Analysis Overview
SHA256
2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a
Threat Level: Shows suspicious behavior
The file 2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-13 19:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-13 19:54
Reported: 2024-11-13 19:56
Platform: win7-20241010-en
Max time kernel: 119s
Max time network: 19s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | C:\Users\Admin\AppData\Local\Temp\2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| N/A | N/A | C:\SysDrvR0\aoptiloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvR0\\aoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZUC\\optiaec.exe" | C:\Users\Admin\AppData\Local\Temp\2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvR0\aoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a.exe | "C:\Users\Admin\AppData\Local\Temp\2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe" |
| C:\SysDrvR0\aoptiloc.exe | C:\SysDrvR0\aoptiloc.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
| Hash | Value |
|---|---|
| MD5 | 7bfec6ffb4e828c6d6569c5aebe8e051 |
| SHA1 | 42da3e10761bb302f8b37c5fce2a0ca3e020894f |
| SHA256 | fd3d3a0c246e0621cbd3e386a21ebb63c527f4d6bae12a8ff591f05f6af71250 |
| SHA512 | 6d49cff24e3be9f62d1c4f5b5f4ca5e2667aa05e605b911f5c9f76e4a8e43be38dc5f9003166204fab8717689dd21ef75995e8d737ccd96499f21f477ea62870 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 0fd92370e8cab9a507021b5e37a021cf |
| SHA1 | 67f90597dae96199e296c323898352656d832d5b |
| SHA256 | 5eee7510d599d1720bbfd6b4e14584a0506953135d671bbfcad005e727b0e8d3 |
| SHA512 | b326993f773a73c1f72bf54dce3f81cf5cda7795031cfc4d56959a454ad31e25f02c4a9fa37eb34f54143edaf3f5ad7e77bc8cc81c9e643b8325792b553251d3 |
C:\SysDrvR0\aoptiloc.exe
| Hash | Value |
|---|---|
| MD5 | b82cf5ef1a9bb77cd939e5252c8a3927 |
| SHA1 | f6b9c2ef5f4b86c2e375b29e617b8e0491714409 |
| SHA256 | ff5f8b65cbf5f778c46297c1266c73bb54f7fc285a617f3e97c0454b095f5683 |
| SHA512 | 84f120453a349c75a46c77f78325820b23fa9cb54664d2f50da27279b6dea254e224701fe7cc0a3ee44af2bd9cff3df1d7622f91fe76bb3e52ab93d4b36f40ec |
C:\LabZUC\optiaec.exe
| Hash | Value |
|---|---|
| MD5 | ba8d652673efefb2772947175c02ecfb |
| SHA1 | 280235c6483bc25a4bcea7f95f563ba689a5b6ef |
| SHA256 | edee520cd53161b96e1d06d22fd1958fbddcb42cd5f3c867fb34a55e2b9afc1c |
| SHA512 | 19cf3e8771b967670d69fb425bdba24f78bf3688d567af5d77b7e9f102e267cf723d2fd97f17bfb7181175c01489500937caf3f6d6a8c3d855b0c36eef9946fa |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | ad2a637b5cc24f5d8a60e20bf11c50a6 |
| SHA1 | 2a26bd3d15c102b366d1ac46a8f659ed66ff0e54 |
| SHA256 | b3783c7003ae429cbb3d7689f1ab0f37e07b492b06b571120716d9eceec1f40b |
| SHA512 | 4a06a5b897796e75a554b8e17304d18c66010f2a53a80217a38d869172cf0ac842ad8f73375d66dcd643eb7a74d28cb34333c90d9ffa1fabf7b9f738f48da477 |
C:\LabZUC\optiaec.exe
| Hash | Value |
|---|---|
| MD5 | 2c5dbbfd8027436f1c2b0edb423575ef |
| SHA1 | 14a53006f64982c97ceccd79954752e9cb20efa6 |
| SHA256 | 7912213c3308f0ad7b710eccfcf4eb92b066110a272507268584ba8ab124a43a |
