Analysis Overview
SHA256
1d8059195aa67d5f35718488ca6fe7744b9f6a29fcc3285dc0d52040da4cc98d
Threat Level: Shows suspicious behavior
The file 1d8059195aa67d5f35718488ca6fe7744b9f6a29fcc3285dc0d52040da4cc98d was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Drops startup file
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 20:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 20:17
Reported
2024-11-13 20:19
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
144s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | C:\Users\Admin\AppData\Local\Temp\1d8059195aa67d5f35718488ca6fe7744b9f6a29fcc3285dc0d52040da4cc98d.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| N/A | N/A | C:\Adobe09\adobec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe09\\adobec.exe" | C:\Users\Admin\AppData\Local\Temp\1d8059195aa67d5f35718488ca6fe7744b9f6a29fcc3285dc0d52040da4cc98d.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBJR\\dobxloc.exe" | C:\Users\Admin\AppData\Local\Temp\1d8059195aa67d5f35718488ca6fe7744b9f6a29fcc3285dc0d52040da4cc98d.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1d8059195aa67d5f35718488ca6fe7744b9f6a29fcc3285dc0d52040da4cc98d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Adobe09\adobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1d8059195aa67d5f35718488ca6fe7744b9f6a29fcc3285dc0d52040da4cc98d.exe
"C:\Users\Admin\AppData\Local\Temp\1d8059195aa67d5f35718488ca6fe7744b9f6a29fcc3285dc0d52040da4cc98d.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
C:\Adobe09\adobec.exe
C:\Adobe09\adobec.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
| MD5 | 021eb4fcc749f28b9869ad1e92fc02f3 |
| SHA1 | 5e803924990c1dda724f7c8677920fca84b92921 |
| SHA256 | bccbd021cc4bd90a3e9f8a7f46bd5f28fc8d06ab31db83cac12d906bc0c7f017 |
| SHA512 | 5647ac3a37d13d48200c42b96177c0c04d3b512af6832504ec84a700ce22ade0a6555dd184f1130d5d9041c8463362303dc43670cc0074b666d66e53dbc5f7dc |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 549856c44910ab30e45fe7fe1083ffb9 |
| SHA1 | 06195baf8a35dc93ade96c133043b07ba7e8da6c |
| SHA256 | 3bc57ba1ef5ae459c734908388ade6f188790a79e07a8865d8ab22ab2fef035f |
| SHA512 | 93170cf6dda6c34b8e5f23af9e08831929b3665f3683c571ad92c6d532b1e9961167fb924a9c82211aafabdcd02a886f4738c345ea27ab0efaee7787f05c2fa6 |
C:\Adobe09\adobec.exe
| MD5 | b85ef880820ad2f02706b10170e533fb |
| SHA1 | 71378239fb161e35c8f79d7a951d7d09d4f45b33 |
| SHA256 | 824b6d312a2dde817fb21948332f4b59c54118a25d0c2deb5bfc92aa1a9daa78 |
| SHA512 | f430b5b60b9ef1cf4efe9787c7b0f161b12f4212956a065e1f0b6a07907600fe307c8323482f6e6d85953fe9576ba09e3b9876d9c27e916f7ee62a9c3665a6d3 |
C:\Adobe09\adobec.exe
| MD5 | 4bcd56c0b024f85286a7b25c833420c8 |
| SHA1 | 5653b493e3e6fa9e541a4979bd5223877a91348a |
| SHA256 | ff7d3a1e861340eba7f1f8cc678d1cae1136e2f6b73abdcf13fb4ed08f670293 |
| SHA512 | 638fdddba89c3ecabbb0708bef43b0763d6e4c86a51f449dd092ec9d905cada4d49504a3aa0451723eea56cd265001f48575eab0214a3a806c33ed05e9d0db29 |
C:\KaVBJR\dobxloc.exe
| MD5 | 7a6ccd051b149b4819712a9ca8954bd7 |
| SHA1 | 4c192974df9de201ae81421b4f62f983e1778181 |
| SHA256 | f72f38204a58571bc57abc5403cc81f0a3948f7988e7a31064cc47fe6a1e7bca |
| SHA512 | fa5667bfeb78f70a02e8934ef81ef5c81b8b469f7322d136c0211ff7acd6cd0249fc975a3b33ab6bc739ed2ea0ec1bfbd38dec15eef50e35a4a71648a2ef8c97 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 5c7bac193bfbc09abe0f9417f2d469da |
| SHA1 | b552d728ea434118f9174a30b2f81566d5387ff8 |
| SHA256 | 81157c6bd89dfe6c0343b2a2ff733a2d92c79335fc5d1fc890d31cd0629e0d17 |
| SHA512 | 2c2731b528645056f3aebd478cd26f6e339e97a69d021e28755276becf3dd3910fac2398360afef79201e5571939eaa0e048dac59d239f53e0c2031286cbf431 |
C:\KaVBJR\dobxloc.exe
| MD5 | 9066f9da2f6e14f558228b695e72cbf2 |
| SHA1 | 91038a2a5cdbee686253b1163db1462b67afdc3e |
| SHA256 | afcec9da3d6ab02251f8cfb55fdbb99d8a48092388bebeb354a5ecbedcca04c4 |
| SHA512 | 41a27889d2f9e9fe12ceb02ebb86a9a7b9be8a9c8b34ddf510ffdc5876880d78e33cc31be4832bd57fa4af876e75459907f209f89f94d42328c4aa001f56117d |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 20:17
Reported
2024-11-13 20:19
Platform
win7-20240903-en
Max time kernel
150s
Max time network
120s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | C:\Users\Admin\AppData\Local\Temp\1d8059195aa67d5f35718488ca6fe7744b9f6a29fcc3285dc0d52040da4cc98d.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| N/A | N/A | C:\IntelprocEN\xoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1d8059195aa67d5f35718488ca6fe7744b9f6a29fcc3285dc0d52040da4cc98d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1d8059195aa67d5f35718488ca6fe7744b9f6a29fcc3285dc0d52040da4cc98d.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax8K\\optiasys.exe" | C:\Users\Admin\AppData\Local\Temp\1d8059195aa67d5f35718488ca6fe7744b9f6a29fcc3285dc0d52040da4cc98d.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocEN\\xoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\1d8059195aa67d5f35718488ca6fe7744b9f6a29fcc3285dc0d52040da4cc98d.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1d8059195aa67d5f35718488ca6fe7744b9f6a29fcc3285dc0d52040da4cc98d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocEN\xoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1d8059195aa67d5f35718488ca6fe7744b9f6a29fcc3285dc0d52040da4cc98d.exe
"C:\Users\Admin\AppData\Local\Temp\1d8059195aa67d5f35718488ca6fe7744b9f6a29fcc3285dc0d52040da4cc98d.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
C:\IntelprocEN\xoptisys.exe
C:\IntelprocEN\xoptisys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
| MD5 | 9fe05eb649cb3fefeae46b3de12bf33a |
| SHA1 | 5611aeec3ab614eb0d1c0196c5ad37ddb3f8d735 |
| SHA256 | 966efc8639d9aed8f4ad72ad0de053627af9ca79b6f88d2f6bcbb476efb441c7 |
| SHA512 | 36b0b18356f5b7f5e2f563affb3abfaca08229e266e2da1e1b7f962485a0928435bafc68ad38c0be1113e7fd7fb894b02c0612927675cd92969644f061663d96 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | bbfdd0f1bee35ca488c6f83bfade777e |
| SHA1 | 2e1c4d36d1a94cfb170269e90380cfffeb2feb05 |
| SHA256 | d721a797fc0919f466be0730953224994e6d54aad95bcb0e0bd21f390457a13f |
| SHA512 | 2ab1bc4e0e81ce32bd309b836a284f64cc886cfce3b487f83a9fb21a1b80fd3baa34e2ff813f6dd82a8c1cbe8f655ce03abd68574a7d16c49a4d8d1c0272c794 |
C:\IntelprocEN\xoptisys.exe
| MD5 | 61b773990ee27e9e908970e63b267f79 |
| SHA1 | 522f4b8bd8207fe759634142fdb72607b71380f4 |
| SHA256 | 8680f82d44553da0b976a373a4c22a7847b75edeed53a8fcb3bab73b13c72c0d |
| SHA512 | 6a34405c32b1ed6c0070d4c054d00db08edd60f126246e30755b99cdc98b0de4394c89b066d72ca1b9f4c4ef554bf4713874e94aae71615254c3d79bc546c29e |
C:\Galax8K\optiasys.exe
| MD5 | f5cb686eb195ddb2282ffd14effb878e |
| SHA1 | 2d6a7f811f036d3fda786578740bcdef3a386a5f |
| SHA256 | 5a15063b97c68386a46629afa79ce5bb1011f01bdab231bd57322fc7c3e39b1a |
| SHA512 | bafe99f28f35b4c1006ec2b438f15f5f1a3054470912a37cb8c152f4d0188cec30c9c0419341b7e63207f8aec80ebb41db7723fe497ea62a9a24fb8bab559569 |
\IntelprocEN\xoptisys.exe
| MD5 | 5855b73c05354d6eac6685706d88fcf3 |
| SHA1 | 6c58017e4df15f898ac573d26d60575fbfe1a7d1 |
| SHA256 | a2ed01a37853781061e435791341918c517642c2f02961cd148ad038bb334bb8 |
| SHA512 | 214c39c4d6fadee3999b0727a2524e5280d48fa17a815adafbe6f62078c17f2126f274e2cea51528ac8155d0326a302cc9980a397f7e7e0e8d313ec6cec0a768 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 638833737d69d54adcb5d18a01dc8746 |
| SHA1 | 09c5968f55e40886a7cb19a09d6dd03eb9198e8e |
| SHA256 | 6427d03502532f90b1974758adfec935dafd921873b0c06b96ec4c76bd9eae29 |
| SHA512 | de4829f371e243d843e1fc9a583e1bb309e578b49d8e69d6425cf6f9f5a6f3a3c5a08ca490dc4a3b71f6488ac9520b356765770f5885956f86d56008c171dcb0 |
C:\Galax8K\optiasys.exe
| MD5 | 5ad888056f3ee6159a823db579c762cd |
| SHA1 | 426a43e45686ee1dfdae8c46594cb61deda45515 |
| SHA256 | 44e8a212c1c3a3355a7bf40b9fe7ccd0e40cced292f8f240a966573595a8792e |
| SHA512 | b45f5d0bd5eb852dc7d197cd622d60554720559e1a823292f629956e814c539a7bb12cc2cb8f9c1ce0356cbc36c21bb51f1122ea384c4f0efadcc060a01ab70e |
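Turning the persistence indicators from both detonations above (the "Drops startup file" and "Adds Run key to start application" rows, and the Files sections) into hunting logic, as an added example that is not part of the sandbox report. Two things the report shows are worth encoding: the Run/RunOnce value name is "Parametr" in all four registry writes while the drop directories and file names change between runs, and every dropped executable is listed twice with different hashes, so a file-hash IOC will not survive the next execution. The event field names (type, path, data, process) are this example's own assumption and not the sandbox's export format; the OneDrive autostart entry is constructed as a benign control, everything else is copied from the indicator and Files rows on this page.

```python
import re
from collections import defaultdict

# Value under HKCU\...\CurrentVersion\Run or RunOnce, path as the sandbox renders it.
RUN_VALUE_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.IGNORECASE)
# Per-user Startup folder: anything dropped here executes at the next logon.
STARTUP_DIR_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$", re.IGNORECASE)
# An .exe exactly one directory below the drive root (C:\Adobe09\adobec.exe style).
ROOT_DROP_RE = re.compile(r"^([A-Za-z]):\\([^\\]+)\\[^\\]+\.exe$", re.IGNORECASE)
TRUSTED_ROOT_DIRS = {"windows", "program files", "program files (x86)", "programdata", "users"}
# The value name was "Parametr" in every Run/RunOnce write in both detonations above.
KNOWN_VALUE_NAMES = {"parametr"}

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\1d8059195aa67d5f35718488ca6fe7744b9f6a29fcc3285dc0d52040da4cc98d.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SID10 = r"\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion"
SID7 = r"\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion"

# Sample events: the first six are the indicator rows from the two reports (win10 run, then
# win7 run); the last is a constructed benign autostart entry the rule must not fire on.
EVENTS = [
    {"type": "registry_set", "path": SID10 + r"\Run\Parametr", "data": r'"C:\\Adobe09\\adobec.exe"', "process": DROPPER},
    {"type": "registry_set", "path": SID10 + r"\RunOnce\Parametr", "data": r'"C:\\KaVBJR\\dobxloc.exe"', "process": DROPPER},
    {"type": "file_create", "path": STARTUP + r"\locdevopti.exe", "process": DROPPER},
    {"type": "registry_set", "path": SID7 + r"\RunOnce\Parametr", "data": r'"C:\\Galax8K\\optiasys.exe"', "process": DROPPER},
    {"type": "registry_set", "path": SID7 + r"\Run\Parametr", "data": r'"C:\\IntelprocEN\\xoptisys.exe"', "process": DROPPER},
    {"type": "file_create", "path": STARTUP + r"\locxbod.exe", "process": DROPPER},
    {"type": "registry_set", "path": SID10 + r"\Run\OneDrive",
     "data": r'"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
     "process": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]
# (path, SHA256) pairs copied from the Files sections of both reports.
FILE_RECORDS = [
    (r"C:\Adobe09\adobec.exe", "824b6d312a2dde817fb21948332f4b59c54118a25d0c2deb5bfc92aa1a9daa78"),
    (r"C:\Adobe09\adobec.exe", "ff7d3a1e861340eba7f1f8cc678d1cae1136e2f6b73abdcf13fb4ed08f670293"),
    (r"C:\KaVBJR\dobxloc.exe", "f72f38204a58571bc57abc5403cc81f0a3948f7988e7a31064cc47fe6a1e7bca"),
    (r"C:\KaVBJR\dobxloc.exe", "afcec9da3d6ab02251f8cfb55fdbb99d8a48092388bebeb354a5ecbedcca04c4"),
    (r"C:\Galax8K\optiasys.exe", "5a15063b97c68386a46629afa79ce5bb1011f01bdab231bd57322fc7c3e39b1a"),
    (r"C:\Galax8K\optiasys.exe", "44e8a212c1c3a3355a7bf40b9fe7ccd0e40cced292f8f240a966573595a8792e"),
    (STARTUP + r"\locdevopti.exe", "bccbd021cc4bd90a3e9f8a7f46bd5f28fc8d06ab31db83cac12d906bc0c7f017"),
]


def normalize_data(data: str) -> str:
    """Undo the report's rendering (doubled backslashes) and isolate the image path."""
    data = data.strip().replace("\\\\", "\\")
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]      # quoted image path, drop any arguments
    return data.split(" ", 1)[0]


def check_registry_set(ev):
    """Flag a Run/RunOnce write by known value name or by an untrusted root-level target."""
    m = RUN_VALUE_RE.search(ev["path"])
    if not m:
        return None
    key, value_name = m.group(1).lower(), m.group(2)
    target = normalize_data(ev["data"])
    reasons = []
    if value_name.lower() in KNOWN_VALUE_NAMES:
        reasons.append(f"value name {value_name!r} seen in the sandbox runs")
    d = ROOT_DROP_RE.match(target)
    if d and d.group(2).lower() not in TRUSTED_ROOT_DIRS:
        reasons.append(f"target lives in root-level directory {d.group(1).upper()}:\\{d.group(2)}")
    if not reasons:
        return None
    return {"rule": f"autostart_{key}", "process": ev["process"], "target": target, "reasons": reasons}


def check_file_create(ev):
    """Flag an executable written to the per-user Startup folder."""
    if STARTUP_DIR_RE.search(ev["path"]) and ev["path"].lower().endswith(".exe"):
        return {"rule": "startup_folder_exe", "process": ev["process"], "target": ev["path"],
                "reasons": ["executable written to the per-user Startup folder"]}
    return None


def hunt(events):
    """Run both checks over a stream of events and return the findings."""
    findings = []
    for ev in events:
        f = check_registry_set(ev) if ev["type"] == "registry_set" else check_file_create(ev)
        if f:
            findings.append(f)
    return findings


def persistence_pairs(findings):
    """Processes that both wrote a Run/RunOnce value and dropped a Startup .exe."""
    rules = defaultdict(set)
    for f in findings:
        rules[f["process"]].add(f["rule"])
    return sorted(p for p, r in rules.items()
                  if "startup_folder_exe" in r and any(x.startswith("autostart_") for x in r))


def unstable_hashes(file_records):
    """Paths listed with more than one SHA256: the payload is rewritten on each run, so a
    hash IOC for it will not match the next host; hunt on path and value name instead."""
    seen = defaultdict(set)
    for path, sha in file_records:
        seen[path].add(sha)
    return {p: sorted(s) for p, s in seen.items() if len(s) > 1}


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f["rule"], f["target"], "; ".join(f["reasons"]))
    print("persistence pairs:", persistence_pairs(hunt(EVENTS)))
    print("paths with unstable hashes:", sorted(unstable_hashes(FILE_RECORDS)))
```

The root-directory rule is the one that generalizes beyond this sample: the value name "Parametr" is a cheap exact match for this family of drops, but a writer only has to rename it, whereas a Run value pointing at a freshly created directory directly under C:\ is unusual for legitimate software regardless of what the directory is called. The startup-folder drop and the Run/RunOnce pair from the same parent process is the correlation worth alerting on; either alone produces noise from installers.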