Analysis Overview
SHA256
1c12f4d840b9b48b1186f87b6516e1f79cc5e96b5bf8e0588c0360045d2fb1f9
Threat Level: Shows suspicious behavior
The file 1c12f4d840b9b48b1186f87b6516e1f79cc5e96b5bf8e0588c0360045d2fb1f9 was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 20:14
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 20:14
Reported
2024-11-13 20:17
Platform
win7-20241010-en
Max time kernel
148s
Max time network
19s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\1c12f4d840b9b48b1186f87b6516e1f79cc5e96b5bf8e0588c0360045d2fb1f9.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\IntelprocZQ\devoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1c12f4d840b9b48b1186f87b6516e1f79cc5e96b5bf8e0588c0360045d2fb1f9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1c12f4d840b9b48b1186f87b6516e1f79cc5e96b5bf8e0588c0360045d2fb1f9.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocZQ\\devoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\1c12f4d840b9b48b1186f87b6516e1f79cc5e96b5bf8e0588c0360045d2fb1f9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB1W\\optixec.exe" | C:\Users\Admin\AppData\Local\Temp\1c12f4d840b9b48b1186f87b6516e1f79cc5e96b5bf8e0588c0360045d2fb1f9.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1c12f4d840b9b48b1186f87b6516e1f79cc5e96b5bf8e0588c0360045d2fb1f9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocZQ\devoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1c12f4d840b9b48b1186f87b6516e1f79cc5e96b5bf8e0588c0360045d2fb1f9.exe
"C:\Users\Admin\AppData\Local\Temp\1c12f4d840b9b48b1186f87b6516e1f79cc5e96b5bf8e0588c0360045d2fb1f9.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
C:\IntelprocZQ\devoptiec.exe
C:\IntelprocZQ\devoptiec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
| MD5 | 8f1e9de96c1219157e0431d9599ab12a |
| SHA1 | 481ebdae5a19af96444a87d74e6271cf59562e55 |
| SHA256 | 892ff00d904d74e1ce6559490f13f96fa083d47ce4afbf53284280d8e8999aaa |
| SHA512 | e293c839f348a86e0519fc5754392e09975c777b36faa91909ea21a0198dbc4e8cc27b4472fd820ed06257eb2a6f9b8bec4574080bc235ca708476c9195ab338 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | f710e34dd97758bbdce76a2b03d8b7a9 |
| SHA1 | e187da72496cdaa0fab77a8c740126043150d160 |
| SHA256 | fb99c6377723ece8e80323dd8c332cc9bd95f5fbcad79ff942f4d20ae6ff4ca1 |
| SHA512 | dccfb1407a92bb561b7e5b4629e79860cb3070a187d142352f60c3a16d2ffa9849c459746ecf8c4790fb51e4f29dd30143b20555defd81973d48fa9de38a9db0 |
C:\IntelprocZQ\devoptiec.exe
| MD5 | 8bf8c8e540374475e3ff732ac8c095d8 |
| SHA1 | 497718bc3776a43b81ef22f656e6928d3081fd79 |
| SHA256 | 60883b09d984cda9ec2e80cdadada4a829666cf07615e7ecbc5bdbbf36792157 |
| SHA512 | 4602f1cf357f57aaf37a80612795fabe2dc4a922da94f4d940a69a75bdfb95c3e461071bfeef295dffa141162338b4764676b49e111b99e566cd6404bfafa705 |
C:\KaVB1W\optixec.exe
| MD5 | ef3754dfd01bf4b955e522320016c6a8 |
| SHA1 | e290267cdef42c5c4832cae29aa05aa971666ff9 |
| SHA256 | 6a7da90c4051be1a50a8bfbf4e8076a06ff8441bce1668808e3ff9ff27ee77ed |
| SHA512 | 22a75ad862f9f7e65a8cc1902ba4e0d54cdfaeed7e6c2df6831bea889150da7baef20d93a374679f7bb1eeefaa8fbd7577434e2d39d2e3137508ec8582153571 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 8c0fda7c6deb4134d8a0f008f9c66d84 |
| SHA1 | 29659b8d7e7b7f2e2442fd03b43889b7aef7acc1 |
| SHA256 | 7adf01d23a38c06f39bb2ad590895afed4c7eef7484f8a22ec30bf96a20d861b |
| SHA512 | 8cd560c7871ff38cc2ef85aabad779d463d0a1fc6114ac47d7f97e6439cb50e181bc97514e02fdebeea3d33968ffee74c6643c14832d42a65022d6786a25e484 |
C:\KaVB1W\optixec.exe
| MD5 | 9519395de39a83a57618c8c2b18cebad |
