Analysis Overview
SHA256
2796fb9d5b265fda1474997832fc2dcefde7bb63253053a98d129b4e15920b17
Threat Level: Shows suspicious behavior
The file 2796fb9d5b265fda1474997832fc2dcefde7bb63253053a98d129b4e15920b17N.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 14:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 14:45
Reported
2024-11-13 14:47
Platform
win7-20240903-en
Max time kernel
119s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\2796fb9d5b265fda1474997832fc2dcefde7bb63253053a98d129b4e15920b17N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\IntelprocTO\devoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2796fb9d5b265fda1474997832fc2dcefde7bb63253053a98d129b4e15920b17N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2796fb9d5b265fda1474997832fc2dcefde7bb63253053a98d129b4e15920b17N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidCG\\optiaec.exe" | C:\Users\Admin\AppData\Local\Temp\2796fb9d5b265fda1474997832fc2dcefde7bb63253053a98d129b4e15920b17N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocTO\\devoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\2796fb9d5b265fda1474997832fc2dcefde7bb63253053a98d129b4e15920b17N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2796fb9d5b265fda1474997832fc2dcefde7bb63253053a98d129b4e15920b17N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocTO\devoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2796fb9d5b265fda1474997832fc2dcefde7bb63253053a98d129b4e15920b17N.exe
"C:\Users\Admin\AppData\Local\Temp\2796fb9d5b265fda1474997832fc2dcefde7bb63253053a98d129b4e15920b17N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
C:\IntelprocTO\devoptisys.exe
C:\IntelprocTO\devoptisys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
| MD5 | 4d9f7f5f3e256903cfdaf424f8779f78 |
| SHA1 | 1b07f1864a1d0d91aacc62e29a94c9d41e71b840 |
| SHA256 | f0bca21d18aee238ad3bfeba3d6d9254191c8751e91f345c2113306131e4c4be |
| SHA512 | 09518e626be150552681b598bb542ace4baf3e36430908a1830637abd51fcd9f72447711a2a4045506af3a773d0b7d56ef9d92718736e25d9fd8978be8bfc204 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | a8f858406e9272d23611885f8e31bc79 |
| SHA1 | 2ef324cc9edbbc09d5fdb599d92d51163666ab4b |
| SHA256 | 57e96b2182bd0c6225efe4020876b26b59d6e7c958cb9d307d40065168efcf08 |
| SHA512 | ff5c6647adcc86c1c7dc728db631b3b5febf4b8eaad368c3b767eb16e2d5ed0a16ab182494be2bb334eb5f134620f2ebbf0628521d42b3bda9f72af573386981 |
C:\IntelprocTO\devoptisys.exe
| MD5 | 5d01d499872182d5c263c001ef593141 |
| SHA1 | 690c178005f53323d70089d41153cbeb2d1b51fa |
| SHA256 | 99e0316cf5fed3489d6b1bfc860d1b7ddf3010c1dab464dedb2b1a97fc009781 |
| SHA512 | 93875b55ff1cd46660bcfad521e7a48702e3ff1636621e8ecd46e91e6ac1c2a74dd54cfb8c959eebb19d06263a80db142024142205ef498f43d7eb9f084da4a8 |
C:\VidCG\optiaec.exe
| MD5 | 5876ce6c8cf65de7d71033ebbb002593 |
| SHA1 | 6ef4669018ed46fa4152fb6ded08cd5e2d8a1430 |
| SHA256 | 5a560b704f36fcc2d86512fac76cea9881b362c8b995cff120098f9105a3f004 |
| SHA512 | f76d672745db62a756f470b9d9731bfe1e715b32c07dd926474acf6e0c67459648fb00465de0b58f75b80c611e056ee61da32debb7f2ad863cb7c115566fdff9 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 0c20f61091eae225f9960f1a01783039 |
| SHA1 | 96b1afa50c2aad6f2a801c1a9235b08e384ab5fe |
| SHA256 | 84348e3b4a0cef8be7a56ccf14d287f152b8dfe7d610c6ca395f0d6246e2f06c |
| SHA512 | 645faa28800c8523e638fbb2670675c42b6c7dc2b39efab7fd1d7cd7f2bedeb61cc48d6c6bf8bc1debb74dec21439d3c2a48b70621ce50f7ec29473ce2d26e41 |
C:\VidCG\optiaec.exe
| MD5 | 604efddb0fd710d48cda7c346692fd09 |
| SHA1 | ab3f053a3ca2fdec5c48e4fadc40b7898fc933da |
| SHA256 | 19afd7e5f06f06cca3f7abfcc9b95d1dcde063f2b181c71f119dd2b73f582ad7 |
| SHA512 | 6d40aa12865640cc85fcaeeb993a55f4debc93785ddc04c7ffad193ef37cd86e49aed07362e589685c337e2c7f3163f0823c96d82fa4fa96a811e560cafdc999 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 14:45
Reported
2024-11-13 14:47
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
105s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | C:\Users\Admin\AppData\Local\Temp\2796fb9d5b265fda1474997832fc2dcefde7bb63253053a98d129b4e15920b17N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| N/A | N/A | C:\IntelprocEJ\devoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocEJ\\devoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\2796fb9d5b265fda1474997832fc2dcefde7bb63253053a98d129b4e15920b17N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidDK\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\2796fb9d5b265fda1474997832fc2dcefde7bb63253053a98d129b4e15920b17N.exe | N/A |
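The persistence indicators in behavioral1 and behavioral2 above (a Run and a RunOnce value both named "Parametr", plus an executable written to the per-user Startup folder) are the kind of thing a host-based detection should catch regardless of the randomised directory names. The following is an added example, not part of the sandbox report and not the sample's code: it runs simple persistence rules over constructed Sysmon-style events whose registry targets, value data and image paths are copied from the two runs on this page. The event field names ("type", "target", "data", "image"), the benign control events and the naming-pattern regex are this example's own assumptions; the pattern regex only generalises what the two detonations here show (Intelproc + two capitals, Vid + two capitals, fixed value name "Parametr") and is not a family signature.

```python
import re

# Constructed Sysmon-style events.  Registry targets, data and image paths are
# copied from the behavioral1/behavioral2 indicators on this page; the field
# names are this example's own, not Sysmon's schema.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2796fb9d5b265fda1474997832fc2dcefde7bb63253053a98d129b4e15920b17N.exe"
HKU = r"\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000"
EVENTS = [
    {"type": "RegistryValueSet", "image": SAMPLE,
     "target": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "data": r"C:\IntelprocEJ\devoptisys.exe"},
    {"type": "RegistryValueSet", "image": SAMPLE,
     "target": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "data": r"C:\VidDK\bodaec.exe"},
    # benign control (constructed): an installer registering its updater under Program Files
    {"type": "RegistryValueSet", "image": r"C:\Program Files\Vendor\setup.exe",
     "target": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdate",
     "data": r'"C:\Program Files\Vendor\update.exe" /background'},
    {"type": "FileCreate", "image": SAMPLE,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"},
    # benign control (constructed): an ordinary document write
    {"type": "FileCreate", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\Admin\Documents\notes.txt"},
]

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.IGNORECASE)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(exe|dll|lnk|bat|cmd|vbs|js|ps1)$", re.IGNORECASE)
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# Naming pattern consistent across the two detonations on this page (IntelprocTO/IntelprocEJ,
# VidCG/VidDK, value name "Parametr").  A heuristic for this sample, not a family signature.
FAMILY_PATH_RE = re.compile(r"^C:\\(Intelproc[A-Z]{2}\\devoptisys|Vid[A-Z]{2}\\[a-z]+)\.exe$")


def command_image(data):
    """Pull the executable path out of Run-value data: a quoted path, or the first token."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def check_event(ev):
    """Return a list of human-readable findings for one event (empty if nothing trips)."""
    findings = []
    if ev["type"] == "RegistryValueSet":
        m = RUN_KEY_RE.search(ev["target"])
        if not m:
            return findings
        key, name = m.groups()
        exe = command_image(ev["data"])
        if not exe.lower().startswith(TRUSTED_PREFIXES):
            findings.append(f"{key} value {name} starts an executable outside trusted directories: {exe}")
        if name == "Parametr" or FAMILY_PATH_RE.match(exe):
            findings.append(f"{key} value {name} matches the naming pattern of this sample: {exe}")
    elif ev["type"] == "FileCreate" and STARTUP_RE.search(ev["target"]):
        findings.append("file dropped into the per-user Startup folder: " + ev["target"])
    return findings


def scan(events):
    """Return (image, finding) pairs for every event that trips a rule."""
    return [(ev["image"], f) for ev in events for f in check_event(ev)]


if __name__ == "__main__":
    for image, finding in scan(EVENTS):
        print(image)
        print("    " + finding)
```

Both malicious registry events trip two rules each (untrusted location and the sample-specific naming pattern) and the Startup drop trips one; the two constructed benign events produce nothing. The "outside trusted directories" rule is the durable one: on a real host, a Run value pointing at a freshly created top-level directory such as C:\IntelprocEJ is unusual whatever the directory is called.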
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2796fb9d5b265fda1474997832fc2dcefde7bb63253053a98d129b4e15920b17N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocEJ\devoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2796fb9d5b265fda1474997832fc2dcefde7bb63253053a98d129b4e15920b17N.exe
"C:\Users\Admin\AppData\Local\Temp\2796fb9d5b265fda1474997832fc2dcefde7bb63253053a98d129b4e15920b17N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
C:\IntelprocEJ\devoptisys.exe
C:\IntelprocEJ\devoptisys.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
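Every row in the Network table above is a reverse-DNS (PTR) query sent to 8.8.8.8, so the Destination column names only the resolver, not any host the machine talked to. The addresses actually being looked up are encoded in the Domain column with their octets reversed. The following is an added example, not part of the report: it decodes each in-addr.arpa name back to the address it asks about, and, going beyond what this page shows, also handles ip6.arpa names. The row data is a constructed copy of the table above; the page does not say whether these lookups were made by the sample or by Windows itself inside the sandbox VM, and behavioral1 on Windows 7 recorded no network activity at all, so treat the decoded addresses as leads rather than indicators.

```python
import ipaddress
import re

# Constructed copy of the behavioral2 Network table above: (Destination, Domain) per row.
NETWORK_ROWS = [
    ("8.8.8.8:53", "8.8.8.8.in-addr.arpa"),
    ("8.8.8.8:53", "83.210.23.2.in-addr.arpa"),
    ("8.8.8.8:53", "217.106.137.52.in-addr.arpa"),
    ("8.8.8.8:53", "64.159.190.20.in-addr.arpa"),
    ("8.8.8.8:53", "95.221.229.192.in-addr.arpa"),
    ("8.8.8.8:53", "241.150.49.20.in-addr.arpa"),
    ("8.8.8.8:53", "50.23.12.20.in-addr.arpa"),
    ("8.8.8.8:53", "198.187.3.20.in-addr.arpa"),
    ("8.8.8.8:53", "33.134.221.88.in-addr.arpa"),
    ("8.8.8.8:53", "172.214.232.199.in-addr.arpa"),
    ("8.8.8.8:53", "30.243.111.52.in-addr.arpa"),
]

NIBBLE = re.compile(r"^[0-9a-f]$")


def ptr_to_ip(name):
    """Map a reverse-DNS query name back to the address it asks about.

    Handles in-addr.arpa (IPv4, as on this page) and ip6.arpa (IPv6).  Returns
    None for anything that is not a complete host PTR name.
    """
    n = name.rstrip(".").lower()
    try:
        if n.endswith(".in-addr.arpa"):
            octets = n[: -len(".in-addr.arpa")].split(".")
            if len(octets) != 4:  # a partial zone name, not a host lookup
                return None
            return str(ipaddress.IPv4Address(".".join(reversed(octets))))
        if n.endswith(".ip6.arpa"):
            nibbles = n[: -len(".ip6.arpa")].split(".")
            if len(nibbles) != 32 or not all(NIBBLE.match(x) for x in nibbles):
                return None
            hexdigits = "".join(reversed(nibbles))
            groups = [hexdigits[i:i + 4] for i in range(0, 32, 4)]
            return str(ipaddress.IPv6Address(":".join(groups)))
    except ValueError:  # octet out of range or otherwise malformed
        return None
    return None


def decode_table(rows):
    """Return one record per PTR row: the address asked about, whether it is a
    public address, and whether it is simply the resolver's own address."""
    out = []
    for destination, domain in rows:
        ip = ptr_to_ip(domain)
        if ip is None:
            continue
        out.append({
            "query": domain,
            "address": ip,
            "global": ipaddress.ip_address(ip).is_global,
            # a PTR for the resolver itself is the client checking its DNS server, not a host lookup
            "resolver_self": ip == destination.rsplit(":", 1)[0],
        })
    return out


if __name__ == "__main__":
    for rec in decode_table(NETWORK_ROWS):
        print(f"{rec['query']:32} -> {rec['address']}" + ("  (resolver itself)" if rec["resolver_self"] else ""))
```

The first row decodes to the resolver's own address (8.8.8.8) and can be ignored; the other ten are the public addresses whose PTR records were requested. Checking those against passive DNS or WHOIS is the next step, but nothing on this page attributes them to the sample rather than to background OS traffic.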
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
| MD5 | d3ac786736c5c09ad7a7a37589059ee8 |
| SHA1 | 25c447f8e94f233495fe41370d01d1946ba94044 |
| SHA256 | 710c6e2f5b686baca739038d70ebf551818c97d2efa450522796bd0a9975c40a |
| SHA512 | efde1259c5506adcc309c1952c900237c0907aa7d453658828a6c0b5db9028dec89fafaa555c29edd6c77de9fdb768c966037cc1713b52e9d5157069365d1fef |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 6e402d68d7fc13a001ecd0acd3042f91 |
| SHA1 | aceb54635dc46479b8f7e9ada923a5ff71efe542 |
| SHA256 | f1e648130dc4898b0192ccc442cc3c5dd64acdf3ff36cc26f3ac9227af6d6ffd |
| SHA512 | 12bb8337ec892b5b41fcfe0d0e46105cff3521f9e43030669b32d65edaaa9a8f081653978fb44e4048d053fac04ce436dde237a31f16cb94d7d65f11f9a0684f |
C:\IntelprocEJ\devoptisys.exe
| MD5 | 46c6714a0dcc23879625434fbdf46856 |
| SHA1 | 5cb921e41601fadb303ad68f0223f62c99eb805d |
| SHA256 | 0d9e2b59b2e52438e448add2e1316072a5c2cd7622972dea0e70ace8cccd6320 |
| SHA512 | c3e6d71763a7040d3badb1ceff49d63b58d7399fed65e064f75384e595f04e4b24e51c0129bd1e367e31bc1d78c54d1780b6c24b53877a3029002c54aa1c7cf7 |
C:\IntelprocEJ\devoptisys.exe
| MD5 | e9f8e9455b0e8e02ac62ad25dd233f1f |
| SHA1 | 9eb8677ede049125305270930455e19a36394464 |
| SHA256 | ba58493018acd4fb0693977e8ec747c9212945d7f482a482eabda98ad62069e4 |
| SHA512 | b04faba91a20ea3b7b3cf21aa67c4b7f409c6f069b280723bbbe178dd6fdcfde3b8bb7fab43fd402358e6f5a1c7bfee4d46c655ec45a833b98567de7ea5ae63b |
C:\VidDK\bodaec.exe
| MD5 | f1bae7656eb59a370b6eb014d52657f8 |
| SHA1 | b145a3c877ad3eaec64f51b0aeecf5234a78383d |
| SHA256 | 820ef572aad7aa8c083f5a770947add8d037b4ac8af43698556a952e35e56d87 |
| SHA512 | 63a5dc6178230fe3f8a5df1488275fd7e78a9cac3998db94bd7cb7df3c29ecf496ab62761d964a77c13db56bc98331407c818724b451f029619525756e9e32bc |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | ce36f060add702b0d018eafe6dfe2b33 |
| SHA1 | 0787e8fe45d4b646d38f5d8da18fc45ce8524643 |
| SHA256 | 7ac065b91c27ae356fad3a7f3e67fb87b6624e85cc2236da0a53020993ab29fa |
| SHA512 | 42467566f290e3533666c603e7bab871c67d912a9eb2668023069ff76c9dbd21500ba6051deb090023fa28bf384d841999387345a1292298450d8b5ce09d8d2a |
C:\VidDK\bodaec.exe
| MD5 | affb54f7c8ce5620f081cef0b7c63361 |
| SHA1 | 734427e73724a3a9b5e04b5c65fe459fff0a7a64 |
| SHA256 | 04285cae8474228c82144ed6a19b0ffd04ad3df1f7ba7c5f46d4f41ca78e0601 |
| SHA512 | 3878b5b78041c2cb44583241aeecca691ac2016369c703eab2750ce83101156fb5a1924f80a752cb53b6f8624a4ed22617c79e678eb8235d25cd45ffd0f45c23 |
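Two things in the Files sections above are worth pulling out before any of these hashes are turned into indicators. First, several paths are listed twice with different digests (C:\IntelprocEJ\devoptisys.exe, C:\VidDK\bodaec.exe and the .ini file in behavioral2; the same three roles in behavioral1), so each file was written more than once with different content, and a single hash of "the dropped file" is not a reliable IOC. Second, the dropped file names differ between the two runs (sysaopti.exe against locxdob.exe, IntelprocTO against IntelprocEJ, VidCG against VidDK) while devoptisys.exe and the "Parametr" value name stay fixed, and the .ini name embeds the platform version (6.1 on Windows 7, 10.0 on Windows 10) and the user name; the leading number 253086396416 is identical in both runs and is not explained on this page. The following is an added example, not part of the report: it parses the report's Files layout (a path line followed by pipe-delimited hash rows), flags paths that appear with more than one SHA256, and normalises the per-run random directory suffix so paths from different detonations compare equal. The embedded text is a constructed copy of the behavioral2 Files section trimmed to the MD5 and SHA256 rows; the normalisation regex is a heuristic derived only from the two runs shown here.

```python
import re
from collections import defaultdict

# Constructed copy of the behavioral2 "Files" section above, trimmed to MD5 and SHA256 rows.
FILES_SECTION = r"""
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
| MD5 | d3ac786736c5c09ad7a7a37589059ee8 |
| SHA256 | 710c6e2f5b686baca739038d70ebf551818c97d2efa450522796bd0a9975c40a |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 6e402d68d7fc13a001ecd0acd3042f91 |
| SHA256 | f1e648130dc4898b0192ccc442cc3c5dd64acdf3ff36cc26f3ac9227af6d6ffd |
C:\IntelprocEJ\devoptisys.exe
| MD5 | 46c6714a0dcc23879625434fbdf46856 |
| SHA256 | 0d9e2b59b2e52438e448add2e1316072a5c2cd7622972dea0e70ace8cccd6320 |
C:\IntelprocEJ\devoptisys.exe
| MD5 | e9f8e9455b0e8e02ac62ad25dd233f1f |
| SHA256 | ba58493018acd4fb0693977e8ec747c9212945d7f482a482eabda98ad62069e4 |
C:\VidDK\bodaec.exe
| MD5 | f1bae7656eb59a370b6eb014d52657f8 |
| SHA256 | 820ef572aad7aa8c083f5a770947add8d037b4ac8af43698556a952e35e56d87 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | ce36f060add702b0d018eafe6dfe2b33 |
| SHA256 | 7ac065b91c27ae356fad3a7f3e67fb87b6624e85cc2236da0a53020993ab29fa |
C:\VidDK\bodaec.exe
| MD5 | affb54f7c8ce5620f081cef0b7c63361 |
| SHA256 | 04285cae8474228c82144ed6a19b0ffd04ad3df1f7ba7c5f46d4f41ca78e0601 |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$", re.IGNORECASE)
EXPECTED_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files_section(text):
    """Parse the report's Files layout into {path: [ {alg: digest, ...}, ... ]}.

    Each time a path line recurs it starts a new digest dict, so a path that the
    sandbox listed twice ends up with two entries.  Pass only the section body
    (no "Files" heading), since any non-hash line is taken as a path.
    """
    records = defaultdict(list)
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is None:
                raise ValueError("hash row before any path: " + line)
            current[m.group(1).upper()] = m.group(2).lower()
        else:
            current = {}
            records[line].append(current)
    return dict(records)


def rewritten_paths(records):
    """Paths listed more than once with differing content (distinct SHA256 values)."""
    return sorted(p for p, hs in records.items() if len({h.get("SHA256") for h in hs}) > 1)


def stable_path_pattern(path):
    """Collapse the per-run two-letter suffix seen in both detonations above
    (IntelprocTO/IntelprocEJ, VidCG/VidDK) so paths from different runs compare equal.
    Heuristic from the two runs on this page only."""
    return re.sub(r"\\(Intelproc|Vid)[A-Z]{2}\\", r"\\\1??\\", path)


def digests_well_formed(records):
    """True when every digest has the length its algorithm requires (catches truncated copies)."""
    return all(len(d) == EXPECTED_LEN[a] for hs in records.values() for h in hs for a, d in h.items())


if __name__ == "__main__":
    recs = parse_files_section(FILES_SECTION)
    for p in rewritten_paths(recs):
        print("written more than once with different content:", p)
        print("   cross-run form:", stable_path_pattern(p))
```

Three of the four paths come back from rewritten_paths, so for this sample the stable indicators are the fixed file name devoptisys.exe, the "Parametr" value name and the directory shapes, not any one digest. Keep all listed digests anyway: the copy on disk after detonation is the one a retro-hunt across endpoints will actually find.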