Analysis Overview
SHA256
943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353
Threat Level: Shows suspicious behavior
The file 943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 13:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 13:57
Reported
2024-11-13 13:59
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | C:\Users\Admin\AppData\Local\Temp\943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| N/A | N/A | C:\Intelproc6V\aoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc6V\\aoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxQI\\bodxec.exe" | C:\Users\Admin\AppData\Local\Temp\943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Intelproc6V\aoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe
"C:\Users\Admin\AppData\Local\Temp\943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
C:\Intelproc6V\aoptiec.exe
C:\Intelproc6V\aoptiec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
| Hash | Value |
|---|---|
| MD5 | 3a62edcc6030bd85a4099ca4dd80450d |
| SHA1 | a12a072143806fb9fc192705cc1ebd7a564133da |
| SHA256 | 66ee382ea500f237b55e5497cc9938b6c1a33d0d3efdb33aabe458c735d98029 |
| SHA512 | 84c86d43981a2c75add25e9c9e08c45f410064794bfaac64eca7fbef9526eff2ef1d61fb06a45888fb344648cd52065570b847a297a43667b43cdbfbe4ec59b7 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 2b81e6884cfe14868ed208e3d77e0c88 |
| SHA1 | 2cba0f09c4948f7c59eeacc478396d493b1e9c96 |
| SHA256 | 050040fce147c64f2022bd74e8034ab61ca365bf56154bface0ab9bd5f763a6a |
| SHA512 | 789bb07ac79e5d094b36d7aa0eb76b476763b1fab690fc1c73aa192a2a8baa37fe708fe1d923a6ae568aa7936d6da3f1a9b0f953efdcc8b2f04848eface12caa |
C:\Intelproc6V\aoptiec.exe
| Hash | Value |
|---|---|
| MD5 | bceeb783568178019cfa9ce19da30a69 |
| SHA1 | 3918c6d01f7a27b2a71133015ea935c5555085ff |
| SHA256 | 41737594ceef89e9d4d0389deb11f042ea5d02e903e1359b3110a565e7c0b1bd |
| SHA512 | 7f5f1ad508c1398430e588ab45f558d602b62af4ef7015ce011fe61ef27edee18de0252583558376c713ddc3fdba30604a1b0746cd79acd745c19075f7a1bbf0 |
C:\GalaxQI\bodxec.exe
| Hash | Value |
|---|---|
| MD5 | 87ab0b020aded2d0bfce4ab0a9da2292 |
| SHA1 | 7bf0c19e7588737ad424a4c472653c2fa17c36bd |
| SHA256 | 1c920b36ab3e2286cdaeaf468a23e7f2a21aaec85f424031d742b443fc300693 |
| SHA512 | 5e51e18d71e5e16aeec15a6d42dc28a66a8cfa8f3ee07dbc88f5bb5915b0aa0e64975647351b4e87dfa9aaf3afd2e882292e1c559dffb65302cca6c94e8af067 |
C:\Intelproc6V\aoptiec.exe
| Hash | Value |
|---|---|
| MD5 | c3bdba2be798e539dd11f214b2a1162a |
| SHA1 | 34eb55a22d8bd869abe8f9f080f7a2ccbd3c23df |
| SHA256 | 14dc162ae13b4322b3689c94cfe65848dd07f810518af9bc3be5598d52f897ed |
| SHA512 | 9663ea9f93cbec70dcb9db0d811916888ce98c45f9e9c15b2c10103c81829f28c8d8390abc6849df0f449857208754e8da807ee21f531eb417cbfc31c619d037 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 477c9dc0ccdd7be4ad3d4433ea7b8807 |
| SHA1 | 03c32efbe585c089c882e1adc3586eed68c9197a |
| SHA256 | 13a9ab85cacd1572eed87984b3ac55081512389da82e243887d470a4523d17f5 |
| SHA512 | 62c9df1e8c47f54a529318f6249a73d445f4242ca35f1a039ad3e15d0e2b48ee5f070c10f27cf29031dbefc1788a9af1e0964f5e20f09c245ad21617d652e0aa |
C:\GalaxQI\bodxec.exe
| Hash | Value |
|---|---|
| MD5 | e80ade7701d3be3a1f00c21fa282a787 |
