Analysis Overview
SHA256
1e183cdc3c644dbcfd35676548a831265eb736bd86914f72d023136db8eab2f8
Threat Level: Shows suspicious behavior
The file 1e183cdc3c644dbcfd35676548a831265eb736bd86914f72d023136db8eab2f8.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 14:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 14:58
Reported
2024-11-13 15:00
Platform
win7-20240903-en
Max time kernel
120s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | C:\Users\Admin\AppData\Local\Temp\1e183cdc3c644dbcfd35676548a831265eb736bd86914f72d023136db8eab2f8.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| N/A | N/A | C:\SysDrvGP\xoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1e183cdc3c644dbcfd35676548a831265eb736bd86914f72d023136db8eab2f8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1e183cdc3c644dbcfd35676548a831265eb736bd86914f72d023136db8eab2f8.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvGP\\xoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\1e183cdc3c644dbcfd35676548a831265eb736bd86914f72d023136db8eab2f8.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintI8\\optixec.exe" | C:\Users\Admin\AppData\Local\Temp\1e183cdc3c644dbcfd35676548a831265eb736bd86914f72d023136db8eab2f8.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1e183cdc3c644dbcfd35676548a831265eb736bd86914f72d023136db8eab2f8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvGP\xoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1e183cdc3c644dbcfd35676548a831265eb736bd86914f72d023136db8eab2f8.exe
"C:\Users\Admin\AppData\Local\Temp\1e183cdc3c644dbcfd35676548a831265eb736bd86914f72d023136db8eab2f8.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
C:\SysDrvGP\xoptisys.exe
C:\SysDrvGP\xoptisys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\SysDrvGP\xoptisys.exe
C:\MintI8\optixec.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 14:58
Reported
2024-11-13 15:00
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
99s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | C:\Users\Admin\AppData\Local\Temp\1e183cdc3c644dbcfd35676548a831265eb736bd86914f72d023136db8eab2f8.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| N/A | N/A | C:\SysDrv19\xoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv19\\xoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\1e183cdc3c644dbcfd35676548a831265eb736bd86914f72d023136db8eab2f8.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZR7\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\1e183cdc3c644dbcfd35676548a831265eb736bd86914f72d023136db8eab2f8.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1e183cdc3c644dbcfd35676548a831265eb736bd86914f72d023136db8eab2f8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrv19\xoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1e183cdc3c644dbcfd35676548a831265eb736bd86914f72d023136db8eab2f8.exe
"C:\Users\Admin\AppData\Local\Temp\1e183cdc3c644dbcfd35676548a831265eb736bd86914f72d023136db8eab2f8.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
C:\SysDrv19\xoptisys.exe
C:\SysDrv19\xoptisys.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\SysDrv19\xoptisys.exe
C:\LabZR7\bodaloc.exe