| SHA512 | 10a8a473f1032f28bfbc2a3aef752b51ad0274fca9dbc7247875a20d60565af9359815b8a0a8c83e70f329f418b94f3761997a8c1f1b2d2af4047204da431848 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-13 19:54
Reported: 2024-11-13 19:56
Platform: win10v2004-20241007-en
Max time kernel: 119s
Max time network: 95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | C:\Users\Admin\AppData\Local\Temp\2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| N/A | N/A | C:\Adobe4Q\xdobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe4Q\\xdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZHP\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Adobe4Q\xdobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a.exe | "C:\Users\Admin\AppData\Local\Temp\2a673d30e232cb5471e762726c8c16c9e3564821194160731fc6be1136d1bf1a.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe" |
| C:\Adobe4Q\xdobloc.exe | C:\Adobe4Q\xdobloc.exe |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
| Hash | Value |
|---|---|
| MD5 | 8aeaa476dff1b058d2a6f3f82b5423a3 |
| SHA1 | 73962357c1162f68e8481f4e68f078bed751fdaa |
| SHA256 | b7e4e1dfa63a16b372fb313e4415124ac7604be3a0c37e958ce07a6b8865135b |
| SHA512 | be6f3a6d527983510b63b3db3cc08da112179ed2855f66be4fb2a3505ad660bd95f85cf5de4b3c42b83eddfa43ebe25ea1ccebe644353def873f44dba51f967a |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 08b07645d48a0cb700fbf6117f1bb989 |
| SHA1 | b83db46de1dbb4a3ed1d571dc16d84247ea2be17 |
| SHA256 | ba86b4c4e5d4ce05e44354309d1ed31c0ae724682a161856310fb399a20422a4 |
| SHA512 | b014aaedc0444c0b2d13022dcf8881f5042bdda434768a02b6c440472aabac30139642cc50b2a1722b89838de65d88ae710fb8f13ee243c5aec0f128d22dcb62 |
C:\Adobe4Q\xdobloc.exe
| Hash | Value |
|---|---|
| MD5 | 3e5523ab2df6156c90e4f3f0bb84e1c0 |
| SHA1 | 8885021008b119f6a17fc817320fca3bd45ece9c |
| SHA256 | 3027099fb3fae256d1ad8c916b253f88fde3d107057cfa2ac674a595a529e4d8 |
| SHA512 | 3cabb60cc74ee1f7ecb8dc4167965514a4d72dbb5e376385736f6873bd86c5ea9da821fe79d9ae9b41929fa200b0c99652d1a4a1d4b07ca047486fdeb3eb5d81 |
C:\LabZHP\bodaec.exe
| Hash | Value |
|---|---|
| MD5 | 86377bd8c5909830c0e98079420c9876 |
| SHA1 | 83104f268671b4f26978f7cbd4b73e50c8573a3f |
| SHA256 | 4f9fb3eb84276ebd74ee9dceee4402a06e5a9eeb7c40194cd214710fc4e426db |
| SHA512 | 12032b96a1c9cf59eb03af13f6ceebf60f06efd44af1529e0cfbb5de3828adf123cbac551b879229113bf4d3c50fccc27bbef4694ea68d29bcb9f16c2da8a443 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 4b582fbb28a479608e8be68bdec97a7f |
| SHA1 | da116f16c2d24c63be2a0a040444f9ed42115559 |
| SHA256 | f9300a24dacde446f7ea7480be488825d15c1738e4688cc5d3d87a4e5f833356 |
| SHA512 | 5a22815fc448f81285962740cab1ad72e73a9db39ebb1369469fa1214a6df6707c664c21a4d59c50985e12eec59e3d988cd383240915393731648c99616a6129 |
C:\LabZHP\bodaec.exe
| Hash | Value |
|---|---|
| MD5 | b141eb981c5764914cb73b3fbf553710 |
| SHA1 | 8e86a1ae2f0d5ce2ad3f1b1288e4ff99fdda0467 |
| SHA256 | dbfaf9d88416ade5bc02c7cbab360cbecad52705faf5d877d3d9ef52c140fb75 |
| SHA512 | 3b5396b63291a79680e06d1ae531fca59c073a96541e5bb462198ef09af0a8f61d4dffd380ddccfbdd8efdfbea2a0a5de12883fd101ab9b0355b893dd9a6ab17 |