| SHA1 | 2d2bf04e9e64d43cc9c8fe5630b21e3836cef37f |
| SHA256 | 5015b552a359213dcfa148b09249e8f164afb93327ca5b796feb7b32498b18ba |
| SHA512 | 4034af83235b22e9dffee7fbc8d2ee978103ba600228c7d821059c9a877cadfafa3661aed2540d42230c4f54afafc542d8eb538a91b6726a6475f78109ea5b0e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 13:57
Reported
2024-11-13 13:59
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | C:\Users\Admin\AppData\Local\Temp\943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| N/A | N/A | C:\FilesP0\aoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesP0\\aoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintCR\\optixloc.exe" | C:\Users\Admin\AppData\Local\Temp\943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesP0\aoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe
"C:\Users\Admin\AppData\Local\Temp\943e7e49df3bfe80e5b4eb36f43e07a4e3fe22b37bc3552f0a208828e21ca353N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
C:\FilesP0\aoptiloc.exe
C:\FilesP0\aoptiloc.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
| Hash | Value |
|---|---|
| MD5 | 1858afaf2bc7659da41969f5772091d8 |
| SHA1 | 85b63e2cec40a4b4af5a1a64419af85f2d78bdec |
| SHA256 | 06dd07a6b87b810089ce39dee9154dbace2eca05473075913d1e1c9910eaff9a |
| SHA512 | 182235a91b2202ff3a7918eae3f16046ac8c31ccac312d10cdc99bc25851ffc7a5f6987afc58e0aaa36c0b543306a72543547c5766e031af2b41ee4a9e2cb681 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 34d3fe86bf098731ff51cd2b420bbdaa |
| SHA1 | 55f1418d0ff7f6b71ab19eaa0a8722456a6fda60 |
| SHA256 | 962642b00047fcb93a21f5d6f153388d2c81271dc0cb61eb45f4fe3c01fc95e4 |
| SHA512 | c7f06a8a963f8df32fadebb3414e8983e42915ca65c81b7467da7f2d6bfc9188111f40a47d0e0e62c2b80b74f66a5afe0cdc0c1d8bb44d8fd997e08088c9de60 |
C:\FilesP0\aoptiloc.exe
| Hash | Value |
|---|---|
| MD5 | 105376f95e3a7fc442938397d2600fce |
| SHA1 | 1efa3ca9787c87edd678830dfb30225a07601654 |
| SHA256 | 5b21dc91d07193582beb446c88fd26a6e520d88e6f1fddb2cecf3a20bf0bff7f |
| SHA512 | 93108f58d0678fc62abc87e7593edf5ffbf9a12859c83c872457f06cbaf1f191d5d3e8249450854229b875ea9b5a157503aaf158911a4ed9de415188ea0c779f |
C:\MintCR\optixloc.exe
| Hash | Value |
|---|---|
| MD5 | 820ca0c38cb9749b1df9ddceb26e207d |
| SHA1 | 20dc3de64d15df1a2dbb04e7428a1f2b6771ba7c |
| SHA256 | d0abcb2a8ed39a19cf25c63fc9b4fdbe3866bfe364feb33a8ea359cad0403dd8 |
| SHA512 | c4552c12873a55622b0e39d8d69ef91ac7772b2209d5083c06a51ce9adbde60bcdb4ae1ff8fc0124b793748d1a83fd32c96ba3d6ae3c8d821081c665abe22ec4 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | ad4a9e145d45266ae956d1a69fc05a9b |
| SHA1 | f48b0651770597447a76bf5238fc6fbf88026213 |
| SHA256 | a1bd68dc2876026459d343dc6e673fede62204e56ec1b22c3331ba68afd1fc30 |
| SHA512 | eecf1563a2bedd952ff6d61c09c5e5a96728772fdbe1e8c32b1f12e4ed0f3341e2b29d123d87630388dfbff68df0baf9630d9941f48a5c6789f51515250f690c |
C:\MintCR\optixloc.exe
| Hash | Value |
|---|---|
| MD5 | b74c4aa52b4bb01bdc7c19d9e37660d9 |
| SHA1 | 7328b82067434d1f2d5b46644fa126ef24c170e2 |
| SHA256 | 99cb60ceff99b1e4c55ad76ca84e83d7081e55e5a7db66a277b44d0a55ee07ef |
| SHA512 | bbf0d156f7ff9aa41ca9c7aeefe824b3698d8388af787defda348fcf5ecf21f737bdd21b6f7626428b98ffd43caacc90678ee7163887224fffd690a021c70bf6 |