Analysis Overview
SHA256
739d57955826eaf823b0f58d73b3de3803a42fa081b609358e1b20022e092e32
Threat Level: Shows suspicious behavior
The file 739d57955826eaf823b0f58d73b3de3803a42fa081b609358e1b20022e092e32N.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 16:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 16:56
Reported
2024-11-12 16:58
Platform
win7-20241010-en
Max time kernel
120s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | C:\Users\Admin\AppData\Local\Temp\739d57955826eaf823b0f58d73b3de3803a42fa081b609358e1b20022e092e32N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| N/A | N/A | C:\IntelprocJQ\adobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\739d57955826eaf823b0f58d73b3de3803a42fa081b609358e1b20022e092e32N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\739d57955826eaf823b0f58d73b3de3803a42fa081b609358e1b20022e092e32N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocJQ\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\739d57955826eaf823b0f58d73b3de3803a42fa081b609358e1b20022e092e32N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ7B\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\739d57955826eaf823b0f58d73b3de3803a42fa081b609358e1b20022e092e32N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\739d57955826eaf823b0f58d73b3de3803a42fa081b609358e1b20022e092e32N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocJQ\adobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\739d57955826eaf823b0f58d73b3de3803a42fa081b609358e1b20022e092e32N.exe
"C:\Users\Admin\AppData\Local\Temp\739d57955826eaf823b0f58d73b3de3803a42fa081b609358e1b20022e092e32N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
C:\IntelprocJQ\adobloc.exe
C:\IntelprocJQ\adobloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\IntelprocJQ\adobloc.exe
C:\LabZ7B\dobdevec.exe
\IntelprocJQ\adobloc.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\LabZ7B\dobdevec.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 16:56
Reported
2024-11-12 16:58
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | C:\Users\Admin\AppData\Local\Temp\739d57955826eaf823b0f58d73b3de3803a42fa081b609358e1b20022e092e32N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| N/A | N/A | C:\UserDotR8\xoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotR8\\xoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\739d57955826eaf823b0f58d73b3de3803a42fa081b609358e1b20022e092e32N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBGN\\optidevloc.exe" | C:\Users\Admin\AppData\Local\Temp\739d57955826eaf823b0f58d73b3de3803a42fa081b609358e1b20022e092e32N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\739d57955826eaf823b0f58d73b3de3803a42fa081b609358e1b20022e092e32N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotR8\xoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\739d57955826eaf823b0f58d73b3de3803a42fa081b609358e1b20022e092e32N.exe
"C:\Users\Admin\AppData\Local\Temp\739d57955826eaf823b0f58d73b3de3803a42fa081b609358e1b20022e092e32N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
C:\UserDotR8\xoptisys.exe
C:\UserDotR8\xoptisys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\UserDotR8\xoptisys.exe
C:\KaVBGN\optidevloc.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\KaVBGN\optidevloc.exe