Analysis Overview
SHA256
86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb
Threat Level: Shows suspicious behavior
The file 86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Executes dropped EXE
Drops startup file
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 16:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 16:49
Reported
2024-11-12 16:51
Platform
win7-20241010-en
Max time kernel
119s
Max time network
19s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | C:\Users\Admin\AppData\Local\Temp\86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| N/A | N/A | C:\Files8Z\xdobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files8Z\\xdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintC9\\optiaec.exe" | C:\Users\Admin\AppData\Local\Temp\86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Files8Z\xdobloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe
"C:\Users\Admin\AppData\Local\Temp\86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
C:\Files8Z\xdobloc.exe
C:\Files8Z\xdobloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\Files8Z\xdobloc.exe
C:\MintC9\optiaec.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\MintC9\optiaec.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 16:49
Reported
2024-11-12 16:51
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
93s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\IntelprocV4\devbodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocV4\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint8G\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocV4\devbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe
"C:\Users\Admin\AppData\Local\Temp\86f106ca759260a84b5dc425be732e394eaea5562310ddcccac5e051563b3bbb.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
C:\IntelprocV4\devbodec.exe
C:\IntelprocV4\devbodec.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\IntelprocV4\devbodec.exe
C:\Mint8G\bodaec.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\Mint8G\bodaec.exe