Analysis Overview
SHA256
f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59
Threat Level: Shows suspicious behavior
The file f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Drops startup file
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 17:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 17:21
Reported
2024-11-12 17:23
Platform
win7-20241010-en
Max time kernel
120s
Max time network
19s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | C:\Users\Admin\AppData\Local\Temp\f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| N/A | N/A | C:\Files8L\abodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files8L\\abodloc.exe" | C:\Users\Admin\AppData\Local\Temp\f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxGU\\optixec.exe" | C:\Users\Admin\AppData\Local\Temp\f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Files8L\abodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe | "C:\Users\Admin\AppData\Local\Temp\f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe" |
| C:\Files8L\abodloc.exe | C:\Files8L\abodloc.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
| MD5 | 82fcae6015a681b350226948f5e3f935 |
| SHA1 | 1a32d4f9702fa5822e14a579e59bb13062a0b6ee |
| SHA256 | 152d10d2e6a0290b3a7ed08c777a089baab1709e8f2f5d8e7251d1a90f55a173 |
| SHA512 | 9803b951c9f66747e80de51e7a6fc400f29b0ca24478619a59dc904f5e21ed4c7ff7d184f118d1fe658fa54d0ce2e4f42d0590a503f1ba2bf4f8eaf631a5ee13 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | a4adcc1d879c6d2ed5a199b9f2e0695c |
| SHA1 | 11221ce860e6460d14327a7fd260afd843e90d26 |
| SHA256 | ef1516b072fd86c047980be60a7d836b2ca3fb0521dd69c682aa878f17df779c |
| SHA512 | 4b3413f7c256758b8fa6eebe9e431e4f9c4af0e1c1b3aed579993fe1919cecedb892daf64af0f8a24cf84e41ada4a7dcae02eb2129d840da137ceaa55dcb4c44 |
C:\Files8L\abodloc.exe
| MD5 | 89ca8e830854f8012259773a61dc967f |
| SHA1 | 4b1f18f8884a4386f9c1d3f783e64c0ce5465b4c |
| SHA256 | 5d31f1cbd39bdcc27c869391feea93cb3196b358d1840342cd608f924c30c35b |
| SHA512 | b27170accc643bb635b6ac658e7c4d9e60b9dd84218f8df34f467f70e836f398a18b32957cdda68a460310069d765b9b6cc8054e3328456e6687c875260d40c2 |
C:\GalaxGU\optixec.exe
| MD5 | 33696980be08d5cdb6dcee573706ba56 |
| SHA1 | 83a39601efa6bfa2ba8411f1163bb79cb9e70e7a |
| SHA256 | 7698eb111cbf3b2cb8b54316741983a72def0d0a5328fe04178328bd727a8c0a |
| SHA512 | 1a468048aadd7b4269b5f4399a4609b9471fbb2e66648aefe1dc981214f2a4c0b733f677c3b2302c08889d9f59a6a3445df528a779288c7aee7417be0c1e0ba7 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 49e043eab4cd37be3bf7196f5b57dfe7 |
| SHA1 | 067094ade56f3a914e745549b74e4b46ad28f46f |
| SHA256 | 36df1efce577221afa9e2f48587406af339b87cc8d3ab49b723a798e4215607a |
| SHA512 | 7eb611245db2d4b1d5d98f82da53a51e3ff7395bed0434c7d9b10a8d6bb4ea466dd425bef2b4ad63be468c776e17e9f3a4bbf719c0f2f19a09529ef49860b798 |
C:\GalaxGU\optixec.exe
| MD5 | dde4a13fa75a2b5e813b5ca62b1ad98c |
| SHA1 | dcf35fac07d7c9c4f286b575647b71fae7d6988e |
| SHA256 | 3fbbc23426607535e589c5bdc94808807cb759e33b2a943ed1b532f6c0e1c643 |
| SHA512 | 6f43ecda17cc5a3074a9ace8333a848829b60254ee71cd953b0263334e7a25bb34e7424bd4a8f995127f9d7cb973daa5fc36573e68a9f2836758d6ae0e1297ba |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 17:21
Reported
2024-11-12 17:23
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
97s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | C:\Users\Admin\AppData\Local\Temp\f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| N/A | N/A | C:\SysDrvY1\aoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintOA\\optiaec.exe" | C:\Users\Admin\AppData\Local\Temp\f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvY1\\aoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvY1\aoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
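Both detonations above agree on the persistence pattern: an .exe is dropped into the user's Startup folder, a Run value and a RunOnce value both named Parametr are set to executables in freshly created directories directly under C:\ (Files8L and GalaxGU on win7, SysDrvY1 and MintOA on win10), and the Run-key executable is then started. The following is an added example, not part of this report or of the sandbox's own tooling, that turns those observations into hunting checks over Sysmon-style telemetry. The event dictionary layout, the rule names and the KNOWN_ROOT_DIRS allow-list are assumptions; the sample events are constructed from the behavioral1 indicators listed above plus two benign controls.

```python
# Added example: hunting checks derived from this report's persistence
# indicators. Not part of the sandbox output. The event layout (dicts with
# 'event', 'image', 'target', 'data', 'cmdline') is an assumption standing
# in for Sysmon event IDs 11 (file create), 13 (registry set) and 1
# (process create); map your own telemetry fields onto it.
import re
from dataclasses import dataclass

# Directories that exist directly under the drive root on a default Windows
# install (assumed allow-list; extend it for your estate). The report's
# Files8L, GalaxGU, SysDrvY1 and MintOA are not among them.
KNOWN_ROOT_DIRS = {
    "windows", "program files", "program files (x86)", "programdata",
    "users", "perflogs", "$recycle.bin", "system volume information",
    "recovery", "inetpub", "documents and settings",
}
# Value name used for both the Run and the RunOnce entry in both detonations.
SUSPICIOUS_VALUE_NAMES = {"parametr"}

# Matches HKCU\...\Run\<name>, HKEY_CURRENT_USER\... and the
# \REGISTRY\USER\<SID>\... form the report uses; RunOnce as well.
RUN_KEY_RE = re.compile(
    r"(?:^|\\)(?:REGISTRY\\USER\\S-1-5-21-[\d-]+|HKCU|HKEY_CURRENT_USER)"
    r"\\software\\microsoft\\windows\\currentversion\\(run|runonce)\\([^\\]+)$",
    re.IGNORECASE,
)
# Per-user Startup folder, .exe only (the report shows ecxdob.exe/locxdob.exe).
STARTUP_EXE_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\microsoft\\windows\\"
    r"start menu\\programs\\startup\\[^\\]+\.exe$",
    re.IGNORECASE,
)
# Exactly <drive>:\<dir>\<file>.exe, i.e. an executable one level below root.
ROOT_EXE_RE = re.compile(r"^[a-z]:\\([^\\]+)\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass
class Hit:
    rule: str
    process: str
    detail: str


def _clean(s: str) -> str:
    """Drop surrounding quotes and the doubled backslashes the report prints."""
    return s.strip().strip('"').replace("\\\\", "\\")


def exe_in_unknown_root_dir(path: str) -> bool:
    """True for C:\\Files8L\\abodloc.exe, False for C:\\Windows\\notepad.exe."""
    m = ROOT_EXE_RE.match(_clean(path))
    return bool(m) and m.group(1).lower() not in KNOWN_ROOT_DIRS


def check_event(ev: dict) -> list:
    """Return every Hit the rules raise for one event (empty list if benign)."""
    hits = []
    kind, proc = ev.get("event"), ev.get("image", "")
    if kind == "file_create" and STARTUP_EXE_RE.match(ev.get("target", "")):
        hits.append(Hit("startup_folder_exe_drop", proc, ev["target"]))
    elif kind == "registry_set":
        m = RUN_KEY_RE.search(ev.get("target", ""))
        if m:
            where = f"{m.group(1)}\\{m.group(2)} = {_clean(ev.get('data', ''))}"
            if m.group(2).lower() in SUSPICIOUS_VALUE_NAMES:
                hits.append(Hit("run_key_known_value_name", proc, where))
            if exe_in_unknown_root_dir(ev.get("data", "")):
                hits.append(Hit("run_key_exe_in_unknown_root_dir", proc, where))
    elif kind == "process_create" and exe_in_unknown_root_dir(proc):
        hits.append(Hit("process_from_unknown_root_dir", proc, ev.get("cmdline", "")))
    return hits


def scan(events) -> list:
    return [h for ev in events for h in check_event(ev)]


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe"
SID_RUN = r"\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion"
# Constructed from the behavioral1 indicators in this report, plus two benign
# controls (a normal OneDrive Run entry and a process under Program Files).
SAMPLE_EVENTS = [
    {"event": "file_create", "image": DROPPER,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"},
    {"event": "registry_set", "image": DROPPER, "target": SID_RUN + r"\Run\Parametr",
     "data": r'"C:\\Files8L\\abodloc.exe"'},
    {"event": "registry_set", "image": DROPPER, "target": SID_RUN + r"\RunOnce\Parametr",
     "data": r'"C:\\GalaxGU\\optixec.exe"'},
    {"event": "process_create", "image": r"C:\Files8L\abodloc.exe", "cmdline": r"C:\Files8L\abodloc.exe"},
    {"event": "registry_set", "image": r"C:\Windows\explorer.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"event": "process_create", "image": r"C:\Program Files\Git\bin\git.exe", "cmdline": "git status"},
]

if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(f"{h.rule:34} {h.process}\n{'':34} {h.detail}")
```

Run against the constructed events the four sample indicators raise six hits (the Run and RunOnce writes each trip both the value-name and the unknown-root-directory rule) and the two controls raise none. The unknown-root-directory rule is the one that generalises beyond this sample: the value name Parametr and the four directory names are trivially changed between builds, whereas an autorun entry pointing one level below the drive root is rare in a managed estate and cheap to review.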
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe | "C:\Users\Admin\AppData\Local\Temp\f7b760371515fbd10bd9d3c5b770e1132192aeea568f538415ab8036c94cca59N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe" |
| C:\SysDrvY1\aoptiec.exe | C:\SysDrvY1\aoptiec.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
All twelve entries are reverse (PTR) lookups sent to 8.8.8.8 over UDP/53; the queried in-addr.arpa names correspond to the addresses 8.8.8.8, 52.191.219.104, 199.232.214.172, 40.126.31.71, 192.229.221.95, 52.140.118.28, 4.175.87.197, 52.165.164.15, 84.201.209.75, 84.201.209.104, 84.201.209.101 and 52.111.227.11. No forward lookups and no TCP connections or HTTP requests are recorded for this detonation, and the win7 detonation (behavioral1) lists no network entries at all, so the report contains no contactable command-and-control indicator; the file hashes and the persistence artifacts above are the usable IOCs.
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
| MD5 | b0db2fc4c001e1678b8463652484550e |
| SHA1 | 327afef2fe550e9ce3109d435614e65c4c03c932 |
| SHA256 | 0543244fabbd49892985f4b4a84b8e767a2605fb057cc9544959ba25ca61ad75 |
| SHA512 | d6efc49f9e417fb829705cba251062679ed2bf7b049dfc642c42f3562e6361f61bf94354f2dad43ded771bf3f4677a5e50ed1077186a6399748bdb4b486b07f9 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 395aed0919abbcedad21936d19aacc03 |
| SHA1 | 77d75bdf52c71dba2c6c5bb4cefff4a8e1995915 |
| SHA256 | a70ec56985027423d31c14828727e5ac6ec5b2dfd3f90a00272b9996ed1a9e30 |
| SHA512 | f5a20d38d4f8d808f5f2576dc101a6f40c0a81d7408f0fca2395318faec833bf29abff8749c245fd09f5e666fc99d9437c3070b4347193add46187e401c288af |
C:\SysDrvY1\aoptiec.exe
| MD5 | baebd565738a73b1785d23f85b9b1880 |
| SHA1 | 3e776227196d9cbee3a9edf120876f20e6af105e |
| SHA256 | d451bfb56a9629b7c961f22f94e615ae1d66d53c909dab9ab26f8c2232159dd7 |
| SHA512 | 3bc0de8b170643c38e93f2b6c116204a135a96435b5202c60c580af12b14787eda2041a92b0dfede92dceb5ad1f7dd232671d472556ccdd7bae26dd1918902a0 |
C:\SysDrvY1\aoptiec.exe
| MD5 | 63500340a71f9a11b60ec273155857aa |
| SHA1 | c10f4d8b64900a0a3c1513a0d704eca7dca02ccb |
| SHA256 | 384150a36cd9cdae9137632bd6df57ee2933342a01746e2f51b45c165586be62 |
| SHA512 | 442a22fca97b7a23364bb31d68cd14b1169ad42e24d5f9e5eae933fc1584206b7772089f2adc8acd0dac30e4813cae8356188e3094ab6d86d324a5834a7b3720 |
C:\MintOA\optiaec.exe
| MD5 | 7194af4ca8b5784e038c373119d798e5 |
| SHA1 | 9c114add88126c1358d7020ca7697c5b0528ea2d |
| SHA256 | f49a5b25906bde4ad4744acd2ddf6b578eb40dcaee1e76a6cce91e836ac9e050 |
| SHA512 | dea51aa435f72ea947472a3d1ccdf8ab4c514fe964d86c9fdfb0484772ee56ab728d2b0ca997da1d392b38e9abbc4526ec702dbc83c527a01e04264766012992 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | d259cd59da211a5963f7c7745cb9033e |
| SHA1 | 7fdb1c2fa136356e711bff75cf69608592c28474 |
| SHA256 | fe8890279e68e45d6c132ad93c473cf2608b33715324407da16ebcfc1fb0b6a0 |
| SHA512 | f536475d52e90f654e23d10a30bde3408a50afbf200d5325cd349aca1cd7a5fe7a455159b30071cbdb54e9935aa31f5269f8946c3d1a6c9e8a9bdc5e1bab9b51 |
C:\MintOA\optiaec.exe
| MD5 | f1532f6d4577f6c53a5b165b06d12fbe |
| SHA1 | f3c0c35d06ed9298996e1b5fb93d43354c4eaac5 |
| SHA256 | 4e1e07606d8cb72bb98ed4392c64962ac7fa5f0e029d7daf06a60a7b44d8fdb3 |
| SHA512 | 10934786bb2fb62e6c0c40a4b81f18acd3d993fae996b7a3f2a67ac108971e6e288d47e4146e8baecdb87e7a9be5275022879d44403e750d83abe02c73d85043 |