Analysis Overview
SHA256
369bb4b47587e477d983104cb6c1da0061968785776e4e60a3b06356141e0439
Threat Level: Shows suspicious behavior
The file 369bb4b47587e477d983104cb6c1da0061968785776e4e60a3b06356141e0439.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 18:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 18:59
Reported
2024-11-13 19:01
Platform
win7-20240903-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | C:\Users\Admin\AppData\Local\Temp\369bb4b47587e477d983104cb6c1da0061968785776e4e60a3b06356141e0439.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| N/A | N/A | C:\IntelprocPU\xoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\369bb4b47587e477d983104cb6c1da0061968785776e4e60a3b06356141e0439.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\369bb4b47587e477d983104cb6c1da0061968785776e4e60a3b06356141e0439.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxKO\\optixec.exe" | C:\Users\Admin\AppData\Local\Temp\369bb4b47587e477d983104cb6c1da0061968785776e4e60a3b06356141e0439.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocPU\\xoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\369bb4b47587e477d983104cb6c1da0061968785776e4e60a3b06356141e0439.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\369bb4b47587e477d983104cb6c1da0061968785776e4e60a3b06356141e0439.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocPU\xoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\369bb4b47587e477d983104cb6c1da0061968785776e4e60a3b06356141e0439.exe
"C:\Users\Admin\AppData\Local\Temp\369bb4b47587e477d983104cb6c1da0061968785776e4e60a3b06356141e0439.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
C:\IntelprocPU\xoptisys.exe
C:\IntelprocPU\xoptisys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
| MD5 | 525b7c304301df9900676811b9cf1ae5 |
| SHA1 | ac4b69e34c5873d584d09763e6b651ea3e922b68 |
| SHA256 | 206e89084b43832e6cc6061d766360ec4f51b0765014f936f4949468f91cfade |
| SHA512 | 1e0bb02e11f8ff7b70cded0e51bd651de46bf90b1d8258cd575a5dacd16cfeb61e660f969ff2fac46437880ba44221db049a7c2d2fd8cf65c3a00dfba23a1b05 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 30861bd084c5c6931167e16a8444895b |
| SHA1 | 1bdc684a341bcdc7c3987f894e658c7b0853af84 |
| SHA256 | 2d5b1346608e0fe102320b595e3183f11eb6b71f27cc2933532bf1923860eccd |
| SHA512 | b897a02d56fc0618e3dec9b2e4128d5988d573fae1c0a8ed62100f1d1784af64b1f439682df6e9a2232ccde030665dc98837ac9f01724a8c1c8e1468234a442b |
C:\IntelprocPU\xoptisys.exe
| MD5 | a5e40d6f97b10c9e5b7a2269df0e03fa |
| SHA1 | 5888f5b5ec87802ec2c3b8e493dae3d04fe89b1c |
| SHA256 | 25ca43fe86b412e284f4eb3681e925c812a03ce8704af24ae7c4534a852bc432 |
| SHA512 | 049f33489c56b6842207b14cb53b34600884a32c76f0d86c7f5dfd0bf47b02897430aed054acdb0d001ca512a42516b1ef2ee101e992df7780e2beb99f2b65d0 |
C:\GalaxKO\optixec.exe
| MD5 | e4c519927ef7a100e643c02af674aa4f |
| SHA1 | 50970a87c3e9e6662f26d0a7ce6d65533cc1b303 |
| SHA256 | f68268e03910679f87f38bd0ce1ea344d214efa955cb28035b2dd413b8c20492 |
| SHA512 | 4fe15878c754b2de0f8324eba4d8076b8c6c9e60988d1ac1afee28cf42de472a6fab30579080124185af4df68e42fce204865dd209db025f234c0714c71e83e3 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | e1b095b2b28a834350216bf844be97ed |
| SHA1 | 8d5cd8f1178eaae8b4db0ae291676e1ccb771110 |
| SHA256 | 9273dad151bd975ace48286cbc3570fa68a4dc9616cc9739bb54d5557ac9ffee |
| SHA512 | 12bbc6f38a75b7e5a34cb154666a02198333382e7bdea68509c20fab0ce24dc3aad163b3f5f402c2c3f2322a0891c598f705286b96033a5012f55660ba27c276 |
C:\GalaxKO\optixec.exe
| MD5 | 62bf76156816e85f28a76abc8d9624ec |
| SHA1 | 48a8f746f3a47f62713d5ccaeb3181614fdf61e1 |
| SHA256 | a4cf7f65b89aa267e9f6545ccf4196bc9b4474769415449ba8a0e7bd292980f7 |
