Analysis Overview
SHA256
c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55
Threat Level: Shows suspicious behavior
The file c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 15:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 15:59
Reported
2024-11-13 16:01
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\IntelprocG4\devbodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocG4\\devbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidNE\\boddevsys.exe" | C:\Users\Admin\AppData\Local\Temp\c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocG4\devbodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe
"C:\Users\Admin\AppData\Local\Temp\c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
C:\IntelprocG4\devbodsys.exe
C:\IntelprocG4\devbodsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
| Hash | Value |
|---|---|
| MD5 | 917aaa8d2ee2247c28a1287c0baa5c58 |
| SHA1 | 43815268f379e30cbb770e8acc51f9764d84894d |
| SHA256 | 2e3e285b32686598f92e030d8e55378a41e03d5ebb19d746cdd713ae64ddafd7 |
| SHA512 | d488be7733e0b999df9d2cadfca8acd065b3182a00628c618637ddeb08426a69744bff98e126c98b3f169474a6d744f8648a70875e724471b0f0a05613ac0dce |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 9357d004a16a2ac5c55b3f6455a19162 |
| SHA1 | adcaa8d1c41c9db2e8f61042f3c4b4b7d83f639b |
| SHA256 | cb65afeeee04885fdba8fd8e7749a49f797f84b8a30007d41c00defd99ff66c4 |
| SHA512 | 2ea48fc49a4dbd2953e23294014ff895b1b068752e48ab23e3cc00f8b82e72cc551f7b8c76d84128eba038fe3a87b9b5f5a1c49c99a867a96507dad2668cc285 |
C:\IntelprocG4\devbodsys.exe
| Hash | Value |
|---|---|
| MD5 | 7cb60054bf77a0faf3e02689b03e6b9f |
| SHA1 | b4536b626578a5923df2923d187b7ba1d5eda377 |
| SHA256 | 2ed3bd06c619269c52f387b7744507bf1cf70c571b2d941e690eac6f6e4d09a6 |
| SHA512 | 1ad14c396df3f78f76c1c3b46786879c4b5a189a9c32fe16f2f479c4190b6fa6c41a3a302f0c4cd0ed6aff63a676744b20b09769cefcda5f820d8aacc708c2fb |
C:\VidNE\boddevsys.exe
| Hash | Value |
|---|---|
| MD5 | 46dac6d63b6dcac0378582308172c3e3 |
| SHA1 | 640c3125ed550c63e00faea36b0803f9e9566f2f |
| SHA256 | de278a982fcab9dc32d417fc3c52bc9f8f319ccc8fb6d1f7f8eea74fe5c652c8 |
| SHA512 | ea31a8ad9227ff937f1215d6fc271c7e966c5e32cf1da85ce7dd54e5a5cf8d6287fbb133d0e050837376a02a5572d41bf91948194f60069d8079c3dfa5162669 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | f89a81c78e51b1be641eb5b1027c438a |
| SHA1 | af53ce82d7a04ae20843c3def27892595c50aa9e |
| SHA256 | 01383279fb2c857f9243ec68782c1aa52f4d8276c7f6405b7700637e66ee742a |
| SHA512 | a91374530404111f2823fa49a0b00c69a23ae42522d288156ab1ecb8aee8d9f9d9310a06e8b10c8d78186a0ba94ca69393d533ba4cff5da049fbe55e291cf559 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 15:59
Reported
2024-11-13 16:01
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
94s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | C:\Users\Admin\AppData\Local\Temp\c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| N/A | N/A | C:\SysDrv92\xoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv92\\xoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidAH\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrv92\xoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe
"C:\Users\Admin\AppData\Local\Temp\c600961f93cf3e340f0d09d725c0b5f707c0b6d7332581dbd7b0eb041fde1f55.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
C:\SysDrv92\xoptiloc.exe
C:\SysDrv92\xoptiloc.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
| Hash | Value |
|---|---|
| MD5 | 02fb981625d948f2e74283b7e7ba2da2 |
| SHA1 | 6cf6bc1a2bd7d92472516cd03781d07f0e6f2e5e |
| SHA256 | dc18435782586f5566a58ca3cb648837148488f3399c648a97caafcba389560b |
| SHA512 | a3550013aa290426dc87fd03b5fb729154b53aaee9a66b8f85081bb983c48219a1937f6f1a98e43067ef1d8cb25a2c0a886e4b14f95e8a80fa3d456dfada0e95 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 31286424b4ecfbb182ba9e0c43da1142 |
| SHA1 | bb6995ced19e07205cf462e6b96ddcd3a2d2c617 |
| SHA256 | 3f83e721d01ab7e914987d2e02eb2133e519757fea0cd49fe05b877b5b724db5 |
| SHA512 | 935d1f08027ae31f334882e63cb69fc8d705d75024e21335c4b88737dc5b4003c260b50f976ad669cf2948541ee74cd013ce49b33bfc900cba6597129bc6b5cd |
C:\SysDrv92\xoptiloc.exe
| Hash | Value |
|---|---|
| MD5 | efe47d46e92950e1182864074efcb04f |
| SHA1 | 80c0aa6afe5c374040d48870a10db601ed9ce01a |
| SHA256 | a179fd1367c0b1922d6cee252bc0881866737d249a3fc2541df0d12ae20b1b9f |
| SHA512 | a5151261599913874d6ab2e1c5060219f9caf850eea4fdf46601a99c7b5e1938ab861630794730ffb72bd4aacf18146a3739f75277557ea56b174d11dd6e5ae8 |
C:\VidAH\dobdevloc.exe
| Hash | Value |
|---|---|
| MD5 | db5456e97221c77f835fbfee9b37bfc0 |
| SHA1 | fc378c0892aae8b3ccadd6726c2f3e02e28c4de1 |
| SHA256 | 8e84377cee6995a871692b8e0c362aa5985329d824abab1c9322447f93909bd4 |
| SHA512 | b862e39c302680f8280d9075da7dcec461776dec6f4d39f2db557ae87f6e577dbdb4c0b637e4174f96bcab0771ae54e6d66d960aa9f9abebae22385c4d393196 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | bb60c3bdf0fe3469e51590ddae8a4b0a |
| SHA1 | c92fac64a14b51bef1d913fb7227efa271ee9286 |
| SHA256 | 91a4a219e9b2ff162c8faa405325004670e1c12dcfe554aad76f0ab185ba9464 |
| SHA512 | c0247a57006aea24be3e8bb66e200518e7bf4112b630a892f1d2fd7005ff6c6f683748d3ae080b9b7ccf7620a98495bab72cd51a3c46a2dc98f591b47d873a22 |