| SHA1 | 34f4e343110ea87ec435ccf0bfb328463c60f45e |
| SHA256 | 831a040de2183f32157a7427ac44cd46a14c4ca577e8d2d3b79aae2f439bbeee |
| SHA512 | a2e6721a3881ccffde870a98b6ad0fb09f4f23ef4516387ce4febcf9133be49aa45fa7c4f0bc7329c71db752cb7e49c079f86b025b7666a288fa6ed26efc032c |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 20:14
Reported
2024-11-13 20:17
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | C:\Users\Admin\AppData\Local\Temp\1c12f4d840b9b48b1186f87b6516e1f79cc5e96b5bf8e0588c0360045d2fb1f9.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| N/A | N/A | C:\UserDotGJ\devbodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotGJ\\devbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\1c12f4d840b9b48b1186f87b6516e1f79cc5e96b5bf8e0588c0360045d2fb1f9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZIC\\optixec.exe" | C:\Users\Admin\AppData\Local\Temp\1c12f4d840b9b48b1186f87b6516e1f79cc5e96b5bf8e0588c0360045d2fb1f9.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1c12f4d840b9b48b1186f87b6516e1f79cc5e96b5bf8e0588c0360045d2fb1f9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotGJ\devbodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1c12f4d840b9b48b1186f87b6516e1f79cc5e96b5bf8e0588c0360045d2fb1f9.exe
"C:\Users\Admin\AppData\Local\Temp\1c12f4d840b9b48b1186f87b6516e1f79cc5e96b5bf8e0588c0360045d2fb1f9.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
C:\UserDotGJ\devbodsys.exe
C:\UserDotGJ\devbodsys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
| MD5 | 84ab2679b1da9553e934e211351ae3c9 |
| SHA1 | 7d10d9d7dd582927b94a9acc12d9a80a5312930f |
| SHA256 | 1200dd851566f46690619cccd65e9815fd78ccab207b314b274d5e6783dd6f0a |
| SHA512 | b3bb7d92b5d23baa5b35b742a8c3c86881c29bb7f0be2cb7d6a3ee0d9ad4b2f7a502c3c8e135323006a64d43c94c48205bc465ad426b15d21f1d96f65a1b3ebb |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 36ecb1482118ed347200afdd2c176c82 |
| SHA1 | a258677f646952c46d7b290552dac1136d0b1946 |
| SHA256 | f7a3b9d4173a63a7e3548bbada1f6e0d8ee0d3e854fee081dbe818eca918dbfc |
| SHA512 | b687d0a395a1574a29b59e8440c591cd16b77f002bdec4dc51314a854b9e6c701011cfae149f7203caaf2a6dbaa922cdf0949d549f3a7b6f492ff9bba72af249 |
C:\UserDotGJ\devbodsys.exe
| MD5 | 6eaa0b3e6df5fae1a4830f97554f7216 |
| SHA1 | f803bb3f8edc4df48804f957d7bee5f292a70f05 |
| SHA256 | 1a4680bb649a0c6f4cc027f85764f4248bcebc6c2740a40e9bed87aebcb9b04c |
| SHA512 | 086ebb230b7ad962417a5b5cf39461d7446b0e1a81d386edd481d5b9d781b135c391d21bb8dce696ba77c696428a5ef56a4938510447f32533eb00be9dd494cd |
C:\LabZIC\optixec.exe
| MD5 | 82f4a3df3b0023a10afc05a824e253e3 |
| SHA1 | ac1f5ea0bb724e8454fc771803d7339fb311d5ce |
| SHA256 | 7a48eb63ff6c42d8c25d40189980d2da6c1e983c4b1c3dada5322b54d52a0669 |
| SHA512 | 563c290fee630bda98e7a7d3768f378bdc0d08c6ff0ff58039d2f67db8597c8fa43a0c03192d4f92205f1f2b1af310bf23ef73322a10c43f96ca8b1984788ed9 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | f3ae5e4fa0cbdfe09ac923f774bae350 |
| SHA1 | d5bdc0bbe063ad9158db37179a5a9e26f3252d02 |
| SHA256 | 43dee65e974e0297e409911debabf485fc08abb507ec60e387e2c8c7d7c1fc5e |
| SHA512 | 809a9f0d8ef6a52b8930b50898a01ad2cc6b46da708bec4ecb572e8bd282fdbda426406ccae970fe44f8f1c8f366791a99515a863dec009c883750a46c4784d1 |
C:\LabZIC\optixec.exe
| MD5 | b8e08065f0c3614033929164807a4705 |
| SHA1 | dd151f161b4debfa7b88b58d1e323a342bdc6ded |
| SHA256 | 7564caec69d94c20d4cf4ab6707de7eccfc86fa93a2df26fdea1bdf31314d2dc |
| SHA512 | fa36ae28c6e6473461a5a757b7636313a9bb67fee1053c1e60d607695fa06f8be7d1057d3cf85779aa97da4bf781b8e0b9d0100e3c7205f095afe5838486c308 |