Analysis Overview
SHA256
104487b0354d53ce8b381a17c0adfa791dabd6324923b12732b8f4252d6b9635
Threat Level: Shows suspicious behavior
The file 104487b0354d53ce8b381a17c0adfa791dabd6324923b12732b8f4252d6b9635.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 14:42
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 14:42
Reported
2024-11-13 14:44
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\104487b0354d53ce8b381a17c0adfa791dabd6324923b12732b8f4252d6b9635.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\FilesH2\aoptiloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\104487b0354d53ce8b381a17c0adfa791dabd6324923b12732b8f4252d6b9635.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\104487b0354d53ce8b381a17c0adfa791dabd6324923b12732b8f4252d6b9635.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidMI\\optixsys.exe" | C:\Users\Admin\AppData\Local\Temp\104487b0354d53ce8b381a17c0adfa791dabd6324923b12732b8f4252d6b9635.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesH2\\aoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\104487b0354d53ce8b381a17c0adfa791dabd6324923b12732b8f4252d6b9635.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\104487b0354d53ce8b381a17c0adfa791dabd6324923b12732b8f4252d6b9635.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesH2\aoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\104487b0354d53ce8b381a17c0adfa791dabd6324923b12732b8f4252d6b9635.exe
"C:\Users\Admin\AppData\Local\Temp\104487b0354d53ce8b381a17c0adfa791dabd6324923b12732b8f4252d6b9635.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
C:\FilesH2\aoptiloc.exe
C:\FilesH2\aoptiloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\FilesH2\aoptiloc.exe
C:\VidMI\optixsys.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\VidMI\optixsys.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 14:42
Reported
2024-11-13 14:44
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\104487b0354d53ce8b381a17c0adfa791dabd6324923b12732b8f4252d6b9635.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\SysDrvYO\xbodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ60\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\104487b0354d53ce8b381a17c0adfa791dabd6324923b12732b8f4252d6b9635.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvYO\\xbodec.exe" | C:\Users\Admin\AppData\Local\Temp\104487b0354d53ce8b381a17c0adfa791dabd6324923b12732b8f4252d6b9635.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\104487b0354d53ce8b381a17c0adfa791dabd6324923b12732b8f4252d6b9635.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvYO\xbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\104487b0354d53ce8b381a17c0adfa791dabd6324923b12732b8f4252d6b9635.exe
"C:\Users\Admin\AppData\Local\Temp\104487b0354d53ce8b381a17c0adfa791dabd6324923b12732b8f4252d6b9635.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
C:\SysDrvYO\xbodec.exe
C:\SysDrvYO\xbodec.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\SysDrvYO\xbodec.exe
C:\LabZ60\dobdevec.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\LabZ60\dobdevec.exe