Analysis Overview
SHA256
df42d66c6b94fc935bfe1055bdd75828db2cfd02c824fa04168b4ddb39b949c3
Threat Level: Shows suspicious behavior
The file df42d66c6b94fc935bfe1055bdd75828db2cfd02c824fa04168b4ddb39b949c3N.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 15:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 15:30
Reported
2024-11-13 15:32
Platform
win7-20240903-en
Max time kernel
120s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | C:\Users\Admin\AppData\Local\Temp\df42d66c6b94fc935bfe1055bdd75828db2cfd02c824fa04168b4ddb39b949c3N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| N/A | N/A | C:\FilesVF\xdobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\df42d66c6b94fc935bfe1055bdd75828db2cfd02c824fa04168b4ddb39b949c3N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\df42d66c6b94fc935bfe1055bdd75828db2cfd02c824fa04168b4ddb39b949c3N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesVF\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\df42d66c6b94fc935bfe1055bdd75828db2cfd02c824fa04168b4ddb39b949c3N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZN2\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\df42d66c6b94fc935bfe1055bdd75828db2cfd02c824fa04168b4ddb39b949c3N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\df42d66c6b94fc935bfe1055bdd75828db2cfd02c824fa04168b4ddb39b949c3N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesVF\xdobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\df42d66c6b94fc935bfe1055bdd75828db2cfd02c824fa04168b4ddb39b949c3N.exe
"C:\Users\Admin\AppData\Local\Temp\df42d66c6b94fc935bfe1055bdd75828db2cfd02c824fa04168b4ddb39b949c3N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
C:\FilesVF\xdobec.exe
C:\FilesVF\xdobec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
| MD5 | b767e3ee6f1aa9d524391efa111c1f69 |
| SHA1 | 69ec8c4ba31492ebd9346581493ea53729afbbea |
| SHA256 | 8917f3b515ada32fec8011dc10680be7ba8ecb58fbb80a0e47077075ed1d9ebf |
| SHA512 | 4931e170ca046c7d8a51cc5b0b3120f07e3c43ebd9900e4e25651a90cdfb052122ff3d412f822a962f5fd6bd8ced90c86d248db5f4314bd1fdc2250d2c6fda27 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 167cadf391d6fd911d0723629fc4f940 |
| SHA1 | c6512bb155b714680f5a714797a3bd349dd388e4 |
| SHA256 | ac6a39510a80ec227f27dc7adc58ac084e6c462ad6aa65624a1f17de7bea4a84 |
| SHA512 | 4ad8b81874760e51550a7da626c917136020faa271eaa3811e1ba844e13a730e79ced7e80cbb95ab18358d421ea94c6c538605bdbe33b36c0350dc109ef9f22b |
C:\FilesVF\xdobec.exe
| MD5 | 09022c7bfc02109103ef04397fde9e05 |
| SHA1 | 1ecefba1e21be10d66975ab1ec1d31d315382585 |
| SHA256 | 2029412a342adf5afea2cd98d591b0c24cbf9216c18922cef44d0e858139c191 |
| SHA512 | df769d8fccc72da8ff91a7dd1fbbd2bd0b8f98adc2acfefbf419d38e87f931bae1489716b69ed0438ef3e1055f3599a1e1b90b2c4752a94a71112bba7dea5bb3 |
C:\LabZN2\optidevsys.exe
| MD5 | 13b5d8144427f39724c3ae320d7a5bd6 |
| SHA1 | 9eb8df15d4ded4586051a02c0da0c0a43dfadb63 |
| SHA256 | 553fb79b09834734dd90c0bb2d3d71e0153c313f86905e9df14372964db7d7ae |
| SHA512 | 6ee3055a42eabc50824652ea65d0d86133fbb1e10a277b7e1d604477daebd7786eb59bb9d6280e04882c80d948f6bf40b3a169d4f2cd03e37f5255d2fed9c962 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | a59c780af6c17a6e812d36a27e4e2080 |
| SHA1 | c21e2c38f2a0e5162b43b4a029ee77eba22c88e5 |
| SHA256 | a76e5b1d737d71342dc1efd1b70996df06f12ffde144c87d88191d76ed3af215 |
| SHA512 | 6bc98707ed3539eba3f5b1e23c9ac4cdf8a816479a11b56e9b6312b0325528245f8e78c47c26d7712bccfdee73481dfe56a7f3130108d1da2cb0b9ee119858b7 |
C:\LabZN2\optidevsys.exe
| MD5 | 214b700e6f40b647dee04a7b06a89752 |
| SHA1 | d670bff37cf73c781d058658b5900fb2e1129a19 |
| SHA256 | 22ae732fbe3e2d4e85dbaa2220105533d9b80cb777ef7537f8d551b76bebb941 |
