Analysis Overview
SHA256
5818fc8c0b422f34d43e66b1fb386c302d889296d5936c54006c2be14de85d91
Threat Level: Shows suspicious behavior
The file 5818fc8c0b422f34d43e66b1fb386c302d889296d5936c54006c2be14de85d91.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 15:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 15:19
Reported
2024-11-13 15:22
Platform
win7-20240903-en
Max time kernel
120s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\5818fc8c0b422f34d43e66b1fb386c302d889296d5936c54006c2be14de85d91.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\FilesFI\adobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5818fc8c0b422f34d43e66b1fb386c302d889296d5936c54006c2be14de85d91.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5818fc8c0b422f34d43e66b1fb386c302d889296d5936c54006c2be14de85d91.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesFI\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\5818fc8c0b422f34d43e66b1fb386c302d889296d5936c54006c2be14de85d91.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidZL\\dobaec.exe" | C:\Users\Admin\AppData\Local\Temp\5818fc8c0b422f34d43e66b1fb386c302d889296d5936c54006c2be14de85d91.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5818fc8c0b422f34d43e66b1fb386c302d889296d5936c54006c2be14de85d91.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesFI\adobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5818fc8c0b422f34d43e66b1fb386c302d889296d5936c54006c2be14de85d91.exe
"C:\Users\Admin\AppData\Local\Temp\5818fc8c0b422f34d43e66b1fb386c302d889296d5936c54006c2be14de85d91.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
C:\FilesFI\adobsys.exe
C:\FilesFI\adobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
| MD5 | dd160e5a8ef0aebd63485b763c721c2a |
| SHA1 | 9be97f0a42d1f2c62100ec3879c1b2c59773e252 |
| SHA256 | d4fd15541037d29aa32e0cf44160cea148afca08efcccf6bb8d596767df46322 |
| SHA512 | 355bca43804e2e528d1a8c1514ea93315414b4b32bed5d8904fa33b7912613cbbcdd95a6cc9a77a1e248d61550689aa3d78e8e9d854b9cff8007461bb6fd39e4 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | b68c07106aabbc50afb1418529843508 |
| SHA1 | a02088b092fe561c8cb4c1e74956da7577d1962a |
| SHA256 | b36b2e2f020d174ce9b1ec9e0043e93b89a443394f9cf530bd5a14bc639aa9ee |
| SHA512 | 360468b8157f338c650d4a4986190d4d9136256dbc2cfbd24f6c20e3a15074016007e198f6baae441006dcef71b64d814b394ca5d44996fad5c234b3f173b602 |
C:\FilesFI\adobsys.exe
| MD5 | 9262cab29eba6c8ec58cf55dd510774f |
| SHA1 | 9c109088d1dc40745dede1654950cf3c14a07d0e |
| SHA256 | e30f45b4f1ee5afde05ab748a8efaf1830710f480600bd9792e3a66ea5f9f945 |
| SHA512 | 2241d5680489d6b0281a7b46d1c23f8106426f9078273c98fc99c381f0e3e738acc7e4684387d72ceb40a071fa85ba9a8df3e8edc6bb55c25a029dbebf437004 |
C:\VidZL\dobaec.exe
| MD5 | 74a79615a20fe723b400c0417b32530e |
| SHA1 | d15f1f57d6e9ee9716a9c9737ba4942b9af68428 |
| SHA256 | 958a4a91a093ad06f891d7698de1dabc1de320875d285d064db6085cf513d70f |
| SHA512 | a7899c3e966eb598f5ac0fa6c1576df0fdf4e70762a6bcfe9f915f8d4adf3bd5f437e2c91753a3bc0e20c3835d79c7d8b0e2cf8e16ea8501810a66b152bdcf07 |
\FilesFI\adobsys.exe
| MD5 | fd764139a9a843b45e6bf06dac8dafc5 |
| SHA1 | 618aaba214378c569911933ad96381e5525d8c9b |
| SHA256 | f2c1db4eb6164dcf724515b71172b6bcb110f9e382257c12421a2add331c462d |
| SHA512 | f624d1b840ef9e4d9061193ab1f7e7a532a3e006ea93e923de11dcb646ed40aca406a6a15d36699742a76fb328cd23164f380ab02570264ac0a89ad2f5afac63 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 55a4998b42f56fc4e7f1aed549763f3b |
