Analysis Overview
SHA256
bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1
Threat Level: Shows suspicious behavior
The file bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Drops startup file
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 14:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 14:02
Reported
2024-11-13 14:04
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | C:\Users\Admin\AppData\Local\Temp\bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| N/A | N/A | C:\UserDotP5\devoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotP5\\devoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ8F\\optixloc.exe" | C:\Users\Admin\AppData\Local\Temp\bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotP5\devoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe
"C:\Users\Admin\AppData\Local\Temp\bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
C:\UserDotP5\devoptiec.exe
C:\UserDotP5\devoptiec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\UserDotP5\devoptiec.exe
C:\LabZ8F\optixloc.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\LabZ8F\optixloc.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 14:02
Reported
2024-11-13 14:04
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
51s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | C:\Users\Admin\AppData\Local\Temp\bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| N/A | N/A | C:\FilesK5\xoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesK5\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxW7\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesK5\xoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe
"C:\Users\Admin\AppData\Local\Temp\bc7950afc7ef04ee79e984b8e42ad9609756a517f4db9e0eea2f04c571511de1.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
C:\FilesK5\xoptiec.exe
C:\FilesK5\xoptiec.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\FilesK5\xoptiec.exe
C:\GalaxW7\dobdevloc.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\GalaxW7\dobdevloc.exe