Analysis Overview
SHA256
424f7269c6731e321a81ab00fb31b24b66a6ee2ebaf78c6b2cfd294617c9f02d
Threat Level: Shows suspicious behavior
The file 424f7269c6731e321a81ab00fb31b24b66a6ee2ebaf78c6b2cfd294617c9f02d.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 20:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 20:10
Reported
2024-11-13 20:12
Platform
win7-20240903-en
Max time kernel
119s
Max time network
21s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | C:\Users\Admin\AppData\Local\Temp\424f7269c6731e321a81ab00fb31b24b66a6ee2ebaf78c6b2cfd294617c9f02d.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| N/A | N/A | C:\UserDot1Q\xoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\424f7269c6731e321a81ab00fb31b24b66a6ee2ebaf78c6b2cfd294617c9f02d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\424f7269c6731e321a81ab00fb31b24b66a6ee2ebaf78c6b2cfd294617c9f02d.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot1Q\\xoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\424f7269c6731e321a81ab00fb31b24b66a6ee2ebaf78c6b2cfd294617c9f02d.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBAD\\optixec.exe" | C:\Users\Admin\AppData\Local\Temp\424f7269c6731e321a81ab00fb31b24b66a6ee2ebaf78c6b2cfd294617c9f02d.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\424f7269c6731e321a81ab00fb31b24b66a6ee2ebaf78c6b2cfd294617c9f02d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDot1Q\xoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\424f7269c6731e321a81ab00fb31b24b66a6ee2ebaf78c6b2cfd294617c9f02d.exe
"C:\Users\Admin\AppData\Local\Temp\424f7269c6731e321a81ab00fb31b24b66a6ee2ebaf78c6b2cfd294617c9f02d.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
C:\UserDot1Q\xoptisys.exe
C:\UserDot1Q\xoptisys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\UserDot1Q\xoptisys.exe
C:\KaVBAD\optixec.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\KaVBAD\optixec.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 20:10
Reported
2024-11-13 20:12
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | C:\Users\Admin\AppData\Local\Temp\424f7269c6731e321a81ab00fb31b24b66a6ee2ebaf78c6b2cfd294617c9f02d.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| N/A | N/A | C:\SysDrvPF\aoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvPF\\aoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\424f7269c6731e321a81ab00fb31b24b66a6ee2ebaf78c6b2cfd294617c9f02d.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintKX\\dobaec.exe" | C:\Users\Admin\AppData\Local\Temp\424f7269c6731e321a81ab00fb31b24b66a6ee2ebaf78c6b2cfd294617c9f02d.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\424f7269c6731e321a81ab00fb31b24b66a6ee2ebaf78c6b2cfd294617c9f02d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvPF\aoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\424f7269c6731e321a81ab00fb31b24b66a6ee2ebaf78c6b2cfd294617c9f02d.exe
"C:\Users\Admin\AppData\Local\Temp\424f7269c6731e321a81ab00fb31b24b66a6ee2ebaf78c6b2cfd294617c9f02d.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
C:\SysDrvPF\aoptiec.exe
C:\SysDrvPF\aoptiec.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\SysDrvPF\aoptiec.exe
C:\MintKX\dobaec.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\MintKX\dobaec.exe