Analysis Overview
SHA256: 61a97192b8a35e284934f5d2fa419da2a68ec532ab4cf2cb80146ffb57265721
Threat Level: Shows suspicious behavior
The file 61a97192b8a35e284934f5d2fa419da2a68ec532ab4cf2cb80146ffb57265721.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-13 14:02
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-13 14:02
Reported: 2024-11-13 14:04
Platform: win7-20240903-en
Max time kernel: 119s
Max time network: 21s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | C:\Users\Admin\AppData\Local\Temp\61a97192b8a35e284934f5d2fa419da2a68ec532ab4cf2cb80146ffb57265721.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| N/A | N/A | C:\SysDrv6F\aoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\61a97192b8a35e284934f5d2fa419da2a68ec532ab4cf2cb80146ffb57265721.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\61a97192b8a35e284934f5d2fa419da2a68ec532ab4cf2cb80146ffb57265721.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv6F\\aoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\61a97192b8a35e284934f5d2fa419da2a68ec532ab4cf2cb80146ffb57265721.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax6Y\\dobaec.exe" | C:\Users\Admin\AppData\Local\Temp\61a97192b8a35e284934f5d2fa419da2a68ec532ab4cf2cb80146ffb57265721.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\61a97192b8a35e284934f5d2fa419da2a68ec532ab4cf2cb80146ffb57265721.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrv6F\aoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\61a97192b8a35e284934f5d2fa419da2a68ec532ab4cf2cb80146ffb57265721.exe | "C:\Users\Admin\AppData\Local\Temp\61a97192b8a35e284934f5d2fa419da2a68ec532ab4cf2cb80146ffb57265721.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe" |
| C:\SysDrv6F\aoptisys.exe | C:\SysDrv6F\aoptisys.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\SysDrv6F\aoptisys.exe
C:\Galax6Y\dobaec.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\Galax6Y\dobaec.exe
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-13 14:02
Reported: 2024-11-13 14:04
Platform: win10v2004-20241007-en
Max time kernel: 119s
Max time network: 51s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | C:\Users\Admin\AppData\Local\Temp\61a97192b8a35e284934f5d2fa419da2a68ec532ab4cf2cb80146ffb57265721.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| N/A | N/A | C:\Adobe3C\xdobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe3C\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\61a97192b8a35e284934f5d2fa419da2a68ec532ab4cf2cb80146ffb57265721.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZRA\\dobaec.exe" | C:\Users\Admin\AppData\Local\Temp\61a97192b8a35e284934f5d2fa419da2a68ec532ab4cf2cb80146ffb57265721.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\61a97192b8a35e284934f5d2fa419da2a68ec532ab4cf2cb80146ffb57265721.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Adobe3C\xdobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\61a97192b8a35e284934f5d2fa419da2a68ec532ab4cf2cb80146ffb57265721.exe | "C:\Users\Admin\AppData\Local\Temp\61a97192b8a35e284934f5d2fa419da2a68ec532ab4cf2cb80146ffb57265721.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe" |
| C:\Adobe3C\xdobsys.exe | C:\Adobe3C\xdobsys.exe |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\Adobe3C\xdobsys.exe
C:\Adobe3C\xdobsys.exe
C:\LabZRA\dobaec.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\LabZRA\dobaec.exe