Analysis Overview
SHA256
28faedb4c5126d80eef6db6722c8ff6c6232e8a37559d0f0c8438896bf63cc92
Threat Level: Shows suspicious behavior
The file 28faedb4c5126d80eef6db6722c8ff6c6232e8a37559d0f0c8438896bf63cc92N was classified as "Shows suspicious behavior".
Malicious Activity Summary
Drops startup file
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-13 15:16
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-13 15:16
Reported: 2024-11-13 15:18
Platform: win7-20241010-en
Max time kernel: 119s
Max time network: 120s
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | C:\Users\Admin\AppData\Local\Temp\28faedb4c5126d80eef6db6722c8ff6c6232e8a37559d0f0c8438896bf63cc92N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | N/A |
| N/A | N/A | C:\AdobeEV\xdobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\28faedb4c5126d80eef6db6722c8ff6c6232e8a37559d0f0c8438896bf63cc92N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\28faedb4c5126d80eef6db6722c8ff6c6232e8a37559d0f0c8438896bf63cc92N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeEV\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\28faedb4c5126d80eef6db6722c8ff6c6232e8a37559d0f0c8438896bf63cc92N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintV3\\bodxsys.exe" | C:\Users\Admin\AppData\Local\Temp\28faedb4c5126d80eef6db6722c8ff6c6232e8a37559d0f0c8438896bf63cc92N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\28faedb4c5126d80eef6db6722c8ff6c6232e8a37559d0f0c8438896bf63cc92N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeEV\xdobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\28faedb4c5126d80eef6db6722c8ff6c6232e8a37559d0f0c8438896bf63cc92N.exe | "C:\Users\Admin\AppData\Local\Temp\28faedb4c5126d80eef6db6722c8ff6c6232e8a37559d0f0c8438896bf63cc92N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe" |
| C:\AdobeEV\xdobec.exe | C:\AdobeEV\xdobec.exe |
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\AdobeEV\xdobec.exe
C:\MintV3\bodxsys.exe
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-13 15:16
Reported: 2024-11-13 15:18
Platform: win10v2004-20241007-en
Max time kernel: 120s
Max time network: 95s
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | C:\Users\Admin\AppData\Local\Temp\28faedb4c5126d80eef6db6722c8ff6c6232e8a37559d0f0c8438896bf63cc92N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | N/A |
| N/A | N/A | C:\Adobe96\aoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe96\\aoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\28faedb4c5126d80eef6db6722c8ff6c6232e8a37559d0f0c8438896bf63cc92N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax23\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\28faedb4c5126d80eef6db6722c8ff6c6232e8a37559d0f0c8438896bf63cc92N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\28faedb4c5126d80eef6db6722c8ff6c6232e8a37559d0f0c8438896bf63cc92N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Adobe96\aoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\28faedb4c5126d80eef6db6722c8ff6c6232e8a37559d0f0c8438896bf63cc92N.exe | "C:\Users\Admin\AppData\Local\Temp\28faedb4c5126d80eef6db6722c8ff6c6232e8a37559d0f0c8438896bf63cc92N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe" |
| C:\Adobe96\aoptisys.exe | C:\Adobe96\aoptisys.exe |
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\Adobe96\aoptisys.exe
C:\Galax23\optidevsys.exe