Analysis Overview
SHA256
790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77c
Threat Level: Shows suspicious behavior
The file 790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Reported | 2024-11-13 19:44 |
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-11-13 19:44 |
| Reported | 2024-11-13 19:46 |
| Platform | win7-20241010-en |
| Max time kernel | 119s |
| Max time network | 16s |
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | C:\Users\Admin\AppData\Local\Temp\790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| N/A | N/A | C:\SysDrvNQ\devoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvNQ\\devoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZIO\\optialoc.exe" | C:\Users\Admin\AppData\Local\Temp\790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvNQ\devoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe | "C:\Users\Admin\AppData\Local\Temp\790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe" |
| C:\SysDrvNQ\devoptisys.exe | C:\SysDrvNQ\devoptisys.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\SysDrvNQ\devoptisys.exe
C:\LabZIO\optialoc.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-11-13 19:44 |
| Reported | 2024-11-13 19:46 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 119s |
| Max time network | 95s |
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | C:\Users\Admin\AppData\Local\Temp\790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| N/A | N/A | C:\FilesD6\devoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid4V\\optialoc.exe" | C:\Users\Admin\AppData\Local\Temp\790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesD6\\devoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesD6\devoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe | "C:\Users\Admin\AppData\Local\Temp\790f3f1b0e68e1bd8e76bdb6a3c589836c26359f05c09953eae5fbcd754ed77cN.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe" |
| C:\FilesD6\devoptiloc.exe | C:\FilesD6\devoptiloc.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\FilesD6\devoptiloc.exe
C:\Vid4V\optialoc.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\Vid4V\optialoc.exe