Analysis Overview
SHA256
b285d1a1346f6c0ca385e13735c2abca5803df28f8575c537c319e7b129a43e9
Threat Level: Shows suspicious behavior
The file b285d1a1346f6c0ca385e13735c2abca5803df28f8575c537c319e7b129a43e9.exe was classified as "Shows suspicious behavior".
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 19:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 19:19
Reported
2024-11-13 19:21
Platform
win7-20240903-en
Max time kernel
119s
Max time network
18s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | C:\Users\Admin\AppData\Local\Temp\b285d1a1346f6c0ca385e13735c2abca5803df28f8575c537c319e7b129a43e9.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| N/A | N/A | C:\UserDot9H\devdobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b285d1a1346f6c0ca385e13735c2abca5803df28f8575c537c319e7b129a43e9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b285d1a1346f6c0ca385e13735c2abca5803df28f8575c537c319e7b129a43e9.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot9H\\devdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\b285d1a1346f6c0ca385e13735c2abca5803df28f8575c537c319e7b129a43e9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZHZ\\optixec.exe" | C:\Users\Admin\AppData\Local\Temp\b285d1a1346f6c0ca385e13735c2abca5803df28f8575c537c319e7b129a43e9.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b285d1a1346f6c0ca385e13735c2abca5803df28f8575c537c319e7b129a43e9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDot9H\devdobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b285d1a1346f6c0ca385e13735c2abca5803df28f8575c537c319e7b129a43e9.exe
"C:\Users\Admin\AppData\Local\Temp\b285d1a1346f6c0ca385e13735c2abca5803df28f8575c537c319e7b129a43e9.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
C:\UserDot9H\devdobloc.exe
C:\UserDot9H\devdobloc.exe
Network
Files
Note: C:\Users\Admin\253086396416_6.1_Admin.ini and C:\LabZHZ\optixec.exe are each listed twice below with different hashes, i.e. two different contents were captured at the same path during this run. Every captured version is listed.
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
| MD5 | 048f9547232116948524f3c17db5a06d |
| SHA1 | 3d474debdc066a3a8ed7f4c381b57284261f3e99 |
| SHA256 | 69abe2e4ecf9acc4efd06c665b1aa13c9b97cca49b06a3ac8ef108e29ec64224 |
| SHA512 | bba25549d0198b5404e656dbfe4e3a778374cc075ccf7127cf0118b2978f6b6e81af23b13e6e21665e0772558be5fe8002df2d3b7c6a282e69e9f96105de8fa1 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 0122ac9510d23517b45e0efb797813dd |
| SHA1 | b39bede8778ccddaa440d7fa65bb5dadeee5cc99 |
| SHA256 | 71d6f8405fb0341cf768109210ca5081211b41cb6dd2014afcbd02d84ff3fa9e |
| SHA512 | 6baeac8cddb20f913fba78897502f6c1cd15f0f77535a716e624814767b55001d591280e8736719de5be2d716344030232859949b6f7e3870a00d3a21509609f |
C:\UserDot9H\devdobloc.exe
| MD5 | 3dd148bcd03eec6cd5a39d99fd738701 |
| SHA1 | e62d7acb63d2bd591a6593a4c7f02debebffa06b |
| SHA256 | a38f11d87d14dc72e7498e1605bb55fc83214e998001e59148eb2fc454de19ef |
| SHA512 | 76f572624cbf16e1eeb2e21d7ad43cb770a64e414ab799df93180e896a10cf5e1f9e60f9f243595ef4b4f70ea75829a0fea265a72c811d7bfd2630cc8e12066c |
C:\LabZHZ\optixec.exe
| MD5 | 738d908e82796d7c212c3b2962298b45 |
| SHA1 | 3c00a62c79993fe10928712fcb8c26064263ed94 |
| SHA256 | 11a8c910200cf83f450d1f477f325bf177c24347e9f9ac6291fe56b498f880e5 |
| SHA512 | 8402324fad5d1a6f501d0efe30a6060855c191d6e08e3f0fb3f9a7d913cd4216a624a0a5e1bf4db6af7d9f7e62879f7dd1c88f0b91a54e9d42134eab4848342a |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 0bdbd6c04dc6743dadab7b1beb82d3e3 |
| SHA1 | 04f650b1367fdbadc58669ae7786f3b2cc657ac4 |
| SHA256 | 94601d7d99387e9f69a866e573d115030c5b535f822ec170ba5f75a57047f9ac |
| SHA512 | b30494452282b87218f2f4282e8eaf61e4ced36e79571ff393f53580e575e02c5ccb815e499647129adb482232ce166eea7471e6392aa8d787bcd335de363ffa |
C:\LabZHZ\optixec.exe
| MD5 | e5ff7a85229cda850ff022eac9f00e88 |
| SHA1 | 3a2a629194b39d59f7fbb03a6c672c222b354415 |
| SHA256 | 5c6ca3968000c30ec8b12ba6f98166ef5505d384835deb6687f751e52265d349 |
| SHA512 | 9dcdafb0c8ec3f48443d54c16242aa3e7607decd4e589d89bc6c31d6501fac4f2cc578300596be736f02ca3bae78ce79ba91e63fb33812d64e53b5825a0b7361 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 19:19
Reported
2024-11-13 19:22
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
97s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\b285d1a1346f6c0ca385e13735c2abca5803df28f8575c537c319e7b129a43e9.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\Files58\aoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files58\\aoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\b285d1a1346f6c0ca385e13735c2abca5803df28f8575c537c319e7b129a43e9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintBF\\optixloc.exe" | C:\Users\Admin\AppData\Local\Temp\b285d1a1346f6c0ca385e13735c2abca5803df28f8575c537c319e7b129a43e9.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b285d1a1346f6c0ca385e13735c2abca5803df28f8575c537c319e7b129a43e9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Files58\aoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
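Across the two detonations the dropped file names (locxopti.exe / locdevdob.exe, devdobloc.exe / aoptisys.exe, optixec.exe / optixloc.exe), the directories created directly under C:\ (UserDot9H, LabZHZ, Files58, MintBF) and the hashes of every dropped file all differ, while the structure is stable: a file written to the per-user Startup folder, a Run value and a RunOnce value both named "Parametr" pointing at an .exe in a freshly created root-level directory, and the user SID-rooted path under which they are set. A detection keyed on the hashes or exact paths from one run will miss the next; one keyed on that structure will not. The following is an added example, not code from the sandbox or from the sample's analysis: it runs that logic over event records constructed from the behavioral1 rows above plus one constructed benign control entry. The event dict layout and field names are assumptions standing in for whatever the telemetry source actually provides.

```python
import re

# Added example (not the sandbox's code): detection logic for the persistence
# pattern in the signature tables above. Event dicts and field names are
# assumptions standing in for whatever the telemetry source provides.

# Registry value path as the report prints it: \REGISTRY\USER\<SID>\...\Run\<name>
RUN_VALUE_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# File dropped into the per-user Startup folder
STARTUP_DIR_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$",
    re.IGNORECASE,
)
# Executable inside a directory that sits directly under the drive root,
# the C:\UserDot9H\devdobloc.exe / C:\Files58\aoptisys.exe shape seen in both runs
ROOT_DIR_EXE_RE = re.compile(r"^[a-z]:\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)
# Locations from which an autorun entry is normally legitimate
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def normalize_data(data):
    """Turn the report's rendering of a REG_SZ (quoted, backslashes doubled) into a plain path."""
    return data.strip().strip('"').replace("\\\\", "\\")


def run_value_path(sid, key, name):
    """Build a hive-rooted Run/RunOnce value path in the report's notation."""
    return "\\REGISTRY\\USER\\" + sid + "\\Software\\Microsoft\\Windows\\CurrentVersion\\" + key + "\\" + name


def evaluate(events):
    """Apply the checks to a list of event dicts and return one finding per hit."""
    findings = []
    for ev in events:
        if ev["type"] == "reg_set":
            m = RUN_VALUE_RE.search(ev["path"])
            if not m:
                continue
            target = normalize_data(ev["data"])
            if target.lower().startswith(TRUSTED_PREFIXES):
                continue
            findings.append({
                "rule": "autorun_untrusted_location",
                "process": ev["process"],
                "key": m.group("key"),
                "value_name": m.group("name"),
                "target": target,
                "root_dir_exe": bool(ROOT_DIR_EXE_RE.match(target)),
            })
        elif ev["type"] == "file_create" and STARTUP_DIR_RE.search(ev["path"]):
            findings.append({"rule": "startup_folder_drop", "process": ev["process"], "target": ev["path"]})
    return findings


def correlate(findings):
    """Rules per process; a process that uses both mechanisms is tagged layered_persistence."""
    per_proc = {}
    for f in findings:
        per_proc.setdefault(f["process"], set()).add(f["rule"])
    for rules in per_proc.values():
        if {"autorun_untrusted_location", "startup_folder_drop"} <= rules:
            rules.add("layered_persistence")
    return per_proc


# Sample events constructed from the behavioral1 rows above, plus one constructed benign control entry.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b285d1a1346f6c0ca385e13735c2abca5803df28f8575c537c319e7b129a43e9.exe"
SID = "S-1-5-21-1846800975-3917212583-2893086201-1000"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
EVENTS = [
    {"type": "file_create", "process": SAMPLE, "path": STARTUP + r"\locxopti.exe"},
    {"type": "reg_set", "process": SAMPLE, "path": run_value_path(SID, "Run", "Parametr"),
     "data": r'"C:\\UserDot9H\\devdobloc.exe"'},
    {"type": "reg_set", "process": SAMPLE, "path": run_value_path(SID, "RunOnce", "Parametr"),
     "data": r'"C:\\LabZHZ\\optixec.exe"'},
    # Constructed benign control: an installer registering an updater under Program Files
    {"type": "reg_set", "process": r"C:\Program Files\Vendor\setup.exe",
     "path": run_value_path(SID, "Run", "VendorUpdate"),
     "data": r'"C:\\Program Files\\Vendor\\update.exe"'},
]

if __name__ == "__main__":
    for proc, rules in correlate(evaluate(EVENTS)).items():
        print(proc, sorted(rules))
```

Run against the behavioral2 rows the same three findings appear for the same reasons (the only differences are the SID, the upper-case SOFTWARE key name, which the regex ignores, and the randomized names), which is the point: the value name "Parametr" and the root-level-directory target are the parts worth alerting on. The Program Files exclusion is deliberately narrow; an autorun pointing into %APPDATA% or %TEMP% is still flagged, since that is where most commodity droppers put themselves.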
Processes
C:\Users\Admin\AppData\Local\Temp\b285d1a1346f6c0ca385e13735c2abca5803df28f8575c537c319e7b129a43e9.exe
"C:\Users\Admin\AppData\Local\Temp\b285d1a1346f6c0ca385e13735c2abca5803df28f8575c537c319e7b129a43e9.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
C:\Files58\aoptisys.exe
C:\Files58\aoptisys.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
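The behavioral1 (Windows 7) run recorded no network activity at all, and every row in this table is a reverse (in-addr.arpa, PTR) query sent to 8.8.8.8; no forward lookup of a hostname and no TCP or HTTP connection is listed, and the table attributes no row to a process. On its own it therefore does not identify a command-and-control endpoint. What it does give is a list of addresses to check against process-level telemetry and reputation data, once the PTR names are turned back into addresses. The following is an added example, not code from the sandbox: it decodes the names and separates resolver endpoints, PTR targets and any forward lookups. The row tuples are copied from the table above; the function and field names are this example's own.

```python
import ipaddress

# Added example (not the sandbox's code): decode the PTR query names from the
# Network table above back into the addresses they ask about.

SUFFIX = ".in-addr.arpa"


def ptr_name_to_ip(name):
    """Reverse an IPv4 in-addr.arpa name; return None for anything that is not one."""
    label = name.strip().rstrip(".")
    if not label.lower().endswith(SUFFIX):
        return None
    octets = label[: -len(SUFFIX)].split(".")
    if len(octets) != 4:
        return None
    try:
        # in-addr.arpa lists the octets least-significant first, so reverse them
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ValueError:
        return None


def summarize_dns(rows):
    """Split rows into resolver endpoints, decoded PTR targets (deduplicated) and forward lookups."""
    resolvers, ptr_targets, forward = set(), [], []
    for country, dest, domain, proto in rows:
        resolvers.add(dest)
        ip = ptr_name_to_ip(domain)
        if ip is None:
            forward.append(domain)
        elif ip not in ptr_targets:
            ptr_targets.append(ip)
    return {"resolvers": resolvers, "ptr_targets": ptr_targets, "forward_lookups": forward}


# Rows copied from the behavioral2 Network table: (country, destination, domain, proto)
ROWS = [
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "97.17.167.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "83.210.23.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "67.31.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "13.86.106.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "53.210.109.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "171.39.242.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "82.190.18.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "172.214.232.199.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "29.243.111.52.in-addr.arpa", "udp"),
]

if __name__ == "__main__":
    result = summarize_dns(ROWS)
    print("resolvers:", sorted(result["resolvers"]))
    print("forward lookups:", result["forward_lookups"])
    for ip in result["ptr_targets"]:
        print("PTR target:", ip)
```

The first row decodes to the resolver itself (8.8.8.8), so the remaining ten addresses are the ones to look up. Because a PTR query does not prove the process ever connected to the address, treat the decoded list as leads to correlate with the Processes section and host telemetry, not as an IOC set.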
Files
Note: C:\Users\Admin\253086396416_10.0_Admin.ini and C:\MintBF\optixloc.exe are each listed twice below with different hashes, i.e. two different contents were captured at the same path during this run. Every captured version is listed.
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
| MD5 | 90fd7da63eb61d6b4d0413ad526a821f |
| SHA1 | b973ef30deab3c15b49c0922e05e28d248681bc8 |
| SHA256 | a1b0ad029293853c46ad4828af7c65e0d583dc5ed9dcef7935ab35f75853abd1 |
| SHA512 | 3c461c03772b39bb5f3bd0c06656d22e94157a8f928d73c32fd868fa5d32eeaba7a2cbd3feff6f07f80ceb2650a931e0d3299fb8c37ef642136978bfcdf4c629 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 3e3c6d12ef5bfa8c32b08a08c42db7d6 |
| SHA1 | b327bbc90ef8b3023afdf8c3e11088cb8493c064 |
| SHA256 | 1e4b85762f84e7751bb32de5aa65342b5bb42f9cf4f664fe7b772a3bb309561e |
| SHA512 | ead6ee2d2fa2e2f0f4cd0db39aff5efc67e5cb6f76e8307a90e6146d7723b26e94422a8b2660ff74ca4efac910b8bcc01bb42faffe6efa7fdedfe1e292969622 |
C:\Files58\aoptisys.exe
| MD5 | abac28a9ce761c8c2a0e868037b90fdb |
| SHA1 | 48348c6c7c580b197299ae57cc415f63bae97862 |
| SHA256 | 7fabaa1fc6e6831a68ea044c8eb8ade2d59aaa501a322d2a2940f636352160b4 |
| SHA512 | 0ff73b582bdfcc215af4a505650f45b4a565ddbc1e7eb9d8d25739f4803f1f05b17e98658c94f709e3b3ffcf738e476334e544cecb5a5ce7f9512087cc9411a8 |
C:\MintBF\optixloc.exe
| MD5 | b4e917f6b011a78b2cc82655eb1f26fe |
| SHA1 | 028dd40f98ae6bdb54dc51ede13156b87fd4e433 |
| SHA256 | 6bfa8477e7e90e067e3520fcafd04027b67c95b95199d6a99e979c97b877df52 |
| SHA512 | 667ff4b289797717a6beb49a101e89ebc8baa1f769dad2906ae1b7deb267577426253c8f0bb457f5669dda39f036507b0ad9d55400149eca648f50c10334fbaf |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 6bc05255c559d404cb67594cda3eeed1 |
| SHA1 | 42f9725567338448fe642b5488dd8539e615a5c0 |
| SHA256 | 4f87eb3916bc0334ff3391a34ca3b7482e4f478fef8b7a9a7f91d9acc21458c9 |
| SHA512 | 905d71e01279503320d65b5673aa6bc191a376cce827f3b1032ecb7ab825b96fab3fffd911fcd7fa024bf770ef69ff8dde9db36e3642075bd74b79011746c7ac |
C:\MintBF\optixloc.exe
| MD5 | 2c368577e9554133d02c83bf54a3ba6e |
| SHA1 | 49b7a9ae2d4b99497643247e01905888709f9fd5 |
| SHA256 | a133dd9ff9d9f10e5866c760cdd82f93cc9b63bbc2f61deeca3dfc19530bb3bc |
| SHA512 | 6738917ab34d25b7951ccba929c783d529abd278da5610a245c6c13691fecc1ae024dff9e6702c16321ec7300ee950a2a7fa1088dce430274f937ce643d834a8 |