Analysis Overview
SHA256
f672a1c5203b9137cfec8e78ef7297ec97ed8b1bcb09371582248086323d8a6d
Threat Level: Shows suspicious behavior
The file f672a1c5203b9137cfec8e78ef7297ec97ed8b1bcb09371582248086323d8a6d was assessed as: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:37
Reported
2024-06-03 05:40
Platform
win7-20240419-en
Max time kernel
149s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | C:\Users\Admin\AppData\Local\Temp\f672a1c5203b9137cfec8e78ef7297ec97ed8b1bcb09371582248086323d8a6d.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| N/A | N/A | C:\IntelprocPC\devbodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f672a1c5203b9137cfec8e78ef7297ec97ed8b1bcb09371582248086323d8a6d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f672a1c5203b9137cfec8e78ef7297ec97ed8b1bcb09371582248086323d8a6d.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocPC\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\f672a1c5203b9137cfec8e78ef7297ec97ed8b1bcb09371582248086323d8a6d.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZL3\\optidevloc.exe" | C:\Users\Admin\AppData\Local\Temp\f672a1c5203b9137cfec8e78ef7297ec97ed8b1bcb09371582248086323d8a6d.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f672a1c5203b9137cfec8e78ef7297ec97ed8b1bcb09371582248086323d8a6d.exe
"C:\Users\Admin\AppData\Local\Temp\f672a1c5203b9137cfec8e78ef7297ec97ed8b1bcb09371582248086323d8a6d.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
C:\IntelprocPC\devbodec.exe
C:\IntelprocPC\devbodec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
| MD5 | f4119ce62573f7bbcb0c8addcae774e0 |
| SHA1 | 5c44e843da3d4a96889a2a8abdddf46a261883a6 |
| SHA256 | 3dfc0d1fedc84cc95e2ab82faaf29cd5629cd6e257bde6a4e0eca18c418ae827 |
| SHA512 | 02481c55a807729af45ca919fff74558de9c07200a73a9e1b65711d8cd125a7f154852ada64ef799361fccd2132ccc63e1d8917995719d3bbb4be6dedd904a9a |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 731615a8ffefabe1fe4a5cde7a04b729 |
| SHA1 | a6cf7d0517e2e7ecb2dad5673a5edfa7d15aac7b |
| SHA256 | 0082e24907aab61d01028e118116f9ba543a5216cfbd29ff5863d50489ff2ead |
| SHA512 | dddb4dff10558959c0174769ca57d41d2a896f13d8dae79e07afe6c0984df1936340ce39a7363794d28b6dc2a930a7bf2d9dac4a40ea6e212be5a93296e8fd78 |
C:\IntelprocPC\devbodec.exe
| MD5 | db8b90a1e2c680d6b4903dd6a427762b |
| SHA1 | c86f9629fd3e2f7d0b7e60a1a51c9127e6f45180 |
| SHA256 | e6f555a5ab87dbb7cd8e28d0c86e4025337860d3a261fbf08e01855e95d0c63c |
| SHA512 | 451d06cc93032b1beba273789eaad617760ae0daf6e1c44c005857d168bb55b99a0d03385154b78de07083ee91c4da48ac65c92f9fd09e60821a5c95dc18771d |
C:\LabZL3\optidevloc.exe
| MD5 | b61f1c7ad73efe910c92dd7a7c9a7a0e |
| SHA1 | da9ddf3e1877afc7efd9c8d203fc7f7be3458ddd |
| SHA256 | b362504c75e4817110ee35bd9d522710e988aa3feb5cfb08054cbe0cfa6e45f0 |
| SHA512 | 224073e4b1011e45541352166fffbcb47dc06282baa16dc5279ee78e858f642e1495bf79dc1ee547b1db3adc2c1a1fbb08ea75a50ef49d2a238000e931ebc155 |
\IntelprocPC\devbodec.exe
| MD5 | 4c1347ab26ea24322b08b6b85bfe2bbc |
| SHA1 | b11ab69a08d49798e428837af666b3ee52a35b2f |
| SHA256 | 300debed46c8f798b67aa9b0f26f16907873a1105c21a2106e7b95c40ee23155 |
| SHA512 | 54f1663196dd1388d9259848e6ae9ed80800ac99c1445890ca9a54a5c63499e7ed215ecac8910fbccc13c6210619e6bdaf99bf462db6dc2710bb2c0898f114ea |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 672bf2510a2e4fa4267fa8fb0f010fe4 |
| SHA1 | dc0f9af00f2edda6201473d80d5edf271229b553 |
| SHA256 | 6e0dbbcea7b51301b40cc8d7807a6a014235bfffb3669e833e18f71b5bffc269 |
| SHA512 | 9994705291061efe651a68e0441883130a0356fb6493faca98f9feb40b636d226d97ed51ca9a5a3b274a5e2f1d3468e29a7a0a7d4e75b2eeb7f1f70760c01920 |
