Analysis Overview
SHA256
05bc66475bdc509c65c7b1babcd20f7b61ea5443e8dd2b553fa44d32f25f25ec
Threat Level: Shows suspicious behavior
The file 05bc66475bdc509c65c7b1babcd20f7b61ea5443e8dd2b553fa44d32f25f25ec.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Drops startup file
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 19:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 19:39
Reported
2024-11-13 19:42
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
97s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | C:\Users\Admin\AppData\Local\Temp\05bc66475bdc509c65c7b1babcd20f7b61ea5443e8dd2b553fa44d32f25f25ec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| N/A | N/A | C:\AdobeFQ\xbodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeFQ\\xbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\05bc66475bdc509c65c7b1babcd20f7b61ea5443e8dd2b553fa44d32f25f25ec.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid35\\optidevloc.exe" | C:\Users\Admin\AppData\Local\Temp\05bc66475bdc509c65c7b1babcd20f7b61ea5443e8dd2b553fa44d32f25f25ec.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\05bc66475bdc509c65c7b1babcd20f7b61ea5443e8dd2b553fa44d32f25f25ec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeFQ\xbodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\05bc66475bdc509c65c7b1babcd20f7b61ea5443e8dd2b553fa44d32f25f25ec.exe
"C:\Users\Admin\AppData\Local\Temp\05bc66475bdc509c65c7b1babcd20f7b61ea5443e8dd2b553fa44d32f25f25ec.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
C:\AdobeFQ\xbodsys.exe
C:\AdobeFQ\xbodsys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
| Hash | Value |
| --- | --- |
| MD5 | 2f4f552b77fc78387858e16b91a8a870 |
| SHA1 | 9e2269100e471371cf491bb1dd4e69e8de34c315 |
| SHA256 | ea8db3351a08ce4b310620c7e6de2ec1f60f2933d291bca587d9539ba13f3dec |
| SHA512 | 6ee22a19bff65bf8a770cfc2459f4edb161c217f0879c3008a11ce4b6fc547b94424d32c749575c2785479c20d2e4c0f5b022b49d15d125b06e663c1130882c4 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | b155b3e39e06b3575b6726bb364d5fdd |
| SHA1 | 1dd3f69818ffd3e39b36ac63f8575bef920f0841 |
| SHA256 | b26cbe043d24b7d0f7d8140dc74c3f8ac53eb0bf0e92dbe9d1b5bb6dfd40ce30 |
| SHA512 | ef7bdf6162984e46a14dce5ddfbeabd86945f77de66a744ce87dbf9f4ff5da2d83d1bd9e6595101b5085abcd2fb2d932560aff5b871504812317c482a0c0f0e0 |
C:\AdobeFQ\xbodsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 570781f0604c6fe804632481fee44730 |
| SHA1 | b191bff1d724bcda4db1ed21bf9d2423f52424ff |
| SHA256 | e6b70137bb310dcca44b000695c989a6224879f92533d804cb554922f5ba265c |
| SHA512 | ff1fbe1ebeddc488fee5a53db9417347b81e8000be3a2fcb4c66f924b153090a48d759bbf32fc3f0d8da86127d907b45a76df415fca3df6131f70e4b5d7d3e98 |
C:\Vid35\optidevloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 05b13b74913047fd75b7f4a770377aba |
| SHA1 | 6a4894dde519557e98909c8c8479d462075083f6 |
| SHA256 | 8c5f2a46ce4f20af6184c5ddb9c5814e4eb2663f6022244a83169fa75ab223b5 |
| SHA512 | 0cb5478e627485b81074db3008f659e878be5746889576f6029bd9706766fb92444abf8bd5e504113416b6871dc70b2e8d0ae62fe3edf6c78382ce53316cc85e |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | cfaaaf5da2e6b9c81ba2563eba0282c1 |
| SHA1 | 6facdaa9d701db4a0b106259f14d86df91c77962 |
| SHA256 | 658bc49ceb067e2cb8b5f892db8381d1d8cf171bfd989fb38bbfe0e6f7a9e05c |
| SHA512 | 84759242acc3c8c5319712cc391f445abd814ca3fd8ff1c5a1f4f12ece9f20eec83fb1bcb6f6942b2749e050cec3f0052f6fc9e29530108d382ad830c35a774a |
C:\Vid35\optidevloc.exe
| Hash | Value |
| --- | --- |
| MD5 | dc59439633ec057b6298e7f89b2eda01 |
| SHA1 | f2ef46b6ffef5a8671b791ae16a54b2c5b065ce3 |
| SHA256 | 432784c8fd180b39f1336a03c96b7d28a933e106db3baedee08ebc412ad2cff2 |
