Analysis Overview
SHA256
cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01
Threat Level: Shows suspicious behavior
The file cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 17:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 17:16
Reported
2024-11-12 17:18
Platform
win7-20240708-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\AdobeZE\xoptiloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeZE\\xoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax2S\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeZE\xoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe
"C:\Users\Admin\AppData\Local\Temp\cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
C:\AdobeZE\xoptiloc.exe
C:\AdobeZE\xoptiloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
| Algorithm | Digest |
|---|---|
| MD5 | 5ef57d5de891f8270b341e6201a01530 |
| SHA1 | 44346c8946c4cd3a3069a2fd1cb2a40da70896f8 |
| SHA256 | 7f1c74f06504d73fc85c5d814bd560d80dbf7a21f45b32f245372aa59662408e |
| SHA512 | 0e968aaeb23d7b6943fc3a1bc5db90ec98179e838188eace4e2bc7deaf3236f53cebbbb7e536223feb0045901c47d735d77045193e7d6b18d8b184f957339e8e |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Algorithm | Digest |
|---|---|
| MD5 | dcac5d7d2d6a59fd76c5062b964102d0 |
| SHA1 | 6f8d821a7093bed08f2f9cce14dafb8776fc8bf2 |
| SHA256 | aa3389f15a84137d53d7396ef90360143202e2b61c4bc126024b19aac94ba5af |
| SHA512 | f37a0ae6adba081ed82326e554119c680ebd2ea0f9587834b32a7420b525eb44d63e0034a6bef842b1d292955f42b6204dd4e1c3383b43bc20ba940fa0eb64b1 |
C:\AdobeZE\xoptiloc.exe
| Algorithm | Digest |
|---|---|
| MD5 | a7ac2f2d035cd80576e7ae6d2a0b898d |
| SHA1 | 51bf56b59b4ccbd88d34ca06da1ac8b4f9f89380 |
| SHA256 | 7a5a8f7e397024be2197457caca0c01b34d24764e3b46fa273e30a3fe61f00d9 |
| SHA512 | f43d6c6d91c8bfc934b9742796c0d2f2f526c407ddf65e1ccabf6174c7cc32eb6b70452a634cd1f5aeeb8c67174ab8f0f7df063ac3bee421a8867f3ee8fe4000 |
C:\Galax2S\optidevsys.exe
| Algorithm | Digest |
|---|---|
| MD5 | 88f8a074b18cb51ce30f218045ef6743 |
| SHA1 | 1a4e85e2d749b83978c946dd5b6110367ee14d77 |
| SHA256 | b3eb1ad5ee95a3db5a895b0885c142199fba2aff19d5b3acb195298f5969be53 |
| SHA512 | f7b08e44fa30781a42136e9b7b1399c8cf262bd5fcf4bca269c1f7453cf0abbfaac22c3ec4d2747a155c4c01c8be49b868844066e53b4f8d344010b0a8d8ce3d |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Algorithm | Digest |
|---|---|
| MD5 | 60d3d44dd1b39d5b6b656c42de023ccb |
| SHA1 | 686be8e032d3aa2250c8a176ba20c616aac6a5c2 |
| SHA256 | 15237d376fe39348e103096c078aaeb08907c17f6200d6a132415ca2dffa07f6 |
| SHA512 | 222af408f1cc155e72fdc468dca9eb1c688008898818dad8dd28b15903e993bc3b0a9d21bad5a107e716caa4f3a93cf1e88d6888a0e37636d8aade3945e4aab1 |
C:\Galax2S\optidevsys.exe
| Algorithm | Digest |
|---|---|
| MD5 | 9f8c69e041464bc84c1351cb6fa62307 |
| SHA1 | 5dc6b185580a842747b0b093b44a7fe6529ef957 |
| SHA256 | 04c3468dca5d1444b55cafaf61adc20fbde14e1a85be06b2ddcdf63dfb10a544 |
| SHA512 | 2811b80abbd4f99a8ef520e4d53b8041b682bfd4fe50dcb7f1b539fea84959d530c311b45697310292bf6be796274e378c5a931fe40c6a2188f2820191a9bdca |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 17:16