C:\LabZL3\optidevloc.exe
| MD5 | b85ef880820ad2f02706b10170e533fb |
| SHA1 | 71378239fb161e35c8f79d7a951d7d09d4f45b33 |
| SHA256 | 824b6d312a2dde817fb21948332f4b59c54118a25d0c2deb5bfc92aa1a9daa78 |
| SHA512 | f430b5b60b9ef1cf4efe9787c7b0f161b12f4212956a065e1f0b6a07907600fe307c8323482f6e6d85953fe9576ba09e3b9876d9c27e916f7ee62a9c3665a6d3 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:37
Reported
2024-06-03 05:40
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
100s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | C:\Users\Admin\AppData\Local\Temp\f672a1c5203b9137cfec8e78ef7297ec97ed8b1bcb09371582248086323d8a6d.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| N/A | N/A | C:\SysDrvBU\xbodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvBU\\xbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\f672a1c5203b9137cfec8e78ef7297ec97ed8b1bcb09371582248086323d8a6d.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZL7\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\f672a1c5203b9137cfec8e78ef7297ec97ed8b1bcb09371582248086323d8a6d.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f672a1c5203b9137cfec8e78ef7297ec97ed8b1bcb09371582248086323d8a6d.exe
"C:\Users\Admin\AppData\Local\Temp\f672a1c5203b9137cfec8e78ef7297ec97ed8b1bcb09371582248086323d8a6d.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
C:\SysDrvBU\xbodsys.exe
C:\SysDrvBU\xbodsys.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
| MD5 | 63a53346ade424b350b8a3717b6c5dc2 |
| SHA1 | 3406862b0a70790d24a5e4f7dce43978c801cfc2 |
| SHA256 | 7c4624d694381a6d0fd0adf31d45647ea686b25e6537959040545d8663501144 |
| SHA512 | b29029352250cc559971f6f4405dc905a8a82f15705599e19866f389fdb656178d318bc4c6da42f8a58a83e0641b2f87637bbedbd35b874cb597a5843540781d |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | f8f94075521cd80bcd51f9e46611ffe3 |
| SHA1 | af95178df36995b9869c99ceda32abe44ea2d457 |
| SHA256 | 01c559c4d8fe414161578d72dae07c482464637e6bc651b786cf9a45e7fa17f4 |
| SHA512 | 29782b35c5bda9b14e2ee81dd12536f4119a24f1f71f557591f1f3eba1388d6b8d9b45fafb2291c9352f2ad27325120df249e10fef643ed7751e58c57730d207 |
C:\SysDrvBU\xbodsys.exe
| MD5 | 5fbfb37b60da244c4efb7559d05838c5 |
| SHA1 | 651061a69c867a5af865246e08fb15f480b2eb68 |
| SHA256 | f742fc1f369f1f02f139f5f6e54ab3f8295cf92e596bafec35954a2872211840 |
| SHA512 | e2c035807d6d3f43ed6b52beb29a0f8e1eae1af18ba40687b1a5bdaa974a0963f2f92a5e59ee914ec308a580eb97a13a34a122dab7370c9a801ff649309a9ee2 |
C:\LabZL7\dobdevec.exe
| MD5 | aaedede3a7463fa055564ae81c88e0a8 |
| SHA1 | 556409add98d921214941a55e8b2f3a72bc149a2 |
| SHA256 | 16786a2674e82e8f5c636ba81b790bf38c0ecf0e85bd1b56dd6633f49f014d91 |
| SHA512 | 2ff7b8514fdeef78d38d173341e0a71ec2e50c1e7e0659f584b9c676085f9d31ffb512ef9ee771eb192cff46cddc3c9f1aeb0557bb9c9a6033756ddff51c48e7 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | ce74f1e5a22ea516df4089613662b67b |
| SHA1 | 7024a03246353610ef48f10fe0b0e7952d874dfd |
| SHA256 | be4d5dc07824c8187b05fe0439a27e0025b2d605b7b7a0ba73aa4b1f47f5d3ea |
| SHA512 | 3e0e9edbaa8507aaf610b5b3c5b052ebbc560d9f78e97714c9e618567f7f62fa56c5a795c3c22e0083d2fce20a8dc842fc19cdc6051024bba2e8ecd4c1ef9533 |
C:\LabZL7\dobdevec.exe
| MD5 | 0aa5a815675b6a9a7f0f0b5b21c3abd9 |
| SHA1 | fac6efb6eb6204d09544375f2c35c78819e7b128 |
| SHA256 | d83adab733e1f2267839b343014b77db170fdf18f4bc6e59942a73cb87764917 |
| SHA512 | fb46bcdfae47f4997a0a49b91178add4a2c4ff75fde5f1107dde44d176a2454ffc9a871bcbd60b73eb0a8121e5f7128b51d18241f4be8b0a44a80cb4fa527f49 |