Analysis Overview
SHA256: b4cba5e9d7c943d4aed8a05c7ac267a38c16734d264ba908bbb3b13d96541580
Threat Level: Shows suspicious behavior
The file b4cba5e9d7c943d4aed8a05c7ac267a38c16734d264ba908bbb3b13d96541580.exe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-13 20:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-13 20:12
Reported: 2024-11-13 20:14
Platform: win7-20240903-en
Max time kernel: 119s
Max time network: 119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\b4cba5e9d7c943d4aed8a05c7ac267a38c16734d264ba908bbb3b13d96541580.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\IntelprocTR\xdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b4cba5e9d7c943d4aed8a05c7ac267a38c16734d264ba908bbb3b13d96541580.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b4cba5e9d7c943d4aed8a05c7ac267a38c16734d264ba908bbb3b13d96541580.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocTR\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\b4cba5e9d7c943d4aed8a05c7ac267a38c16734d264ba908bbb3b13d96541580.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZPY\\optidevec.exe" | C:\Users\Admin\AppData\Local\Temp\b4cba5e9d7c943d4aed8a05c7ac267a38c16734d264ba908bbb3b13d96541580.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocTR\xdobsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b4cba5e9d7c943d4aed8a05c7ac267a38c16734d264ba908bbb3b13d96541580.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b4cba5e9d7c943d4aed8a05c7ac267a38c16734d264ba908bbb3b13d96541580.exe
"C:\Users\Admin\AppData\Local\Temp\b4cba5e9d7c943d4aed8a05c7ac267a38c16734d264ba908bbb3b13d96541580.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
C:\IntelprocTR\xdobsys.exe
C:\IntelprocTR\xdobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\IntelprocTR\xdobsys.exe
C:\LabZPY\optidevec.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\LabZPY\optidevec.exe
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-13 20:12
Reported: 2024-11-13 20:14
Platform: win10v2004-20241007-en
Max time kernel: 120s
Max time network: 97s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | C:\Users\Admin\AppData\Local\Temp\b4cba5e9d7c943d4aed8a05c7ac267a38c16734d264ba908bbb3b13d96541580.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| N/A | N/A | C:\FilesUL\aoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesUL\\aoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\b4cba5e9d7c943d4aed8a05c7ac267a38c16734d264ba908bbb3b13d96541580.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB07\\optixloc.exe" | C:\Users\Admin\AppData\Local\Temp\b4cba5e9d7c943d4aed8a05c7ac267a38c16734d264ba908bbb3b13d96541580.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b4cba5e9d7c943d4aed8a05c7ac267a38c16734d264ba908bbb3b13d96541580.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesUL\aoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b4cba5e9d7c943d4aed8a05c7ac267a38c16734d264ba908bbb3b13d96541580.exe
"C:\Users\Admin\AppData\Local\Temp\b4cba5e9d7c943d4aed8a05c7ac267a38c16734d264ba908bbb3b13d96541580.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
C:\FilesUL\aoptiec.exe
C:\FilesUL\aoptiec.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\FilesUL\aoptiec.exe
C:\FilesUL\aoptiec.exe
C:\KaVB07\optixloc.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\KaVB07\optixloc.exe