Analysis Overview
SHA256
d857930fe114370e37e0ee63121bf67d862ff9dc02d260d29fd608e6bc22a8fe
Threat Level: Shows suspicious behavior
The file d857930fe114370e37e0ee63121bf67d862ff9dc02d260d29fd608e6bc22a8feN.exe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 15:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 15:01
Reported
2024-11-13 15:03
Platform
win7-20240903-en
Max time kernel
120s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | C:\Users\Admin\AppData\Local\Temp\d857930fe114370e37e0ee63121bf67d862ff9dc02d260d29fd608e6bc22a8feN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| N/A | N/A | C:\UserDot6S\devoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d857930fe114370e37e0ee63121bf67d862ff9dc02d260d29fd608e6bc22a8feN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d857930fe114370e37e0ee63121bf67d862ff9dc02d260d29fd608e6bc22a8feN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot6S\\devoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\d857930fe114370e37e0ee63121bf67d862ff9dc02d260d29fd608e6bc22a8feN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB1E\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\d857930fe114370e37e0ee63121bf67d862ff9dc02d260d29fd608e6bc22a8feN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDot6S\devoptiec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d857930fe114370e37e0ee63121bf67d862ff9dc02d260d29fd608e6bc22a8feN.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d857930fe114370e37e0ee63121bf67d862ff9dc02d260d29fd608e6bc22a8feN.exe
"C:\Users\Admin\AppData\Local\Temp\d857930fe114370e37e0ee63121bf67d862ff9dc02d260d29fd608e6bc22a8feN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
C:\UserDot6S\devoptiec.exe
C:\UserDot6S\devoptiec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\UserDot6S\devoptiec.exe
C:\KaVB1E\bodaloc.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 15:01
Reported
2024-11-13 15:03
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | C:\Users\Admin\AppData\Local\Temp\d857930fe114370e37e0ee63121bf67d862ff9dc02d260d29fd608e6bc22a8feN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| N/A | N/A | C:\FilesKO\xoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesKO\\xoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\d857930fe114370e37e0ee63121bf67d862ff9dc02d260d29fd608e6bc22a8feN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBMQ\\optidevec.exe" | C:\Users\Admin\AppData\Local\Temp\d857930fe114370e37e0ee63121bf67d862ff9dc02d260d29fd608e6bc22a8feN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d857930fe114370e37e0ee63121bf67d862ff9dc02d260d29fd608e6bc22a8feN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesKO\xoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d857930fe114370e37e0ee63121bf67d862ff9dc02d260d29fd608e6bc22a8feN.exe
"C:\Users\Admin\AppData\Local\Temp\d857930fe114370e37e0ee63121bf67d862ff9dc02d260d29fd608e6bc22a8feN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
C:\FilesKO\xoptisys.exe
C:\FilesKO\xoptisys.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\FilesKO\xoptisys.exe
C:\KaVBMQ\optidevec.exe