Analysis Overview
SHA256
d8bed679922f11dd8e279f27f5e8c2204e60bb40cd59bc5dda09a136660c77a7
Threat Level: Shows suspicious behavior
The file d8bed679922f11dd8e279f27f5e8c2204e60bb40cd59bc5dda09a136660c77a7.exe was classified as: Shows suspicious behavior. No malware family is named; the verdict rests on the behavior listed below. Both detonations show the same chain: the sample copies an executable into the per-user Startup folder and executes it, then registers a Run value and a RunOnce value, both named Parametr, that point at newly written executables in run-specific top-level directories (Adobe9M and VidAU on Windows 7, SysDrvRX and KaVBT0 on Windows 10). It also writes a file named 253086396416_<OS version>_<username>.ini to the profile root (6.1 on Windows 7, 10.0 on Windows 10). The constant value name and the .ini naming scheme are therefore more stable hunting indicators than the directory names or the file hashes, which change from run to run.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Drops startup file
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 14:26
Signatures
Unsigned PE
No indicator, process or target is recorded for this signature; it states only that the submitted PE carries no digital signature.
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 14:26
Reported
2024-11-13 14:28
Platform
win7-20240903-en
Max time kernel
119s
Max time network
118s
Command Line: (none recorded)
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\d8bed679922f11dd8e279f27f5e8c2204e60bb40cd59bc5dda09a136660c77a7.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\Adobe9M\xoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d8bed679922f11dd8e279f27f5e8c2204e60bb40cd59bc5dda09a136660c77a7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d8bed679922f11dd8e279f27f5e8c2204e60bb40cd59bc5dda09a136660c77a7.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe9M\\xoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\d8bed679922f11dd8e279f27f5e8c2204e60bb40cd59bc5dda09a136660c77a7.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidAU\\optixloc.exe" | C:\Users\Admin\AppData\Local\Temp\d8bed679922f11dd8e279f27f5e8c2204e60bb40cd59bc5dda09a136660c77a7.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d8bed679922f11dd8e279f27f5e8c2204e60bb40cd59bc5dda09a136660c77a7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Adobe9M\xoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
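The three signatures above (Drops startup file, Executes dropped EXE, Adds Run key) describe a single persistence chain. The following Python is an added detection example written for this page, not sandbox output or tooling from the report's producer. It runs the chain's indicators over a handful of constructed Sysmon-style events modelled on the tables above (the event ids 1, 11 and 13 and the field names are assumptions made for the example) and correlates each indicator back to the process that planted it, so that a lone Run value does not alert but the full chain does.

```python
"""Detect the Startup-folder / Run / RunOnce persistence chain from the report
in process telemetry. Added example; the events below are constructed to mirror
the report's tables and are not sandbox output."""
import json
import re
from collections import defaultdict

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\d8bed679922f11dd8e279f27f5e8c2204e60bb40cd59bc5dda09a136660c77a7.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
CURVER = r"HKU\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion"

# Constructed events. Field names and the Sysmon-style ids (1 = process create,
# 11 = file create, 13 = registry value set) are assumptions for this example.
SAMPLE_EVENTS = [
    {"id": 11, "image": DROPPER, "target": STARTUP + r"\sysaopti.exe"},
    {"id": 13, "image": DROPPER, "target": CURVER + r"\Run\Parametr",
     "details": r"C:\Adobe9M\xoptisys.exe"},
    {"id": 13, "image": DROPPER, "target": CURVER + r"\RunOnce\Parametr",
     "details": r"C:\VidAU\optixloc.exe"},
    {"id": 1, "image": STARTUP + r"\sysaopti.exe", "parent": DROPPER},
    {"id": 1, "image": r"C:\Adobe9M\xoptisys.exe", "parent": DROPPER},
    # Benign noise that must not fire: an installer registering an updater under
    # Program Files, and Explorer writing a document.
    {"id": 13, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": CURVER + r"\Run\VendorUpdater",
     "details": r"C:\Program Files\Vendor\updater.exe"},
    {"id": 11, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\Admin\Documents\notes.txt"},
]

# An .exe written into the per-user Startup folder.
STARTUP_EXE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
# A value set under ...\CurrentVersion\Run or \RunOnce; the value name is captured
# because the report shows the same name (Parametr) in both detonations.
RUN_VALUE = re.compile(r"\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<name>[^\\]+)$", re.I)
# An .exe one folder below the drive root, outside the standard roots, e.g.
# C:\Adobe9M\xoptisys.exe. Quotes are tolerated because Run data is often quoted.
ODD_ROOT_EXE = re.compile(
    r'^"?[A-Z]:\\(?!Windows\\|Program Files|ProgramData\\|Users\\)[^\\]+\\[^\\]+\.exe"?$', re.I)


def tags_for(ev):
    """Return the persistence indicators a single event exhibits (possibly none)."""
    tags = []
    if ev["id"] == 11 and STARTUP_EXE.search(ev["target"]):
        tags.append("startup_drop")
    elif ev["id"] == 13:
        m = RUN_VALUE.search(ev["target"])
        if m and ODD_ROOT_EXE.match(ev.get("details", "")):
            tags.append(f"{m['key'].lower()}_odd_root:{m['name']}")
    elif ev["id"] == 1:
        if STARTUP_EXE.search(ev["image"]):
            tags.append("exec_from_startup")
        elif ODD_ROOT_EXE.match(ev["image"]):
            tags.append("exec_from_odd_root")
    return tags


def correlate(events):
    """Group indicators by the process that planted them. Process-create events
    are credited to the parent, since the dropper is what launched the copies."""
    by_actor = defaultdict(set)
    for ev in events:
        actor = ev.get("parent", ev["image"]) if ev["id"] == 1 else ev["image"]
        for tag in tags_for(ev):
            by_actor[actor].add(tag)
    return by_actor


def flag(events, min_indicators=2):
    """Actors with at least `min_indicators` distinct indicators. A lone Run value
    is too common to alert on; the chain in this report yields five."""
    return {actor: sorted(tags)
            for actor, tags in correlate(events).items() if len(tags) >= min_indicators}


if __name__ == "__main__":
    print(json.dumps(flag(SAMPLE_EVENTS), indent=2))
```

The exclusion list in ODD_ROOT_EXE is a starting point, not a complete model of where legitimate software lives; tune it against your own estate before relying on the threshold. The value name is carried in the tag so that Parametr, which both detonations share, can be pinned in a narrower rule without changing the code.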
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\d8bed679922f11dd8e279f27f5e8c2204e60bb40cd59bc5dda09a136660c77a7.exe | "C:\Users\Admin\AppData\Local\Temp\d8bed679922f11dd8e279f27f5e8c2204e60bb40cd59bc5dda09a136660c77a7.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe" |
| C:\Adobe9M\xoptisys.exe | C:\Adobe9M\xoptisys.exe |
Network
No network entries were recorded in this detonation.
Files
A path that appears twice below was written twice during the run with different content; both sets of hashes are kept.
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
| MD5 | 08a0754fbe31c01ba9e8900b48a1ffab |
| SHA1 | 375f5e71e9cf26bd6492bbe71f912ab3e0a080b5 |
| SHA256 | 7469988cba9576c19de8baa8a328c092ddbd32dfe2df293f95d0805d21288f1d |
| SHA512 | f39b7dedc1557df2f970b62f31ff2d562de2ae6788ef70ab14ed6fa876ea69c642e8cfc53676e90c712f880cc31b3b401e3a033acf6c3737c4aac1e8efac3ae9 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 66157526a94222c21bf9d54e813e2be4 |
| SHA1 | 141b8416b843de5d4337d02045e671a852736c43 |
| SHA256 | eb48c904cf660aad2d1e01f0be212683d4050013bd82dc3f4faaf6925d88b6e1 |
| SHA512 | d04a0edefbf9ce2616f7d0f5c8777af9b083b3de08fdf46a2c8467ea3e4961cbf81fe5375162d56211046af17eb0b0d3cf8415dedccc23efa7deef0a4f2148dc |
C:\Adobe9M\xoptisys.exe
| MD5 | a71f62f91dee0b10d2983dadec22fe2f |
| SHA1 | 2a559d435151e9c8d55a5ba61cab424c49904726 |
| SHA256 | b54c7c403703e70506b2576c97fed246b85f527279cf3789f7f2c47e9fe2cf4a |
| SHA512 | f2b0441666e00a07486e258f22e145fc2a3bec5228d68b718b2644c02dbae9ff0d4f090c7d701ed406e21dab9b19f547830ae5cecd36b310c139ffb13a491065 |
C:\VidAU\optixloc.exe
| MD5 | 7675d5e766ff1af6fdf917053dc2d040 |
| SHA1 | ee525305a5d6be4152d3675757018e55119509b2 |
| SHA256 | 9007da71386db1d40359eec6607dd83ace389c7e6cbc64457b33c3666a042f73 |
| SHA512 | e26e0d35eb08e0d9afae67b8d88e43a5a13e298f98dd8a8e68f7f05e55e413f8aaaf7f5f12473bb95248266dbd0001fa325337d9441c6b896768a9591bb0ad47 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | b8ef7f09a2f7060cfcec50f4f0083136 |
| SHA1 | 17f6647d6c08ca91ced72463768f0b26d1a09997 |
| SHA256 | 73765b568898b5f41dd393545e407a5fc29dff21c561ca6bb2df191f948620ba |
| SHA512 | 6dd117fd97d960c04c9fac0d3df2a982f9ea94020468ea77fe2ddbb2404f2ddc56b5def9cd8e0ea6b53833de02ee21002c3c165e0d6bef77c28c4e8219874a4e |
C:\VidAU\optixloc.exe
| MD5 | fe1acf9659b26548467177cd2bc04184 |
| SHA1 | afcb90e734bb8ebfeb4ee309064ae23bfdaf64f2 |
| SHA256 | 040241883bb9aa81679d9f9dc764667a4f84604251f128e19105fa02ca356967 |
| SHA512 | 8f1ae01a2c862cdfc4123e28b1bc40173d54690f92ae379921e9d75aa071968928441143c9f1b3965639ee39f9852dd0d49dc8ce9bbd06573bbe105d87d16ad0 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 14:26
Reported
2024-11-13 14:28
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
96s
Command Line: (none recorded)
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | C:\Users\Admin\AppData\Local\Temp\d8bed679922f11dd8e279f27f5e8c2204e60bb40cd59bc5dda09a136660c77a7.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| N/A | N/A | C:\SysDrvRX\xoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvRX\\xoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\d8bed679922f11dd8e279f27f5e8c2204e60bb40cd59bc5dda09a136660c77a7.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBT0\\dobxec.exe" | C:\Users\Admin\AppData\Local\Temp\d8bed679922f11dd8e279f27f5e8c2204e60bb40cd59bc5dda09a136660c77a7.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d8bed679922f11dd8e279f27f5e8c2204e60bb40cd59bc5dda09a136660c77a7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvRX\xoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\d8bed679922f11dd8e279f27f5e8c2204e60bb40cd59bc5dda09a136660c77a7.exe | "C:\Users\Admin\AppData\Local\Temp\d8bed679922f11dd8e279f27f5e8c2204e60bb40cd59bc5dda09a136660c77a7.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe" |
| C:\SysDrvRX\xoptiloc.exe | C:\SysDrvRX\xoptiloc.exe |
Network
All recorded entries are reverse-DNS (PTR) queries sent to 8.8.8.8. The table names no destination other than the resolver and has no process column, so nothing here ties network activity to the sample's processes.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
A path that appears twice below was written twice during the run with different content; both sets of hashes are kept.
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
| MD5 | 07bb3af3a534c170a24b78ac39cc27dd |
| SHA1 | c94bda7716a36684e558cf9660d6eef777a4380f |
| SHA256 | 8ff105ac598f77934212c08fd86e591571d0e33dc8fbbd055af3cdc070028940 |
| SHA512 | 8aa13949c57e5e87e42cc2c61732e70562d41e9197eb6968cebd4fbfdb48b057af8fb859e1408604aa6ca465c4102a6c109b5c5b3bda0cba9c1a3eed1d1f4768 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | da88213b5db821379367becc39e1c434 |
| SHA1 | 413f95027d6d439e1d142c9347bf5f73a5b1ddff |
| SHA256 | 6f4e786d9badef4705bab11936663676a9dde22d03c0435646dd6b41788363ec |
| SHA512 | 149d17e6dc908d1f272d3ea99676e176bb85c0b75f40206f7a16e0b83129fd684fa2bbf511e856f6313a440f51b1c9c44abb74aa63a8aea07e94252f3322b8cf |
C:\SysDrvRX\xoptiloc.exe
| MD5 | 6d05995b594833c3d2db00ee557b3fc8 |
| SHA1 | 303e05bf4740609141ef4ab95dbedc8aff4d9ceb |
| SHA256 | e7f7646af90a9ed9c977d6f68d9f34458cc9609a55e6eaed9dd63ed6958f8980 |
| SHA512 | cf82af51bccd02d64eee1d3dcd2a6aec462c5fb6f8bbfe9730f6d94c0083d841b088f3ade1b0880b029a3bf7370956bc73715758f1067516884d5d54c3cc8117 |
C:\SysDrvRX\xoptiloc.exe
| MD5 | 0332f88e8aed203222d82e0e5c618eb6 |
| SHA1 | ebc529cfdcfc5d484aad168a00effd82f1e07a1b |
| SHA256 | cc38033449755c724cd9d9d8184eea8fd9c04ca0d5cce1fd10680857196ae1e8 |
| SHA512 | 8f6f104c6a793a583620be86ded2e3c1c1fceb7aa587fb49be2dba32499bb10233ce2548975f9c5a8dfe5bc087d6c00f0c5271eead0f734f2c260a5748cdfd1e |
C:\KaVBT0\dobxec.exe
| MD5 | 29795b86841d07f07f9ee75c0887ad62 |
| SHA1 | 634243e5b88eab655e2ef45e32d322f9a914e655 |
| SHA256 | 6ae0bc40dffb333af0b2beed18e0d0905ce52a7b38b4fd1655e548ef90226fcc |
| SHA512 | efa13fd7844ce4af1d68bd05a6e6e29de0226cd01ac56f2ab4cf359fff043adf4414bcc8dcae6c009b2432edb9c4c86a75425527533ad3046a339232af24066a |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | f947a55f74751558cfd05b983fb2cc06 |
| SHA1 | 2415eca9a2119893caed9b982a16df7ccf837c58 |
| SHA256 | 37ef7cbca7d3fb54b109c63eb59dde23df6bea4252f64f3ff993a17b1ede8dad |
| SHA512 | 9b163bb7b3079daf469af17218db6337a81828f90334cc80cf20c3c864fd7f3b8111ce1dfe75f38e5251a0415aa57911d111bb835f0e33b2183943a22f100bc4 |
C:\KaVBT0\dobxec.exe
| MD5 | b8a2f55512b502a00e41600ce7a5c7d7 |
| SHA1 | bbc3c1b881139443af3e24ae64b83b60a3a66da1 |
| SHA256 | d288551e126c0a0f7aea16534ad96e1a2d878ae6c30a41167552401f004654c3 |
| SHA512 | 6ad37ac39a7a33da6a9625b8a444dd181910a074010a38245133f1f9de81a66ae43f074a4474eb90e637ce7eed6a5bf1f47b09afa51960ade015f7052ee32e15 |
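To check a host or a disk image for the artifacts listed in the Files tables of both detonations, the following Python is an added example (not tooling from the report or its producer) that sweeps a directory tree for the dropped executables' SHA-256 values and for the 253086396416_<OS version>_<username>.ini naming pattern. The .ini files are matched by name only, since their hashes differed even between the two writes within one run. The demo tree it builds in a temporary directory is constructed for the example, and the "MZ" stand-in is not the real dropped file, which is why its own hash is added to the lookup set for the demo.

```python
"""Sweep a directory tree for artifacts listed in this report: SHA-256 values of
the dropped executables and the per-user .ini naming pattern. Added example, not
tooling from the report; the demo tree is constructed in a temp directory."""
import hashlib
import re
import tempfile
from pathlib import Path

# SHA-256 values copied from the Files tables of both detonations (executables
# only; the .ini contents differed between the two writes in one run, so those
# are matched by name instead).
REPORT_SHA256 = {
    "d8bed679922f11dd8e279f27f5e8c2204e60bb40cd59bc5dda09a136660c77a7",  # submitted sample
    "7469988cba9576c19de8baa8a328c092ddbd32dfe2df293f95d0805d21288f1d",  # sysaopti.exe, win7
    "b54c7c403703e70506b2576c97fed246b85f527279cf3789f7f2c47e9fe2cf4a",  # xoptisys.exe, win7
    "9007da71386db1d40359eec6607dd83ace389c7e6cbc64457b33c3666a042f73",  # optixloc.exe, win7, first write
    "040241883bb9aa81679d9f9dc764667a4f84604251f128e19105fa02ca356967",  # optixloc.exe, win7, second write
    "8ff105ac598f77934212c08fd86e591571d0e33dc8fbbd055af3cdc070028940",  # ecxopti.exe, win10
    "e7f7646af90a9ed9c977d6f68d9f34458cc9609a55e6eaed9dd63ed6958f8980",  # xoptiloc.exe, win10, first write
    "cc38033449755c724cd9d9d8184eea8fd9c04ca0d5cce1fd10680857196ae1e8",  # xoptiloc.exe, win10, second write
    "6ae0bc40dffb333af0b2beed18e0d0905ce52a7b38b4fd1655e548ef90226fcc",  # dobxec.exe, win10, first write
    "d288551e126c0a0f7aea16534ad96e1a2d878ae6c30a41167552401f004654c3",  # dobxec.exe, win10, second write
}

# <constant>_<OS version>_<username>.ini as seen in the profile root:
# 253086396416_6.1_Admin.ini on Windows 7, 253086396416_10.0_Admin.ini on Windows 10.
INI_NAME = re.compile(r"^\d{6,}_\d+\.\d+_.+\.ini$", re.I)


def sha256_of(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large files are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, hashes=REPORT_SHA256):
    """Walk `root` and report files whose name fits the .ini pattern or whose
    SHA-256 is in `hashes`. Unreadable files are reported, not treated as clean."""
    findings = []
    for p in sorted(Path(root).rglob("*"), key=str):
        if not p.is_file():
            continue
        reasons = []
        if INI_NAME.match(p.name):
            reasons.append("ini_name_pattern")
        try:
            digest = sha256_of(p)
        except OSError:
            digest = None
            reasons.append("unreadable")
        if digest in hashes:
            reasons.append("sha256_match")
        if reasons:
            findings.append({"path": str(p), "sha256": digest, "reasons": reasons})
    return findings


def build_demo_tree():
    """Constructed layout for the example: one planted .ini, one stand-in for a
    dropped executable, one clean file. The stand-in is not the real file."""
    root = Path(tempfile.mkdtemp(prefix="sweep_demo_"))
    (root / "253086396416_6.1_Admin.ini").write_bytes(b"constructed ini content")
    (root / "Adobe9M").mkdir()
    planted = root / "Adobe9M" / "xoptisys.exe"
    planted.write_bytes(b"MZ constructed stand-in for a dropped executable")
    (root / "notes.txt").write_text("clean file")
    return root, planted


def run_demo():
    """Sweep the demo tree with the report's hashes plus the stand-in's own hash,
    because the constructed stand-in cannot hash to a real dropped file."""
    root, planted = build_demo_tree()
    return sweep(root, REPORT_SHA256 | {sha256_of(planted)})


if __name__ == "__main__":
    for finding in run_demo():
        print(finding["reasons"], finding["path"])
```

Hash matches from a single sandbox run are the weakest indicator here: the report already shows the same dropped path written twice with different hashes, so a sample rebuilt or repacked for another victim will not match. The name pattern of the .ini file, the Startup-folder copy and the Parametr value name are the indicators worth carrying into a wider sweep.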