| SHA1 | cb85c8d7018a0d985afb449274e787205d5e05cc |
| SHA256 | c844bdda81a82385bba46e68aa0fb60207b076d2b8ca40f10edf86af664145ae |
| SHA512 | d6dd316502892b9c3c3ccb364e794407b3eb29e386551c483710a491df2e79b06f98952967c81df3152a5d2430c9d20f0f4e64b923d83e6e521c39e3fadb0721 |
C:\VidZL\dobaec.exe
| MD5 | 901ac71f31d3a9ca006b13e7aacf6a64 |
| SHA1 | eca29bc8bece3f99e15f3214922074ca9ccd0ad3 |
| SHA256 | 50a0da751dca86e28f03ebadf86ec5c8f03fc5005bb4dbde224c06b223343738 |
| SHA512 | 35f2f0d21191ded2c4e5629302170e9c520cf9dbe55c9c48a467dfdaee55c0880a438b714b2c4688784ccdf7dc36acb2337863ac3dabe9e38eeafc3604eaf17b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 15:19
Reported
2024-11-13 15:22
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\5818fc8c0b422f34d43e66b1fb386c302d889296d5936c54006c2be14de85d91.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\Intelproc6Y\xoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc6Y\\xoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\5818fc8c0b422f34d43e66b1fb386c302d889296d5936c54006c2be14de85d91.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZQK\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\5818fc8c0b422f34d43e66b1fb386c302d889296d5936c54006c2be14de85d91.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5818fc8c0b422f34d43e66b1fb386c302d889296d5936c54006c2be14de85d91.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Intelproc6Y\xoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5818fc8c0b422f34d43e66b1fb386c302d889296d5936c54006c2be14de85d91.exe
"C:\Users\Admin\AppData\Local\Temp\5818fc8c0b422f34d43e66b1fb386c302d889296d5936c54006c2be14de85d91.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
C:\Intelproc6Y\xoptiloc.exe
C:\Intelproc6Y\xoptiloc.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
| MD5 | 822b70ba4f8d00611f917856093fc8e1 |
| SHA1 | 3fa12732b3a7c95dbf38d2f1fda4c44489d130c9 |
| SHA256 | a456ea7b3b3bb93f5b2d6eaf1e45b01700746a625fc8b741603af14a24a45220 |
| SHA512 | 0ed33791524b8c25800bb248a70c5e3344925e44aac01bce13ad800669cc52b3e68bf4a3876a7cfff01de194eb23ea11037084d23fdb46d867114bfd34a25280 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 9b9da5991f68ce879aab33c91e3ed676 |
| SHA1 | 290ed55f7b65ba5bdbc1d9c778d0e9062c0f2a34 |
| SHA256 | ab3bd087fec7551afef258c923f95f2db59ea9f9a39b5f713b1b2a3a2092eb4e |
| SHA512 | 32d233ef65043207b10d7cc89969c27ccd06faa8e3ef10963188bb7ba199c3848a6ee6e955b34e9a8ac728560070ebdd0404e7012287bf6c4bf693db1c03548d |
C:\Intelproc6Y\xoptiloc.exe
| MD5 | ce764fbd59deb9267f7807f5493d9a79 |
| SHA1 | 5d584c7fcc46b519e8f5364e44caf58ffc885d58 |
| SHA256 | 46dc60c70f2d09fedede04528926bbde2c10eda330aa5e6a09f32368375fb73a |
| SHA512 | 1b5b69ee18f95dd92a88d784afb7a193a52c2811d9347a4da421fc9f527a2424125c7a874a0d25fea6eb62fc90451fe81d2ba29c6c3e81667b04d999e2d98021 |
C:\LabZQK\bodxloc.exe
| MD5 | de2b231770ffb8b8beb226a05b22f575 |
| SHA1 | 193a3d3d5b89f4d7507d4be28ea94503219699e1 |
| SHA256 | 03b28771500d0b951bbac4e6b427b4387e75bf3d573edc8d8a131724f685b857 |
| SHA512 | bbb00cf1b261ee7cda8697168e40494ace6a50e2b8239313ae921bf3890ac9ceb21897f2aeea59667d3de6c8e90ef502c81d41030e458d1aea6c72f265c7b90a |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | be43caed81e77a04905770d1c9cb2d8c |
| SHA1 | 2b971fc541e031386ee289b143f5c962124dcc4c |
| SHA256 | b233dbac69bdeb9c747161490d22ce43d2c50d77fa21b1c625b3729ee8c23f31 |
| SHA512 | 944b45ae5bcfc76813eef8bd213dbedaca8f23a64a3747f6e59253abe4804fbaa38e860309156fa19a59f2d992abccf6115595e88f1b4b3d58f3c8ee76c6b983 |