f4ce0 |
| SHA256 | c536105a15a6bbd6c6ae75fdd1d9d0c8c7183aacd0c9229bae5f1a14e3f7463b |
| SHA512 | 090266549b1ca9f54b5b939e3bf037ebe417d49feeeecbbdeb462b5ad59caa41b24e65ef4f1117967603cd298057fc28d7812d9baa0977f44a24c4a33b65960f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 16:47
Reported
2024-11-12 16:49
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
98s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | C:\Users\Admin\AppData\Local\Temp\f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| N/A | N/A | C:\FilesR3\xoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesR3\\xoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid0G\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesR3\xoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe
"C:\Users\Admin\AppData\Local\Temp\f3129acab32f795285ab2a54dfc00e70c73b26d971ee79f056222d00c4aa2849N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
C:\FilesR3\xoptiloc.exe
C:\FilesR3\xoptiloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
| Hash | Value |
| --- | --- |
| MD5 | c4dd7d9e2e77c86aec44393027e7763d |
| SHA1 | 7be85b2e0f339a67383416212fd45ffcfa665261 |
| SHA256 | f17121a42c1eaf885ee05f2555f6645279a88a0413951f63f169ab147f3b134f |
| SHA512 | 26a5309b5751ef1a3a40f9bc7d18c039aa7652b33eda87ac77eb509ce424041d34eba6330754f6a4b807c38a740833d55a664f395017b7b4c04d9c60a6e1eb0f |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | c23d1d86c248b156c55e54b4a49c6542 |
| SHA1 | 2d451ba9173c1f14512a11a8394f5f6e51227b7e |
| SHA256 | e81a48de77590d17a5947d010ecc8c620f5fad1f67cd108c4b6ee70a9e1dfba3 |
| SHA512 | ac29886624b6603dd91035533a4e89c71cb5d53f8f9c1401556c8deb6e4c9bb4320678d2e7011013c1fc312a8bcc177cbd01d287f79ba2c8019f85f32388baf6 |
C:\FilesR3\xoptiloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 135c06a43ae043b4e36009861464369f |
| SHA1 | 663adcce5f6a5a66145d37c43e956618b433f6cd |
| SHA256 | 320bd759a59028a8100c5c7c875d96c53f7ab7d1e30cfc96ce4b867db3b68c3c |
| SHA512 | c91f57095775fd6f033bf0d1fc3ddadbe800932f8451d9fdf7bd25dd45afc3e2512a6002e1136155b3fb17c838a031c85fcc687a6044b274f9062281c5fc9422 |
C:\Vid0G\dobdevec.exe
| Hash | Value |
| --- | --- |
| MD5 | 04dd6b3f7b6c3bb0bd5e301ef99258e8 |
| SHA1 | a979f93350a1697ce58e3a8c7dd322ba6c5f67bb |
| SHA256 | 8f3fcb958a21bf06df579b6714c939b8b8d52899d760e7cd51e10754f978f0bf |
| SHA512 | 7ef6a88713f331209578ed0ae1e61b66e18804f943fee739128c75d59baeb0610c58c5b83900e0e6c5cfd1bf2bb54822adcac705a0fb6687713ff229347e52e4 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 4a5b362dd82ef873942d5aee8c5caea6 |
| SHA1 | e7dbf040b93fab5916aeec0ee4c64b40d72958b9 |
| SHA256 | 925dd931721c6c457303638389d2ac7baac9d8ae8ac137fbd38c7259200c490d |
| SHA512 | 4dfee0637832e32ef8dd87f81f401d580781fc382c03cbfb1b47745138648564cf869ce5db2238f9fbfdf3ccba9201e3b3150064971fff65aafe3a0b83a31c79 |
C:\Vid0G\dobdevec.exe
| Hash | Value |
| --- | --- |
| MD5 | 7ca3ef0b2b4dbe90dfa44a677309618b |
| SHA1 | ac8272618538c1d47ccb5683d60a0f510480dfc5 |
| SHA256 | 20097c9e7c1537a2009c39c3a18f2bae4ad0126f48d3c4680d2a5cdf32e347b6 |
| SHA512 | 145c1ef7af33025d22f95aae631a8474e56639b1ea4626f6fee68667e8ef648684dfc010561063e9b1d4c760b72474e258baafcedce99cb9c1a2e4ab7a8b69bf |