| SHA512 | 2606b59007054b83a0af20fcf3e45c3cbf766adae3eaf788914f27cb106956a225adec511a3a175121d757a7a254b9b42107b05bae0998a42eb3f233bb3af474 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 18:59
Reported
2024-11-13 19:01
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\369bb4b47587e477d983104cb6c1da0061968785776e4e60a3b06356141e0439.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\Intelproc7B\devoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc7B\\devoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\369bb4b47587e477d983104cb6c1da0061968785776e4e60a3b06356141e0439.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBRI\\dobaloc.exe" | C:\Users\Admin\AppData\Local\Temp\369bb4b47587e477d983104cb6c1da0061968785776e4e60a3b06356141e0439.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\369bb4b47587e477d983104cb6c1da0061968785776e4e60a3b06356141e0439.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Intelproc7B\devoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\369bb4b47587e477d983104cb6c1da0061968785776e4e60a3b06356141e0439.exe
"C:\Users\Admin\AppData\Local\Temp\369bb4b47587e477d983104cb6c1da0061968785776e4e60a3b06356141e0439.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
C:\Intelproc7B\devoptiec.exe
C:\Intelproc7B\devoptiec.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
| MD5 | 899547b01b6cf849bae1f887588ebd9d |
| SHA1 | b4c845fac83ef8354c21f669c36399ea07955a8f |
| SHA256 | cfab8be0a7c33ede511cfa431cdc49e8aefc8777a0432be711a07209ea330bd9 |
| SHA512 | 47c67c9a80ba831257176884e0b350fbcc36ce8352b508564aa1fbc29fb370db6f91511403bdd771755efd313156e9cdf3968c49389dc6d514d65eebbf2fa0ef |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 407939c6d94a409a5357c72a2fbd2eff |
| SHA1 | b23ccd50c7dd296d42c0d05aa51413f02de1342c |
| SHA256 | eec69e991a6e592e8df9c1cc762724a5650a37da0668ca85b8b278a60ed98d80 |
| SHA512 | 0b2848758a90399ff7e9c4a700c403c36b4b825d901145e4f0fa840c87dc05942a0dfd084fa6a6acddfa8d7d9bd460ca677419156bfb1028dffdfeba0a360014 |
C:\Intelproc7B\devoptiec.exe
| MD5 | 211c211281a83cae04ba8989e177223a |
| SHA1 | 2c6a912a90ce71ae095e8f16a97222e28964a271 |
| SHA256 | c2beca0f3cf592fda96ba710769ff2d67fd97592da9df195990bf22499d20a4b |
| SHA512 | 10dbfb3c33737e1b9a691fdbb89cea3f018443e481d57887d53a605597bc3ba56db26480f2efdbf443c71b4f4a0b594257d8f34f4cbd7826ff71936f4b5487eb |
C:\Intelproc7B\devoptiec.exe
| MD5 | b7482ea8193a1ba91f2f004c1261e17e |
| SHA1 | 9b1fa41e613bf2ad71e4107ec6b3eeebb01159a1 |
| SHA256 | ce32f225ad535928baaae503d22d5090a3fdd840bfbf285023346fa90a4c3514 |
| SHA512 | fd8c432f41f97265d24627cb85126ed750475d10fce67ad78e4b53a29444d1063b0d0f55905a135937cf31fdc423959d719d9fad517b071bc024723663c9713e |
C:\KaVBRI\dobaloc.exe
| MD5 | 7989bbaca2b7f84dc6d9381b62d3a7da |
| SHA1 | 2913fcb6f306077dcabf049913c5fd4d84ad0083 |
| SHA256 | 4c9bce9d8b08e60133199ae19b1827f22b7aee08225712ec82176a7a5aee68c1 |
| SHA512 | e72f4ec40f93870fd2c38d3e09ab193a8b66e558d79780412ff325fc1cd29d1a0af7a15d0f6794dd4784a69a729b137f0e6af30a242fccc8e9cecf94bf957f97 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | c077321176a6925972375dd70582bbdb |
| SHA1 | 13c3a42656f6de7848890f64d5620cf82a5ba556 |
| SHA256 | 5bfca9ffbec26f7bc83e137fdcc483cc6a6f66d20b17a303d85e4a148709f47b |
| SHA512 | d181b2518bbb78530b2ff931846abfee5554c47df1b18cb95ef7a7d49110c58f489a1884483cf6bb718cd73ba1d71e59678c5589d5cc1b52d328ff2d2f76d092 |
C:\KaVBRI\dobaloc.exe
| MD5 | 048e8bf6e18cb567d61346794bf6b41b |
| SHA1 | b1c6aec708d5c2d694d682a8d6e325b235d6cb6f |
| SHA256 | 4c6aad5ab4398d2e9158f236ad68301528796fb8f007cc5f971cf3f2bcbe681d |
| SHA512 | 132f8b215e4ae3e2498bfc3cb392f8b4d4a3e6d3ff7aecd701a926ed948ee930b548db96c87068026b7dbe11da3f5b8c8f2c3985b5e8cdea014accfa54e94f79 |