Analysis Overview
SHA256
1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98
Threat Level: Shows suspicious behavior
Verdict for 1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98: shows suspicious behavior. No malware-family signature is listed; the rating rests on the persistence, dropped-executable and process-manipulation behaviors summarized below.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, T1547.001)
Adds Run key to start application (T1547.001)
Unsigned PE
System Location Discovery: System Language Discovery (T1614.001)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 20:11
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 20:11
Reported
2024-11-13 20:13
Platform
win7-20240729-en
Max time kernel
149s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | C:\Users\Admin\AppData\Local\Temp\1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| N/A | N/A | C:\IntelprocZV\xoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocZV\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintM7\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocZV\xoptiec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
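The persistence recorded above is the same on both runs: a Run value and a RunOnce value, both named Parametr, pointing at executables under freshly created top-level directories (C:\IntelprocZV, C:\MintM7 here; C:\UserDotX1, C:\LabZBT on Windows 10), plus an .exe dropped into the per-user Startup folder. The following Python is an added example, not part of the sandbox report: a small hunt over Sysmon-style registry-set and file-create events that flags that pattern. The event records, their field names (type, process, target, data) and the benign control entry are constructed for the example; the indicator values are taken from the tables above.

```python
"""Hunt for the persistence pattern recorded in this detonation.

Added example, not part of the sandbox report. The event dicts below are
constructed to resemble Sysmon-style registry-set and file-create events;
the field names (type, process, target, data) are an assumption, not the
sandbox's export format. Indicator values come from the report tables.
"""
import re
from dataclasses import dataclass

# Run / RunOnce value under any hive path, capturing the value name.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# Executable written directly into the per-user Startup folder.
STARTUP_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$",
    re.IGNORECASE,
)
# <drive>:\<one directory>\<file>.exe, e.g. C:\IntelprocZV\xoptiec.exe
ROOT_LEVEL_EXE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)
# Root-level directories that legitimately hold autostart executables.
BENIGN_ROOT_DIRS = {"windows", "program files", "program files (x86)", "programdata"}


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    indicator: str


def exe_from_value(data: str) -> str:
    """Extract the executable path from a Run-value string.

    Registry dumps (like the report above) show doubled backslashes and
    surrounding quotes; arguments after the path are dropped.
    """
    data = data.replace("\\\\", "\\").strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def check_registry_set(event: dict) -> list:
    findings = []
    m = RUN_KEY_RE.search(event["target"])
    if not m:
        return findings
    exe = exe_from_value(event["data"])
    if m.group("name").lower() == "parametr":
        findings.append(Finding("run_value_named_parametr", event["process"],
                                f"{event['target']} = {exe}"))
    if ROOT_LEVEL_EXE_RE.match(exe) and exe.split("\\")[1].lower() not in BENIGN_ROOT_DIRS:
        findings.append(Finding("run_value_in_new_root_dir", event["process"], exe))
    return findings


def check_file_create(event: dict) -> list:
    if STARTUP_RE.search(event["target"]):
        return [Finding("exe_dropped_in_startup_folder", event["process"], event["target"])]
    return []


def hunt(events) -> list:
    findings = []
    for ev in events:
        if ev["type"] == "RegistrySetValue":
            findings.extend(check_registry_set(ev))
        elif ev["type"] == "FileCreate":
            findings.extend(check_file_create(ev))
    return findings


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe")
HKU = r"\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000"

# Constructed events: indicator values are those from the behavioral1 tables,
# plus one benign control (a Run value pointing into C:\Windows).
EVENTS = [
    {"type": "RegistrySetValue", "process": SAMPLE,
     "target": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "data": r'"C:\\IntelprocZV\\xoptiec.exe"'},
    {"type": "RegistrySetValue", "process": SAMPLE,
     "target": HKU + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "data": r'"C:\\MintM7\\bodxloc.exe"'},
    {"type": "FileCreate", "process": SAMPLE,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"},
    {"type": "RegistrySetValue", "process": r"C:\Windows\explorer.exe",
     "target": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\Notepad",
     "data": r'"C:\\Windows\\notepad.exe" /background'},
]

if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"[{f.rule}] {f.process} -> {f.indicator}")
```

The value-name check is the narrow, sample-specific rule; the root-level-directory check is the one worth keeping as a general detection, since legitimate autostart entries almost never point at a newly created directory directly under the drive root. Run against the four constructed events it yields five findings, and none for the control entry.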
Processes
C:\Users\Admin\AppData\Local\Temp\1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe
"C:\Users\Admin\AppData\Local\Temp\1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
C:\IntelprocZV\xoptiec.exe
C:\IntelprocZV\xoptiec.exe
Network
Files
Paths listed twice below (C:\Users\Admin\253086396416_6.1_Admin.ini and C:\MintM7\bodxloc.exe) carry different hashes for each entry, so each file was written with different contents more than once during the run. The .ini name embeds the OS version (6.1 on the Windows 7 run, 10.0 on the Windows 10 run) and the user name (Admin); the leading 253086396416 is the same on both platforms.
C:\IntelprocZV\xoptiec.exe
| MD5 | afc6e9e67e2c0ee9bdafd320169bbd01 |
| SHA1 | b01ba196499b619a5aa566ae95cd8ea2bf43dc8f |
| SHA256 | fef3c17437a21241fb0f6d93af4ad942ea3a5d3ddfd61eb0bc615a1413b6778d |
| SHA512 | b259450e5bc0a5495ea304bdadd457b1a6803e79714310353eb0ec8221faf1a6c5635e5ff1c5348288a3beb1574bcb4deb6d8e304e15761e758345e0fc36f18f |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 9ce1a4e927e43fc3c509f486a2452889 |
| SHA1 | 03f3e3d6789be4f027f092ea23f4bdd17384f11c |
| SHA256 | 589eb4cc2e39c411a415f619e54078791d405d1f8d73b35d3142c124f4856e2f |
| SHA512 | a813f7f8a142383f0d826e89a0530c92028517691d961fa813c60e5338770ae323662fb6c48b9ba4e306ba16ff116b18ddf1478071c395ffbe2fca8ca972881d |
C:\MintM7\bodxloc.exe
| MD5 | 8915f75343ebf76f45889099de3a956f |
| SHA1 | bc0a5ab8d1618503e4aff46d192831918e6f87da |
| SHA256 | 2fc11407081529204f54d3548c777dd9c2da7312a65e0772c0ebfb9f1ff6ad2f |
| SHA512 | ebae7dd948948ce41b41f5c5849adee2d446b7ec8d100e1bcbd86eb0208b93e9523b6ac8d09ddd2f84b7a582fd5c1397837de4e9a7bbcd732d8796d0f3f68284 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
| MD5 | f41c106dde71e666e4443019bc70b2dc |
| SHA1 | 59ec15e42004025517a3f684e2dc4d444144182a |
| SHA256 | 7758eacd14586ad40943e8058f4b86f22d4843ce1a2898272793d9333061ff42 |
| SHA512 | 8a933d4405197928a099c7db0b9cb09150a68f2b9b806a41f1b52b4e73ac4fac45513aaac9fc46d07acd8c5751f6ef9a802f6b660ecea636163ee13b53839037 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | f4ee47fbb0c12b0829c7a35d5029f774 |
| SHA1 | 2dfdf0c2d8bb0160f62036399396eaceddc0b0ac |
| SHA256 | ded3058e91cf40541546812be10e270bf63d8a17d965325ee226af95a181f47a |
| SHA512 | 58f98eb7861e0bfcb8d5b1e773608343cf62a32ba32d479d1f5323934a94c0850031ce9cd289b6363c99e684da5cb2d786df9f59d42a5f589f08616a99a47367 |
C:\MintM7\bodxloc.exe
| MD5 | d53aa90606c8163a2f41cc99b7e93921 |
| SHA1 | d1a6e6e8b4eae4b92603d53ffd37a0aa989c13b0 |
| SHA256 | f74c2d08bb2ff5f1b1e94d9af917490669f96d2eb2c5ccb8d7ca033771c35dcd |
| SHA512 | 661e9049504528f12d68d8085d38cb9159e13b5c7d1d84da07ea79535bc62d0f6f36a4c3d6a2613648d97f48307d83e98da5267212ddb556d942572c8a461519 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 20:11
Reported
2024-11-13 20:13
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | C:\Users\Admin\AppData\Local\Temp\1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| N/A | N/A | C:\UserDotX1\xoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotX1\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZBT\\optixec.exe" | C:\Users\Admin\AppData\Local\Temp\1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotX1\xoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe
"C:\Users\Admin\AppData\Local\Temp\1a766fc3f6d44af8581aa81fefb941f7c90359dbce17ae6f9f435657fab9da98.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
C:\UserDotX1\xoptiec.exe
C:\UserDotX1\xoptiec.exe
Network
Only reverse-DNS (PTR) queries to 8.8.8.8 were recorded; the table does not attribute them to a process, and no connection to the resolved hosts appears in the capture.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
| MD5 | a6c18a0429c022b001abe9a30e91d826 |
| SHA1 | 496923baf87d7b33dd0b7f6bc3a7d11ea6d14545 |
| SHA256 | b6846b96bd3ad0fbde43c42c34cdb4363fd12a1a737c562d32824152179da0a9 |
| SHA512 | 5dbfa438af4135bac12a6695c9e1cddbe5e4662fe576e4427e75308a0b2d3b1453c7938a076a5e021a7ecd50e0b2e62b1c171aebff6a936989bb7214f3d590e9 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 885a5960605a1d7053c6134191643cfb |
| SHA1 | 569a1be0eda07b3629683be036523a554b7a989d |
| SHA256 | 2fefd288cca9819f6a3f570af80b227b271bcfa50b298e08cf5110a2ca145a0d |
| SHA512 | ed84d15674385bf798199422b3dd7e26c93f87806db9c3b379a64c4c224c84035eb921ab37a6f604d35e5e8acb3038d5c15660dcabeb90b80a720ad9861e69d3 |
C:\UserDotX1\xoptiec.exe
| MD5 | 13913dda2d22ae3855967e28e905dd4e |
| SHA1 | 467910f29dcc8ad22f18f8edc6177e1926fa9b68 |
| SHA256 | 5e913e0a886e3268f247c8f3ddebe7e074bdef466da488775a30eb8bdf233748 |
| SHA512 | 3c1ba249d07fd8f30d6471d7e81e4fadb850b41bcddb38fe2984efc66c051fadb4b5734fa12d8e0af8f9b5d6b7bf85dca9c1ea76378fb6fe61d2baf86b5e9206 |
C:\LabZBT\optixec.exe
| MD5 | 3e90888723ef6453ef311c2cca51961a |
| SHA1 | 934ffcab17d793714237465cd0c7aa54d61b40dc |
| SHA256 | 80c21d1bb45390d3aed6f889b99a12f8c56b791f1b4ec1fa35d0146076b88fab |
| SHA512 | 3c796cc66ec2fe1912c351fc67425497682a3eb39da585ca001bba14791933194d050cee9b80c407f83fc5c386bdc6508bc0dbb198ef16401dca3258ac229e2e |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 794e353a0ccf79f7a8e532fe7eebe60e |
| SHA1 | 260ba0cec60050a56c527c04c7c48e6f0c0fb315 |
| SHA256 | d089546a734f66ab113b0abc42e10f954775722a4b0046d045a812104ed2929d |
| SHA512 | 83c5a06a7117e409533d2e5eadf7d2823884fb34efb2433ced8e33971a4435d4e2af02a7878fe395ac3ec572ea98328bdb8999b61d376b08c530420d5b0c59b7 |
C:\LabZBT\optixec.exe
| MD5 | 432c3b0fedc10012d22702bb73fd808a |
| SHA1 | c31a75b9658ffd6eeda112176cf54bf4c654fbac |
| SHA256 | d5cc060fe7c1019c0c3e627ac5166e0de80ae565c537e988cacabebda5a5c06d |
| SHA512 | 3175929d1fd3b28a809a049e7937f40fb2aec7046b3d08d8b2235b2926808adfce193d45d67654a08a71eb58b67deb4fd162bc76431c634db6e2ee5619da31a6 |