| SHA512 | 14cb32d42847faace92ac8814022310957c582b9e6ddcd5ef9e78df28321072545b13e6d01eb62cdd23a30e1d60073b1cc34047ad154fd069a9439c16d975043 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 19:39
Reported
2024-11-13 19:41
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | C:\Users\Admin\AppData\Local\Temp\05bc66475bdc509c65c7b1babcd20f7b61ea5443e8dd2b553fa44d32f25f25ec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| N/A | N/A | C:\FilesWC\xoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\05bc66475bdc509c65c7b1babcd20f7b61ea5443e8dd2b553fa44d32f25f25ec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\05bc66475bdc509c65c7b1babcd20f7b61ea5443e8dd2b553fa44d32f25f25ec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesWC\\xoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\05bc66475bdc509c65c7b1babcd20f7b61ea5443e8dd2b553fa44d32f25f25ec.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ3Y\\optixsys.exe" | C:\Users\Admin\AppData\Local\Temp\05bc66475bdc509c65c7b1babcd20f7b61ea5443e8dd2b553fa44d32f25f25ec.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\05bc66475bdc509c65c7b1babcd20f7b61ea5443e8dd2b553fa44d32f25f25ec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesWC\xoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\05bc66475bdc509c65c7b1babcd20f7b61ea5443e8dd2b553fa44d32f25f25ec.exe
"C:\Users\Admin\AppData\Local\Temp\05bc66475bdc509c65c7b1babcd20f7b61ea5443e8dd2b553fa44d32f25f25ec.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
C:\FilesWC\xoptisys.exe
C:\FilesWC\xoptisys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
| Hash | Value |
| --- | --- |
| MD5 | a25735249dfa8df2b449aad2a8d2cdc3 |
| SHA1 | 3c1f64814f2c502bdfeaf0a325cf629cb964052a |
| SHA256 | 2e5ee732911f260a6c5ff910b323d30a46ea279a37b60693ce900dc77a195aa8 |
| SHA512 | 744dbbd705babf87c180c656e0cdbad0df99b2ccc73667e78da7b41011aecbd62312047327141712ba45d9b09edbe78f59128e66ec18ea7c13645c0b6dcf6a2a |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 81f080fd68dc443b81493ff0759b90e1 |
| SHA1 | 86a65be0f2141177f683991d8532b607a8c797ee |
| SHA256 | 75d4bf6eea7587fc7b8f7ab24060740d112f0cc89a03482034c2c29c7547e326 |
| SHA512 | a91c23a95fcc6e1f6176020c1a799f09e60b29828d39fa8d2c0a82e54a8b2f317e0e57ce1caa53756dad1338cce3c0592daf499f0f2f7772b00a62acdae70aad |
C:\FilesWC\xoptisys.exe
| Hash | Value |
| --- | --- |
| MD5 | 3167e6b1e470a7564cae4d083209803e |
| SHA1 | b500b88bc2c62971d74af7b7a15b7142f741e3e3 |
| SHA256 | 83bcaa3bc217028aaf76614c9d9eb7776892e35208115f78f09178b3882f368d |
| SHA512 | 54722e7b9e5d8659d9b05875d7b44fd109921968b9f08a3426eb5496c1c4312622e8777e66b61509432e8f2dc4df71ac7e098b6b1427fb6fc67022e0c67d76bf |
C:\LabZ3Y\optixsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 1846af9e8b55558541978d7c56478edb |
| SHA1 | 547f27f580ed217db608fc58faecb1dcb3b7543b |
| SHA256 | 7c6db1f5dd41aba0b5ee24e4372b0e3cf316d0b24b7ccdf6d15f3d773aa5b4dd |
| SHA512 | 863a883ee684a9eca2ce85aa2a2cdeae7c5dbaad9776f5795f2cdc6cba19fbd24e571c2981520079bd260f48dcffc8b1f42a9d9f65c2582894b1d60f6e94df9b |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 1391beaa430dc5583776bac500925b33 |
| SHA1 | d22b55a954d275f75ee8308aa496e6460b6dfb8c |
| SHA256 | d570d8688b3eb25573751ad9831de29cae83156e87e963c2d448165b99acb13f |
| SHA512 | 1e59353781bddb48c9badb10e69b3b9f74561de5c7e3bc84fe329de92e52d5bf30c8a630e1e0da390577c61d2f7553d6f0636fb6b4483432f7cd0c63c1a88eb2 |
C:\LabZ3Y\optixsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 55587261ececdd9c07d831582f9bbaea |
| SHA1 | da32e0233ebca29f26d1a2fa771731e07d25e813 |
| SHA256 | 8ef2c7740c810abdaf554d43af08ad83b0ecee122580fc787b00c7b25eacbd36 |
| SHA512 | f93bb69739f58c01e41600266c744dbde51a770a9d5e43dd7b2f24dd6009faff38f8e838f76206b2ee502e8b78d60b103b5ac2ec5e2c24762d42aa6912cc6d41 |