Analysis Overview
SHA256
e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3
Threat Level: Shows suspicious behavior
The file e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 19:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 19:47
Reported
2024-11-13 19:49
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | C:\Users\Admin\AppData\Local\Temp\e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| N/A | N/A | C:\FilesF8\devoptiloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesF8\\devoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidAW\\dobasys.exe" | C:\Users\Admin\AppData\Local\Temp\e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesF8\devoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe
"C:\Users\Admin\AppData\Local\Temp\e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
C:\FilesF8\devoptiloc.exe
C:\FilesF8\devoptiloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
| MD5 | a0bd2b11ad5837f00336cc483da04ffd |
| SHA1 | 840d7b01bc8add794ac0cad2ecd45718a9fd80e4 |
| SHA256 | 6e74992ac1d5189304c9f45c802d5aeb3b77390a14f85b0328953a052cbdedfa |
| SHA512 | 2035d5feae8300a3ba3a095a6759205921a9a79bc1d0b9db24146eb1f6f3d459669d2dc140d7b00a9f62001e5c488e7294469119eae24ddf0e5c71634d13aa5f |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 5149113981a84cccf739780fbc7ab915 |
| SHA1 | 992410c85c6bcc6eae5e2658add46c2bb3b23144 |
| SHA256 | 01c83c5fbd1b37839d43673a5716624c4ed3193388f99e994a3e19b22ce5f0e7 |
| SHA512 | c13b7c130ef927988dec78352e6e9c881fcd68a6ce8528baeb45daa373572d0e02ff465c0ed33b1d6618a3f58fc90a35d118567309c3ec7d825fa6f7d86637da |
C:\FilesF8\devoptiloc.exe
| MD5 | 01f6dc0fd9cfee905a32ec0e44bfe379 |
| SHA1 | 2a33f473c66ee923ce130aba95e74f635016a872 |
| SHA256 | f532cec752aeccfd65f117dd447738b6d5ca1b7b44088b27d31d96c3fcbac8a5 |
| SHA512 | 4810e2dee24a3229d45b398741546330551eb3bd7104f7b9dc0f9a76184d45b412225b42ac01f7d1dfe32cb7038c3cc30d6ba3dbb499b46152a36f27515ef90d |
C:\VidAW\dobasys.exe
| MD5 | 58a803e8ee25d86137c60e71f80fbb53 |
| SHA1 | 4365b5c522aa4b281e5611abe0d712985fde719d |
| SHA256 | 368270304e32ca969a88d37bf2aa623813a2d0bdf8a0f119b5f68c7178c615b4 |
| SHA512 | 67548101cbdff9dd6201b1ccc46deb741aed61a2d5a0eba78b361d747750246d80cf47e5dc52afcbd95cc01e933953c3af0008776fc498affae3bc456bfb851b |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 014be6684566d99f33abf37c21eda6ec |
| SHA1 | 73883dff98bba10219e219825ff3e54b0d501033 |
| SHA256 | e7bbc710f1778907287e388c326a186eb03e0fe20fd85771c819f8a415d55f46 |
| SHA512 | 8cda271fce4d092e44e0e0a9f9601e0c5afffd6aaca7340082ac5eff51daa3b9696aa7ead7b5cc47df4646b1bf8f5408990c7b4b401daf97494fe9141d1b08e0 |
C:\VidAW\dobasys.exe
| MD5 | a1178e5830ce897a1737c045adf6a5f2 |
| SHA1 | 824d26b4bda523a5c7970665896686f8c5e015a9 |
| SHA256 | 999e1089472ee5ace3170b8a97581b492244cf84c856c52ebcadf235dbc3e572 |
| SHA512 | 41e9aa4d80bf17d275aef747c5dec58b47fca8cc34915c8027c575049d4a9d0aa2e4ecb69cfd48f7420e77b303520083b2c6bf1e3b852793289a6b61c9a7cfdd |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 19:47
Reported
2024-11-13 19:49
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | C:\Users\Admin\AppData\Local\Temp\e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| N/A | N/A | C:\FilesR3\xoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid0G\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesR3\\xoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesR3\xoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe
"C:\Users\Admin\AppData\Local\Temp\e9cfcf0a25b635a27a3fcb4c3dfb031a706c0d7a2fd16f01c5cce8e57f58ecb3.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
C:\FilesR3\xoptiloc.exe
C:\FilesR3\xoptiloc.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
| MD5 | aa5957fd4dda14be6cd7279cdefb49c6 |
| SHA1 | 6b042eb4072db2e6d92bbfbcd51cd775684b1e1b |
| SHA256 | fd563068e0cf2122dadc65b8950670c9852a1bf8b40dadefe59055c128ff7fcd |
| SHA512 | dd69b273bba57b26419de8d7ad92040d98703dfad8560e204ccff1963634ec4f889b205392e519c429c3dd5cf681cd2a08c90bcf5a066c155783eafba7b038a8 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | c23d1d86c248b156c55e54b4a49c6542 |
| SHA1 | 2d451ba9173c1f14512a11a8394f5f6e51227b7e |
| SHA256 | e81a48de77590d17a5947d010ecc8c620f5fad1f67cd108c4b6ee70a9e1dfba3 |
| SHA512 | ac29886624b6603dd91035533a4e89c71cb5d53f8f9c1401556c8deb6e4c9bb4320678d2e7011013c1fc312a8bcc177cbd01d287f79ba2c8019f85f32388baf6 |
C:\FilesR3\xoptiloc.exe
| MD5 | 94a84a81c40233294670e3c044c0ddcc |
| SHA1 | f5a63a5f262db4c9b8ecb807692cd43b9e5ea37f |
| SHA256 | 6a5defae2c43fe2c60dbe9e108287030ab99947c84eab6569e62566df237d4da |
| SHA512 | f39367e868049f5796be8459ce945691bdb92425b1657ce62aeece013b72a456aeab9d20c206e12b32ffcceefafc3bda6ac28e027846bf23bac7281306691974 |
C:\Vid0G\dobdevec.exe
| MD5 | 38c6cf3246405b92f7770b7dafb3884f |
| SHA1 | ff31db2aeb9315c12ba5cea0e95fda8006295f80 |
| SHA256 | 79803192c0668caa114f969bbfaba0c73a69276220f6f869897b8d610e2b3170 |
| SHA512 | 6c183541b7b4ca410a706d518254e0b333b326fcf9b30bf0e2334e5cc9650f9908a97fc5d1777734a4929dca60365a3ae70a1f64433b7453bbd368704f0c4b85 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 4a5b362dd82ef873942d5aee8c5caea6 |
| SHA1 | e7dbf040b93fab5916aeec0ee4c64b40d72958b9 |
| SHA256 | 925dd931721c6c457303638389d2ac7baac9d8ae8ac137fbd38c7259200c490d |
| SHA512 | 4dfee0637832e32ef8dd87f81f401d580781fc382c03cbfb1b47745138648564cf869ce5db2238f9fbfdf3ccba9201e3b3150064971fff65aafe3a0b83a31c79 |
C:\Vid0G\dobdevec.exe
| MD5 | 0dec7b60fe94670c6083b86b6412b7ee |
| SHA1 | 9b866a5fd59efabae794f91f359590f3c83b5299 |
| SHA256 | e885c5c011a2360ec7cc53457989e358d09233e0a9a6f7fbb1d5687f157e5dac |
| SHA512 | 49b93d3737afde7c66a9ded421bcb7a849f572ee984a450637515c4aa843afa996bd65bcdb5ad99f8622e9761f1a5ea4e60f8bd959c2360e3db94c77c4f36026 |