Analysis Overview
SHA256: 86b692ce840b0f7053327b44895b33dd8a5893ea32c42e3bf9e0f659a270d2e2
Threat Level: Shows suspicious behavior
The file 86b692ce840b0f7053327b44895b33dd8a5893ea32c42e3bf9e0f659a270d2e2.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Drops startup file
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-13 13:53
Signatures
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-13 13:53
Reported: 2024-11-13 13:55
Platform: win10v2004-20241007-en
Max time kernel: 120s
Max time network: 94s
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | C:\Users\Admin\AppData\Local\Temp\86b692ce840b0f7053327b44895b33dd8a5893ea32c42e3bf9e0f659a270d2e2.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| N/A | N/A | C:\SysDrv06\aoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv06\\aoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\86b692ce840b0f7053327b44895b33dd8a5893ea32c42e3bf9e0f659a270d2e2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintWO\\optixsys.exe" | C:\Users\Admin\AppData\Local\Temp\86b692ce840b0f7053327b44895b33dd8a5893ea32c42e3bf9e0f659a270d2e2.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\86b692ce840b0f7053327b44895b33dd8a5893ea32c42e3bf9e0f659a270d2e2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrv06\aoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\86b692ce840b0f7053327b44895b33dd8a5893ea32c42e3bf9e0f659a270d2e2.exe | "C:\Users\Admin\AppData\Local\Temp\86b692ce840b0f7053327b44895b33dd8a5893ea32c42e3bf9e0f659a270d2e2.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe" |
| C:\SysDrv06\aoptisys.exe | C:\SysDrv06\aoptisys.exe |
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\SysDrv06\aoptisys.exe
C:\MintWO\optixsys.exe
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-13 13:53
Reported: 2024-11-13 13:55
Platform: win7-20241010-en
Max time kernel: 119s
Max time network: 119s
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | C:\Users\Admin\AppData\Local\Temp\86b692ce840b0f7053327b44895b33dd8a5893ea32c42e3bf9e0f659a270d2e2.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| N/A | N/A | C:\SysDrvZX\devoptiloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\86b692ce840b0f7053327b44895b33dd8a5893ea32c42e3bf9e0f659a270d2e2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\86b692ce840b0f7053327b44895b33dd8a5893ea32c42e3bf9e0f659a270d2e2.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvZX\\devoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\86b692ce840b0f7053327b44895b33dd8a5893ea32c42e3bf9e0f659a270d2e2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintLF\\optialoc.exe" | C:\Users\Admin\AppData\Local\Temp\86b692ce840b0f7053327b44895b33dd8a5893ea32c42e3bf9e0f659a270d2e2.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvZX\devoptiloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\86b692ce840b0f7053327b44895b33dd8a5893ea32c42e3bf9e0f659a270d2e2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\86b692ce840b0f7053327b44895b33dd8a5893ea32c42e3bf9e0f659a270d2e2.exe | "C:\Users\Admin\AppData\Local\Temp\86b692ce840b0f7053327b44895b33dd8a5893ea32c42e3bf9e0f659a270d2e2.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe" |
| C:\SysDrvZX\devoptiloc.exe | C:\SysDrvZX\devoptiloc.exe |
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\SysDrvZX\devoptiloc.exe
C:\MintLF\optialoc.exe