| SHA512 | c341d7fe7545b3aac68109c47ab0848d151f9d2d1880d37de6a919b83d636bd812aa575819c8ea69005ca35d970d7d80431234aa9a3d6a54612ea7c4c4e3f3b9 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 15:30
Reported
2024-11-13 15:32
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | C:\Users\Admin\AppData\Local\Temp\df42d66c6b94fc935bfe1055bdd75828db2cfd02c824fa04168b4ddb39b949c3N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| N/A | N/A | C:\IntelprocGO\xoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax6K\\optialoc.exe" | C:\Users\Admin\AppData\Local\Temp\df42d66c6b94fc935bfe1055bdd75828db2cfd02c824fa04168b4ddb39b949c3N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocGO\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\df42d66c6b94fc935bfe1055bdd75828db2cfd02c824fa04168b4ddb39b949c3N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\df42d66c6b94fc935bfe1055bdd75828db2cfd02c824fa04168b4ddb39b949c3N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocGO\xoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\df42d66c6b94fc935bfe1055bdd75828db2cfd02c824fa04168b4ddb39b949c3N.exe
"C:\Users\Admin\AppData\Local\Temp\df42d66c6b94fc935bfe1055bdd75828db2cfd02c824fa04168b4ddb39b949c3N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
C:\IntelprocGO\xoptiec.exe
C:\IntelprocGO\xoptiec.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
| MD5 | 2a96b1a75ea2c7098ad4f5e8480f29db |
| SHA1 | 9013e46dc577bbe8783741fa3e57399605a617f5 |
| SHA256 | a298c5c8e2892881edd58708bc4ef5567b569290686ac84fc4bb66737ffb6e78 |
| SHA512 | ecdfbbde545066bce48ae1f0cd033d4936e485a17532a8ece135d8d01b5296f80d4f88b4ef492faf765b999c1da5185a9e20509578a8fb7f463bc36f37494294 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | f5ba38e00e5afd973113fe58fce0be9c |
| SHA1 | 0777e70d5301434a3371b084065e5dea3b70a8f8 |
| SHA256 | ff5c0ee33667105695593bc73ec04c4494a0fe0055eff9670398f6208be3fd5d |
| SHA512 | 29a5e347122a9e13b143dcfb7862ed77550543bc41daf95c0eecb1a25dbbeac02d488d1a04439a65c9495bc511f8f098ecc9ed70f54dc4229e3c1b1d7196da29 |
C:\IntelprocGO\xoptiec.exe
| MD5 | 310a477f2ab4e83f82629b0504cb89e6 |
| SHA1 | b08d8033dcb5bbbfbdea50d4ad3d97fdb1b9c7b1 |
| SHA256 | 67bfd01eacab889af37b70137601d6cf84d3ab1b92c7e83e3fe9de3aa9bec5fd |
| SHA512 | 0874e12192d75766807b6b49acec772c2544e1466c077650251b8b94bffabee50d67f9e308ef4e39e50f8c80b9f7f00ba61055f677d8d391dae2f39feb9c7a98 |
C:\IntelprocGO\xoptiec.exe
| MD5 | e08e8951859d178fe57eeed4537e44b1 |
| SHA1 | 56ae9d424bb1329c023334895bb1d0611bd2981f |
| SHA256 | 0b39502f39833684d6af41a21447778a03b051cb76fb8635dc005c3aa9ad748a |
| SHA512 | 5d7ec9b59f4d8ac82cc35d2fa683dc1571bbf9a1fb35b2adfa36ba180be446f65d7029dc1dd5c16b0a2cf82844e95581fc311126634e79be055b4eb8fc3731ee |
C:\Galax6K\optialoc.exe
| MD5 | 108782d842a4db88af5a5b7393d5f3ad |
| SHA1 | 0933b1e88bdfcfa4ec6d1d21277f86627c712032 |
| SHA256 | 341a903b1f2e99f1a4ffa8b785a1ac71afad7331cbd4761b0ea31cd934249699 |
| SHA512 | d13053ef241db3c2bdd0d672aef3382a1519246884930e6f506b0806ec07d27d1f5e13485ceda89396b0e7fa402e991f7811d0c61327c2ae00ac4825332f756b |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 80012ad533048c56495d602a9be8ce1f |
| SHA1 | a38e78bf122fcdfaeb6d04e979c0aa3811ae6cd7 |
| SHA256 | 6ede114951f7f4a4194e3c8f65cecd90a57fb7408fca2c1caf8304eadbd565bb |
| SHA512 | 922a3be9e09698d2e21f9c1b426b48c6c8ef57070347b340c4c7ad17325c535c92fa9f8062cb7aeac0bdfe84e557cd4d369202a5d7c65018bd58a2d595ba542c |
C:\Galax6K\optialoc.exe
| MD5 | c4257eebf0c8705b9b4ea0ab5ad2aefa |
| SHA1 | a275520d44e215b9e6cf750b61087b1e1088a86e |
| SHA256 | 9f075b97ece907085e3beab38b830fe74ad0fb2caaa98fd8a159fbfa58091bab |
| SHA512 | 51ecd0a13266147ff263d4c6dcd9e6198f8a1cef9aa8156381bf081a6eaa34f4ce5a8f82837128a4a64984c19b765f7cb3cba318ce07c47767ae180437988f9e |