Analysis Overview
SHA256
ca5af6f50665a4c1144ceb697f95cfee6eaf1b03a76f21064c36470003d771d6
Threat Level: Shows suspicious behavior
The file 3a1b6779338a1a4acdbd567bffb8e6d17a963718a9abe755abb0b38d6dc8c063N.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 20:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 20:09
Reported
2024-11-13 20:11
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
98s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\3a1b6779338a1a4acdbd567bffb8e6d17a963718a9abe755abb0b38d6dc8c063N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\UserDotIW\xdobec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZLM\\boddevec.exe" | C:\Users\Admin\AppData\Local\Temp\3a1b6779338a1a4acdbd567bffb8e6d17a963718a9abe755abb0b38d6dc8c063N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotIW\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\3a1b6779338a1a4acdbd567bffb8e6d17a963718a9abe755abb0b38d6dc8c063N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotIW\xdobec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3a1b6779338a1a4acdbd567bffb8e6d17a963718a9abe755abb0b38d6dc8c063N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3a1b6779338a1a4acdbd567bffb8e6d17a963718a9abe755abb0b38d6dc8c063N.exe
"C:\Users\Admin\AppData\Local\Temp\3a1b6779338a1a4acdbd567bffb8e6d17a963718a9abe755abb0b38d6dc8c063N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
C:\UserDotIW\xdobec.exe
C:\UserDotIW\xdobec.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
| MD5 | a376742f860268ba51ae459def55e9dd |
| SHA1 | 71846821276caf2c4727b977b175e6c9171316be |
| SHA256 | 826a5e143e9fb935433bec19f6bf0f0f725616f4970e0f54be027e3bb7bee7e6 |
| SHA512 | 7911d4997c7da40c0c084c11dff54c834d238b1a3c7c533e63952f18bb34ef1619bbd056579be2dbb47905891f201cd0399137aa6a33708e4c586f9181b55c97 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 39f18f5510fb6cfe6d2099195b43436a |
| SHA1 | 4b6c8bc46469c66731d3acd030ead0120659b50a |
| SHA256 | 0a38a41c2661cacfe266bc1f6dc3fdaac1ee6698018420f085c83398ca58822c |
| SHA512 | 1fdfb7f749d0c80989b6abbd5015b70000b5fe29d83cb686b43ada78aa382a23ac4487485f15365249cc6c11888a436bf5e30f476d8a88ee01bdc2da3ac71186 |
C:\UserDotIW\xdobec.exe
| MD5 | e1f8d75f1a41ab978480738be4a27ee1 |
| SHA1 | 6927beeecd4b16dc315811a7bf5407d69a9a6bf0 |
| SHA256 | 0a1d71c370f0cf644bd33af8a409ade1eabdf33175acc0c0295d26942ec45a73 |
| SHA512 | d8932b5dacfbed00215f376f11d2193aeb642a7e670e76b251ed45eb71e10f0c30d1e66e1425d531ed714be52e83e62fe0398c037b8bdb8e542ac1d3736c20ea |
C:\LabZLM\boddevec.exe
| MD5 | edc71393ea857991b959f692211394cc |
| SHA1 | c58739ecd6dbd58b503883e8173da967fe0e3c60 |
| SHA256 | 19bdd01583ea0db1065ee3f9313b1ae83b1d827c27ba191c992bd02802a64cac |
| SHA512 | 8eaf2e70948678238a0f98264d018ff7ce497a0699d92568f6a2220c59a3d56f88b6a4fdc19907e65b033b3aa1fb000823bcf6c899423955dbd5a76445b36de8 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | bc783d705b44889b999137bf5278189e |
| SHA1 | 32f2d83e70c2168d3e9dc72d7ca6b4272ed163f7 |
| SHA256 | 7e56f496b8367e4caa130f842a5c32f361e9a3737057893bab2a9fb4572279b2 |
| SHA512 | 755c5d1ec32f0a7468e33e45f0cbb84417534e66e0663d7a1ce8f8202e32a5630a405514f0c20f0d4f91eb2db2349d0f0fe1b2ed2040b48a5ffae33e2bf500af |
C:\LabZLM\boddevec.exe
| MD5 | b778f2984d61340954f51bd23758bd63 |
| SHA1 | 46ddd67c78e22c022482adcb173afe7c81876387 |
| SHA256 | b2a36646a0220c6892734d66d4e411165f6407f4e9c047278f4d141be7a00722 |
| SHA512 | 2555f289e51e213806faa1544b8dcc2768ac29a5469ef84ad6e240c1ab3130a542f1beed35a7536183c0b020a7ce54b5ccb43a4b641539107235b81bca4537cc |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 20:09
