Analysis Overview
SHA256
f965b28e4fac70faee370fb8172211b9dc9042f23056accd32e9c6f0ffeb99b5
Threat Level: Shows suspicious behavior
Verdict for f965b28e4fac70faee370fb8172211b9dc9042f23056accd32e9c6f0ffeb99b5.exe: shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 20:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 20:12
Reported
2024-11-13 20:14
Platform
win7-20240903-en
Max time kernel
119s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | C:\Users\Admin\AppData\Local\Temp\f965b28e4fac70faee370fb8172211b9dc9042f23056accd32e9c6f0ffeb99b5.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | N/A |
| N/A | N/A | C:\SysDrvIE\xdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f965b28e4fac70faee370fb8172211b9dc9042f23056accd32e9c6f0ffeb99b5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f965b28e4fac70faee370fb8172211b9dc9042f23056accd32e9c6f0ffeb99b5.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB4H\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\f965b28e4fac70faee370fb8172211b9dc9042f23056accd32e9c6f0ffeb99b5.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvIE\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\f965b28e4fac70faee370fb8172211b9dc9042f23056accd32e9c6f0ffeb99b5.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f965b28e4fac70faee370fb8172211b9dc9042f23056accd32e9c6f0ffeb99b5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvIE\xdobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f965b28e4fac70faee370fb8172211b9dc9042f23056accd32e9c6f0ffeb99b5.exe
"C:\Users\Admin\AppData\Local\Temp\f965b28e4fac70faee370fb8172211b9dc9042f23056accd32e9c6f0ffeb99b5.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
C:\SysDrvIE\xdobsys.exe
C:\SysDrvIE\xdobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\SysDrvIE\xdobsys.exe
C:\KaVB4H\optidevsys.exe
\SysDrvIE\xdobsys.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\KaVB4H\optidevsys.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 20:12
Reported
2024-11-13 20:14
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | C:\Users\Admin\AppData\Local\Temp\f965b28e4fac70faee370fb8172211b9dc9042f23056accd32e9c6f0ffeb99b5.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| N/A | N/A | C:\Adobe9Q\xoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe9Q\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\f965b28e4fac70faee370fb8172211b9dc9042f23056accd32e9c6f0ffeb99b5.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint4E\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\f965b28e4fac70faee370fb8172211b9dc9042f23056accd32e9c6f0ffeb99b5.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Adobe9Q\xoptiec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f965b28e4fac70faee370fb8172211b9dc9042f23056accd32e9c6f0ffeb99b5.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f965b28e4fac70faee370fb8172211b9dc9042f23056accd32e9c6f0ffeb99b5.exe
"C:\Users\Admin\AppData\Local\Temp\f965b28e4fac70faee370fb8172211b9dc9042f23056accd32e9c6f0ffeb99b5.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
C:\Adobe9Q\xoptiec.exe
C:\Adobe9Q\xoptiec.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\Adobe9Q\xoptiec.exe
C:\Adobe9Q\xoptiec.exe
C:\Mint4E\bodaec.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\Mint4E\bodaec.exe