Analysis Overview
SHA256
47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9
Threat Level: Shows suspicious behavior
The file 47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe was classified as "Shows suspicious behavior".
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-12 16:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-12 16:56
Reported: 2024-11-12 16:58
Platform: win7-20240903-en
Max time kernel: 120s
Max time network: 16s
Command Line: N/A
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | C:\Users\Admin\AppData\Local\Temp\47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| N/A | N/A | C:\UserDot24\xoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot24\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZBL\\bodxsys.exe" | C:\Users\Admin\AppData\Local\Temp\47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDot24\xoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe
"C:\Users\Admin\AppData\Local\Temp\47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
C:\UserDot24\xoptiec.exe
C:\UserDot24\xoptiec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\LabZBL\bodxsys.exe
C:\UserDot24\xoptiec.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\LabZBL\bodxsys.exe
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-12 16:56
Reported: 2024-11-12 16:59
Platform: win10v2004-20241007-en
Max time kernel: 119s
Max time network: 95s
Command Line: N/A
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | C:\Users\Admin\AppData\Local\Temp\47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| N/A | N/A | C:\SysDrvY1\aoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvY1\\aoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintOA\\optiaec.exe" | C:\Users\Admin\AppData\Local\Temp\47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvY1\aoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe
"C:\Users\Admin\AppData\Local\Temp\47c9ad2f086e6105008dccd836031eae462144195f99a350811bf3ef74a96cc9.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
C:\SysDrvY1\aoptiec.exe
C:\SysDrvY1\aoptiec.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\SysDrvY1\aoptiec.exe
C:\MintOA\optiaec.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\MintOA\optiaec.exe