Analysis Overview
SHA256
a4aacb1506ecfdc349950452b2548c63411538088d023163b9e9b0cf675fcc19
Threat Level: Shows suspicious behavior
The file a4aacb1506ecfdc349950452b2548c63411538088d023163b9e9b0cf675fcc19N.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 19:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 19:35
Reported
2024-11-13 19:37
Platform
win7-20240903-en
Max time kernel
119s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | C:\Users\Admin\AppData\Local\Temp\a4aacb1506ecfdc349950452b2548c63411538088d023163b9e9b0cf675fcc19N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| N/A | N/A | C:\Files14\xoptiloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4aacb1506ecfdc349950452b2548c63411538088d023163b9e9b0cf675fcc19N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4aacb1506ecfdc349950452b2548c63411538088d023163b9e9b0cf675fcc19N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files14\\xoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\a4aacb1506ecfdc349950452b2548c63411538088d023163b9e9b0cf675fcc19N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB7B\\boddevloc.exe" | C:\Users\Admin\AppData\Local\Temp\a4aacb1506ecfdc349950452b2548c63411538088d023163b9e9b0cf675fcc19N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a4aacb1506ecfdc349950452b2548c63411538088d023163b9e9b0cf675fcc19N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Files14\xoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a4aacb1506ecfdc349950452b2548c63411538088d023163b9e9b0cf675fcc19N.exe
"C:\Users\Admin\AppData\Local\Temp\a4aacb1506ecfdc349950452b2548c63411538088d023163b9e9b0cf675fcc19N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
C:\Files14\xoptiloc.exe
C:\Files14\xoptiloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
| Hash | Value |
|---|---|
| MD5 | 0861458b12da7aaea02b06f50683e942 |
| SHA1 | 54330c54e6d01f70c80b1744e0a249e4c5fa4134 |
| SHA256 | 597f8518f7d282fcbf1e663eac35f43b1154ff7585421d6b8d0ef503a4df0bf1 |
| SHA512 | 3b32deb481a249753a419144f21802a5627a3dbafc03da9fb19521eb825d9f80a20115a37cfe94e28cb15fd1287f432661005dab0f6c876e59d6f543f66a6b6b |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | b63f35fd069afe7be731a1c4dfd07aa7 |
| SHA1 | 9f5e17b7e0a868c237c37e0ed78af7cd56385e78 |
| SHA256 | f22c4be106c59aa3a94350f383a41688042dee3ffc72b4cbbf2cea3c788dad82 |
| SHA512 | 651f5803c7cbd24d35d579f4e2d5bbac3caa56ead3ad4a97e2314372c23ef7b78aeab8ab26688a382a3067ffb789d0ed0bb192c00bca3c3325eee0f98af4fd45 |
C:\Files14\xoptiloc.exe
| Hash | Value |
|---|---|
| MD5 | e95520128700cc9cfa0d7bc8e6b25d2e |
| SHA1 | 748eeefea2d40a740c544c0fd6ee6913c723daea |
| SHA256 | 4abb936b0d5f017f0c62be6fdddeed40f42457be62c62cd55f12e789ef79a179 |
| SHA512 | 6b33dfd019544278c8d1431d6f7037497a26e6b61ce06892b84da3f7ffd805406877fc5bbc4c7c6763910dedf31bbef8154ebebb97863a1c874582250531b406 |
C:\KaVB7B\boddevloc.exe
| Hash | Value |
|---|---|
| MD5 | 10c6685610d3ba50335629f566647ef2 |
| SHA1 | a14357af81f756726ce8c99bbd63deba89d5afc4 |
| SHA256 | 56ab3e760d0675d0f81149e6c49643cf7c1b0737b8708d0981738b2c4a657f43 |
| SHA512 | 9347828907308c0c68630677f1b73263a6ee429f451ae227849e3b71703f1b63eb4d35fd4ae2d9aa73af7de060551f226b0b55496126cb6c63dda8821a4f4d13 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 750d49411920a8b6ce9cfe71cad654ad |
| SHA1 | 966cf1c208d1eb1b0140e292d025fc396dcc4397 |
| SHA256 | 43915b354e92d1617d3d72ba986294f08e577259ddb1071cd2f765be95ff745e |
| SHA512 | b1d9277ef7bdd3dd72279c45ec19b7caf61ddd028ddf9ec05637aa0a544a6033d696eed35c650309e519983aa25bc5496c2d17e6a560eb098a78dc77f6ea1407 |
C:\KaVB7B\boddevloc.exe
| Hash | Value |
|---|---|
| MD5 | e7927e0c9d568d8120efeec957d02d25 |
| SHA1 | 605e842fc6960c772fb1acbd8c4a8d282582cab7 |
| SHA256 | 4e7218a9508df364d57c2951ea8df34d118fd849db091cabf2daef1bbea3bc44 |