Reported
2024-11-13 20:11
Platform
win7-20241010-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | C:\Users\Admin\AppData\Local\Temp\3a1b6779338a1a4acdbd567bffb8e6d17a963718a9abe755abb0b38d6dc8c063N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| N/A | N/A | C:\SysDrv2J\aoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3a1b6779338a1a4acdbd567bffb8e6d17a963718a9abe755abb0b38d6dc8c063N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3a1b6779338a1a4acdbd567bffb8e6d17a963718a9abe755abb0b38d6dc8c063N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv2J\\aoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\3a1b6779338a1a4acdbd567bffb8e6d17a963718a9abe755abb0b38d6dc8c063N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB1V\\optixec.exe" | C:\Users\Admin\AppData\Local\Temp\3a1b6779338a1a4acdbd567bffb8e6d17a963718a9abe755abb0b38d6dc8c063N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrv2J\aoptisys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3a1b6779338a1a4acdbd567bffb8e6d17a963718a9abe755abb0b38d6dc8c063N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3a1b6779338a1a4acdbd567bffb8e6d17a963718a9abe755abb0b38d6dc8c063N.exe
"C:\Users\Admin\AppData\Local\Temp\3a1b6779338a1a4acdbd567bffb8e6d17a963718a9abe755abb0b38d6dc8c063N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
C:\SysDrv2J\aoptisys.exe
C:\SysDrv2J\aoptisys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
| MD5 | 9c94533ae032fd646311252353c91daa |
| SHA1 | ebf91d45be5a67ffa1903db87dd63a6a92c0034b |
| SHA256 | 566028637531f5310da6438f38f6120553d9f59434867f6fc744550fb6b14b04 |
| SHA512 | 8d15e8a40ffb3b266bc54c61a7922c38824b576065acefb777df35d91a80b77eea604ac39aa8d3a79c5495def79c1cb08abadd92a6a3107d57f527fb02a2691e |
C:\SysDrv2J\aoptisys.exe
| MD5 | 30d227bffd6aebc404e3e74e3510b5b3 |
| SHA1 | 87e089d047f1adc0a2dd7e80f7b42e6eeb723123 |
| SHA256 | 89b702f0e5d209f9c09fd6acf5b97f39816334fb0a1ea83e017135bf17fa2943 |
| SHA512 | 3bbdf6a93a47ce54f2a95bbafb458192aa670b7da4b2566968f2cc5196ff0e44e61469945ded6bbbbb37decfee3a9c868aaafab81e1ce10283384568421fe324 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 1f984fd0a33175ab72dc11e84c15abf7 |
| SHA1 | 7788533226b9d987100bc2801b92ea2347fe6f6d |
| SHA256 | 0eecbe0503b085b1898e3668969eebcdb51232b9f97feafb9425d3ad308e3d6f |
| SHA512 | ea4dcf409ba7a49e1ecea02ba17ca48bdd62b0ae6bc531e2ef95e7db48ff7c6d2a710bd85abfcd0cc63110cffd17bc3bc28dce227ae0120ed221d94448f9b815 |
C:\KaVB1V\optixec.exe
| MD5 | 41a859b522d7396e1ad37d0d1c9dcd3b |
| SHA1 | e9f5fe604ae42bac640b9b7f0b8bfa671be9defc |
| SHA256 | 05027195ccea46753d93e98bdb54b99995b2523b51beb3bfda1aa8e09a1b0d7e |
| SHA512 | 291b3ba14a74f8571bcf9cc964d5bf4fee5d8519333f2662e26e5465f0014e763355cf4b2a12bf88acd871f026b550d49881274626a433d6ec329211e5128ba8 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 09db33ed3167f28ba24747b8a38f3f86 |
| SHA1 | 7f550fbc0c31d015f8249f2dafecf16defa48bcd |
| SHA256 | 32c72b5ec84cab6f074f80769c9979dc20c13e70d4851d152239dffe4e910c80 |
| SHA512 | 13f0a9e96b65c0ddd643a3e7e148ce6e9d3bb490e2e54d4e72641b011166c59db9fa8ef99cda216985de961949038130a5d9d54e2ecde795f7c54f49960a3b5e |
C:\KaVB1V\optixec.exe
| MD5 | 993a5add60c8491dee9679bbbd9c175b |
| SHA1 | 45d2eec8226980602a5b7afd1719390bdc1d615d |
| SHA256 | 898fc8f546838bfc03dde3b5cd7fd990e118be7c4ba3228b13d265c91176a491 |
| SHA512 | 0b758d23aca3df241a38e331bd4c1db1199f7f96362cedddde9503920136786dd45ecdba08b26ca062d5d60d2dec9c4f2e8d275a8953d04b6aeec516a5a8955b |