Analysis Overview
| SHA256 | 80fac444f3459a3cde04b8461eb1b5590859412c913f0b32d88e670c87c1858d |
Threat Level: Shows suspicious behavior
The file 80fac444f3459a3cde04b8461eb1b5590859412c913f0b32d88e670c87c1858dN.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Reported | 2024-11-13 18:40 |
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-11-13 18:40 |
| Reported | 2024-11-13 18:42 |
| Platform | win7-20241010-en |
| Max time kernel | 119s |
| Max time network | 120s |
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\80fac444f3459a3cde04b8461eb1b5590859412c913f0b32d88e670c87c1858dN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\SysDrv7X\devoptiloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\80fac444f3459a3cde04b8461eb1b5590859412c913f0b32d88e670c87c1858dN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\80fac444f3459a3cde04b8461eb1b5590859412c913f0b32d88e670c87c1858dN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv7X\\devoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\80fac444f3459a3cde04b8461eb1b5590859412c913f0b32d88e670c87c1858dN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidOA\\optixsys.exe" | C:\Users\Admin\AppData\Local\Temp\80fac444f3459a3cde04b8461eb1b5590859412c913f0b32d88e670c87c1858dN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\80fac444f3459a3cde04b8461eb1b5590859412c913f0b32d88e670c87c1858dN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrv7X\devoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\80fac444f3459a3cde04b8461eb1b5590859412c913f0b32d88e670c87c1858dN.exe
"C:\Users\Admin\AppData\Local\Temp\80fac444f3459a3cde04b8461eb1b5590859412c913f0b32d88e670c87c1858dN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
C:\SysDrv7X\devoptiloc.exe
C:\SysDrv7X\devoptiloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\SysDrv7X\devoptiloc.exe
C:\VidOA\optixsys.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\VidOA\optixsys.exe
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-11-13 18:40 |
| Reported | 2024-11-13 18:42 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 120s |
| Max time network | 93s |
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | C:\Users\Admin\AppData\Local\Temp\80fac444f3459a3cde04b8461eb1b5590859412c913f0b32d88e670c87c1858dN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| N/A | N/A | C:\IntelprocK3\adobec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocK3\\adobec.exe" | C:\Users\Admin\AppData\Local\Temp\80fac444f3459a3cde04b8461eb1b5590859412c913f0b32d88e670c87c1858dN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintJR\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\80fac444f3459a3cde04b8461eb1b5590859412c913f0b32d88e670c87c1858dN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocK3\adobec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\80fac444f3459a3cde04b8461eb1b5590859412c913f0b32d88e670c87c1858dN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\80fac444f3459a3cde04b8461eb1b5590859412c913f0b32d88e670c87c1858dN.exe
"C:\Users\Admin\AppData\Local\Temp\80fac444f3459a3cde04b8461eb1b5590859412c913f0b32d88e670c87c1858dN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
C:\IntelprocK3\adobec.exe
C:\IntelprocK3\adobec.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\IntelprocK3\adobec.exe
C:\MintJR\bodaloc.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\MintJR\bodaloc.exe