Analysis Overview
SHA256
9a99a5476a048f1f58ae2722f2d48f13750de9bd3dd515b395cdc66f1deced02
Threat Level: Shows suspicious behavior
The file 9a99a5476a048f1f58ae2722f2d48f13750de9bd3dd515b395cdc66f1deced02.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Drops startup file
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 15:15
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 15:15
Reported
2024-11-13 15:17
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | C:\Users\Admin\AppData\Local\Temp\9a99a5476a048f1f58ae2722f2d48f13750de9bd3dd515b395cdc66f1deced02.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| N/A | N/A | C:\UserDotVH\xoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9a99a5476a048f1f58ae2722f2d48f13750de9bd3dd515b395cdc66f1deced02.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9a99a5476a048f1f58ae2722f2d48f13750de9bd3dd515b395cdc66f1deced02.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotVH\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\9a99a5476a048f1f58ae2722f2d48f13750de9bd3dd515b395cdc66f1deced02.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBB3\\optixloc.exe" | C:\Users\Admin\AppData\Local\Temp\9a99a5476a048f1f58ae2722f2d48f13750de9bd3dd515b395cdc66f1deced02.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotVH\xoptiec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9a99a5476a048f1f58ae2722f2d48f13750de9bd3dd515b395cdc66f1deced02.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\9a99a5476a048f1f58ae2722f2d48f13750de9bd3dd515b395cdc66f1deced02.exe | "C:\Users\Admin\AppData\Local\Temp\9a99a5476a048f1f58ae2722f2d48f13750de9bd3dd515b395cdc66f1deced02.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe" |
| C:\UserDotVH\xoptiec.exe | C:\UserDotVH\xoptiec.exe |
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\UserDotVH\xoptiec.exe
C:\KaVBB3\optixloc.exe
C:\KaVBB3\optixloc.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 15:15
Reported
2024-11-13 15:17
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | C:\Users\Admin\AppData\Local\Temp\9a99a5476a048f1f58ae2722f2d48f13750de9bd3dd515b395cdc66f1deced02.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| N/A | N/A | C:\AdobeVP\abodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeVP\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\9a99a5476a048f1f58ae2722f2d48f13750de9bd3dd515b395cdc66f1deced02.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxTS\\optidevloc.exe" | C:\Users\Admin\AppData\Local\Temp\9a99a5476a048f1f58ae2722f2d48f13750de9bd3dd515b395cdc66f1deced02.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9a99a5476a048f1f58ae2722f2d48f13750de9bd3dd515b395cdc66f1deced02.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeVP\abodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\9a99a5476a048f1f58ae2722f2d48f13750de9bd3dd515b395cdc66f1deced02.exe | "C:\Users\Admin\AppData\Local\Temp\9a99a5476a048f1f58ae2722f2d48f13750de9bd3dd515b395cdc66f1deced02.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe" |
| C:\AdobeVP\abodec.exe | C:\AdobeVP\abodec.exe |
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\AdobeVP\abodec.exe
C:\GalaxTS\optidevloc.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\GalaxTS\optidevloc.exe