| SHA512 | c0be7ebfd3012780f01eb25e1c8c59ffdd69748aa3c99e8e20b183034f888e3422eafc4806fed46713804a4114f98428f451987bea6be1cff79e53cfcccd8124 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 19:35
Reported
2024-11-13 19:37
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\a4aacb1506ecfdc349950452b2548c63411538088d023163b9e9b0cf675fcc19N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\FilesAG\xdobec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintTT\\optixsys.exe" | C:\Users\Admin\AppData\Local\Temp\a4aacb1506ecfdc349950452b2548c63411538088d023163b9e9b0cf675fcc19N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesAG\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\a4aacb1506ecfdc349950452b2548c63411538088d023163b9e9b0cf675fcc19N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a4aacb1506ecfdc349950452b2548c63411538088d023163b9e9b0cf675fcc19N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesAG\xdobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a4aacb1506ecfdc349950452b2548c63411538088d023163b9e9b0cf675fcc19N.exe
"C:\Users\Admin\AppData\Local\Temp\a4aacb1506ecfdc349950452b2548c63411538088d023163b9e9b0cf675fcc19N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
C:\FilesAG\xdobec.exe
C:\FilesAG\xdobec.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
| Hash | Value |
|---|---|
| MD5 | 9d2d30d19a352c030a6de3703d7fe3ec |
| SHA1 | ab9f790b2d7fe3c76f377bba55597b9ff1113b27 |
| SHA256 | cc7b3789c57ea8e928ff42969edd9c73a4cbbae665d4c145a82b9af1a04a3212 |
| SHA512 | 3596456b1869add780f898c03da5902689686e76c9159e7aafc6332980c0e28a91a5f437dbd422a1e09a0b38a2dd3757b199b640cb39fe68e3032c7ca736a0a1 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 464100f6aa735f4dcbda9383faceb615 |
| SHA1 | b80459d07ae34f48b96b90bba9836ecbbd12719a |
| SHA256 | 21a49ea6ccaf04508cbcaf04fd3661d36200b0108a0c58977dbe82419e01a61a |
| SHA512 | d929c8f22fa005492da8bcc9ac5878a8092ddb6743977bc98f473856756cfc9c03ba922654111b746b55fbdf958302b37a3964b41cf48fe725c8b967ce287014 |
C:\FilesAG\xdobec.exe
| Hash | Value |
|---|---|
| MD5 | 1ab6e7cbcc7719a386ab983cebe37992 |
| SHA1 | 57550ebf8845955f7a930626f67d93f5224a7386 |
| SHA256 | 639ddaf8ea5b13763343442b519e3e4dec0dc6a4d2d68b9f030b6abad3932238 |
| SHA512 | 1220900fb33ed33d888986d3102d189a19c47b8a2588b04299bf82dbf9a62850d88a239d2c588dbf927922b84cf6eb7fa598a70ccac02334268828c81e56e372 |
C:\FilesAG\xdobec.exe
| Hash | Value |
|---|---|
| MD5 | 000d368620d59172e173aec43e82aed9 |
| SHA1 | 4f7fee2bd5c3a84595da24189b3eba10dc8a7c47 |
| SHA256 | 444d9bfdc60d5ecfdc1ab4cff63bbface0dad22ffdda051f0e3016dae6346e5a |
| SHA512 | d0f8f9581d4c96c3e3233c98d6ff59ee93e62946bd07abf609e30b21be3eb88ccca8a1541d128430a6536439b3c8888a696f3d9fa291e69f2a4766d0a564b2b7 |
C:\MintTT\optixsys.exe
| Hash | Value |
|---|---|
| MD5 | 3cbca5e21ec86c8175f953e96e9e9885 |
| SHA1 | afe787b6415b7073ee6e31b68b45177bd4d5863f |
| SHA256 | 7364e0f269ed97202b8e5890e21965ef2c95f76155f249382bc4022b77dd9aef |
| SHA512 | d53d8a385f21b921f9223ef74fd56e826390cf0a99a8f4b0791f15676fa9db516453833619f9700eba6dae9b9941063a47296475fbf86a2a7f96aaf0adece452 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 10a965b6e96e3ca1696986fe996cd191 |
| SHA1 | 675865c800d96af53fe7f8366a5e52b080535c32 |
| SHA256 | cd5bbe7d5c237e5f93b58d40ef5f6c0ac4a54b09cb17565f35511109dcbf9baa |
| SHA512 | 167afd0c22f09c1a7d2482237fe149119f4e6a5c2717086c6202fe91cb0c32783ce5f431241ef6c1fe5efac08b167c3743dfc93dabbce4d52e7a5a2fcc3f917d |
C:\MintTT\optixsys.exe
| Hash | Value |
|---|---|
| MD5 | fe6a9c933cb55ce53f66657db24ca04d |
| SHA1 | b75870fd0a4d8dd5cb912998a8eca9cf3ef8c8f7 |
| SHA256 | c76e8c15bea6a33d411adcaab6bc0781f7e4a153949af7f5101e11970a97a323 |
| SHA512 | fe6b5f7e28f7afc2b20e53279fd10a32f380d9816d51a74d53918d93b94b5b6694242a4e1a92e71956ca9a50558eca88bc524e10bb3c4e9fa35e1f4de59adda9 |