Reported
2024-11-12 17:18
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
98s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | C:\Users\Admin\AppData\Local\Temp\cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| N/A | N/A | C:\UserDotGM\xoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotGM\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ6P\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotGM\xoptiec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe
"C:\Users\Admin\AppData\Local\Temp\cb3688f74bebd3712e7189525b5bddd7897b0fc659e2f540e9f669e0580e8b01N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
C:\UserDotGM\xoptiec.exe
C:\UserDotGM\xoptiec.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
| Algorithm | Digest |
|---|---|
| MD5 | 9b04c8dd2af9ca806fd615b7f4b82882 |
| SHA1 | 720a1c3839766138592aa869af5d2188345292fd |
| SHA256 | d7125edaf76f06f8c4a78b5460950cfc0f48995ab7f6303965fde310aa268e25 |
| SHA512 | e954aefb6e9a3036457a3c2228a88ba3fa7eabad7ae4a777b6a371bab1f69e324697b9c8ce7adafd3e13a583b6f4340be27c8fe00ee9f595872ccb0cca0ed651 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Algorithm | Digest |
|---|---|
| MD5 | 0f490545dcc0116e13e59c42cfe70fc9 |
| SHA1 | b95f29a24ded5214565ce70573f9175c9698a91f |
| SHA256 | 4329d3a3ad95ded40bdc3aee9a0c0c3c2db827374aa67512a9f07cde8048b828 |
| SHA512 | 6c356ee407ccf3b77f6656d922885f315cde56418dbc12673727a85eacae9b937f1bf8bf9f8eee0a7da9e7f4ff17dd5a78fa869a204de945cc2bfdb6cdfc81b3 |
C:\UserDotGM\xoptiec.exe
| Algorithm | Digest |
|---|---|
| MD5 | 523a370865f0b1be7f45e3ba0c0089db |
| SHA1 | fc4b2d372f01505a1f7b56b7951a4c2ac4303673 |
| SHA256 | f1e3022d02d52847f4508b69c4b5b0f427b0e723b48edcc367f30b7923be5647 |
| SHA512 | fa670c94f1cf6aa534f87821df3aeff7f9c9eef8fac5aad5ed583b38f4df91feaf00389c3954d18ead07d04734c9d78bb7668cbc518b16d2a26d73990905edb2 |
C:\LabZ6P\bodaloc.exe
| Algorithm | Digest |
|---|---|
| MD5 | 07fe53e036adad9d34e2e66b1f28c1a9 |
| SHA1 | d0b6a82cf7d05776a8ca2edd1d4f04c79be1297f |
| SHA256 | 5578cbdc067a67fea314675b8a46857b112635cc47faad7fe7281fbbb601c5e1 |
| SHA512 | 5b5eab820e58b7f0660b15e4425aa10b9cd63f34a6ca4364a17a0f8c39556f0dede10c6fe2276a71b97bdae20752ffacd2df7f829bec851efddb1a4bc6256f26 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Algorithm | Digest |
|---|---|
| MD5 | 6f6c2cd458413ab1f676197c4edba2af |
| SHA1 | 81a206308a3271a19affab3b43f60378a14cbabd |
| SHA256 | b1c0d20fec10f8d1856dd8fdc2aac263ae0c40f09a05f19b3cb394ba2831846f |
| SHA512 | f07c272b3c073c5594c9759dc530641ae2e613ccddb43c86cc013c4c44fe02620be813b8f0bd6de73c07849359f4cc99f5cdd7b17593f0edabecf638b2483627 |
C:\LabZ6P\bodaloc.exe
| Algorithm | Digest |
|---|---|
| MD5 | d97523eb37cc9b1fd31db187689fb578 |
| SHA1 | 2daff9958151e843bf2d4c925e9ae4703ddc319d |
| SHA256 | b336785dc65f3cc904e243aca411ea2660ee63cba53aca3ebb2797fee4fea410 |
| SHA512 | cca378c10ddac19b9ecb1c630e635b3475f80738e862473a74092de6df06aca55bdcded24c427c0b7f7b9815e9c9019ddb63ef5efad8d44ea15acb470b22a0c1 |