Analysis Overview
SHA256
2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f
Threat Level: Shows suspicious behavior
The file 2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-06 20:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 20:29
Reported
2024-06-06 20:37
Platform
win7-20240221-en
Max time kernel
150s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | C:\Users\Admin\AppData\Local\Temp\2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| N/A | N/A | C:\FilesHE\xdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesHE\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZSD\\dobxsys.exe" | C:\Users\Admin\AppData\Local\Temp\2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe
"C:\Users\Admin\AppData\Local\Temp\2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
C:\FilesHE\xdobsys.exe
C:\FilesHE\xdobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
| MD5 | 25636731376fccc8b8992e8215b9c823 |
| SHA1 | e12812761938ebe1ba7db6f3b3f138f969df92f7 |
| SHA256 | 74c9de95453d374e0701e07c6a396ce4f89174d1046c90104fa51e9181721b44 |
| SHA512 | 2f5095cc121fb1b71d9102bdb177443f4067ec7d9b9de865387c388e87db1b6efbbf362302567142389bf9c530b7856366f4d176698b7c8ea05f971216de415d |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 0e0023155685f24775b075491b8a142c |
| SHA1 | 0c504c627013fdbb406bb9b3900cd580aa7282f4 |
| SHA256 | 884f606c8d089a07250b090097eaa195d77ae286a8a28192cc2edb85e7338dd1 |
| SHA512 | 860740fb9d0d61f4690f77fbadf15b880000a6ab721c6ea07d6533cb2003c6bc5501deb4ddfa41b92a7a281b9b4651a401db6905226e65e7544f6dc69e2ff845 |
C:\FilesHE\xdobsys.exe
| MD5 | 3cf2aa331d966bbc7e900a4aa0da4eb5 |
| SHA1 | 6060ff46a29f94679c9debc34ba57c1ffb347f8e |
| SHA256 | c4eafbe13ffded41e79dc520f215d130a610b1315d055f9d9695c08cb2a01344 |
| SHA512 | a994f99e3e879769a681263828cc20061448aec55f44774f94090b0c633644addf83f1c5737dfa3e39b2b00b542e82332d71b218064c388803d354ce799b0c10 |
C:\LabZSD\dobxsys.exe
| MD5 | 3ab20eb04bf117d293b2b173b46cf421 |
| SHA1 | 13a279dd3a6f32f3748559331aad834ea5833d29 |
| SHA256 | c7cd79839d9d579fad658ed96ef2ed26c8ead00bdb5c12a0fa1568500e283c99 |
| SHA512 | a234a14e4fa93d8e22d21f967213edd4ab658e0dc58041ac8221bbbc47e621c1a8714916598f1a160b565b12644c3b94dc4a775a53d30a4b1280c8504785ce4a |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | c73491ecb6955ef78e3649e30046eee7 |
| SHA1 | abd61f8cec8deba33164bd7250e21f2b11d2b991 |
| SHA256 | c95fe04a2d15fd3b6620f720a2c51cb3a4114372c933921dcedf3915c8f94dc6 |
| SHA512 | b2056c7c8a37c9d9aafe0767fe7cd0def0ec7a1164ea60a5c11dcf8b3fba40251e71374353d8638f00c404b97ab989108b3b87c629a1355f2b820e5945ee7980 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-06 20:29
Reported
2024-06-06 20:36
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | C:\Users\Admin\AppData\Local\Temp\2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| N/A | N/A | C:\FilesDF\devbodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesDF\\devbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBT1\\optixec.exe" | C:\Users\Admin\AppData\Local\Temp\2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe
"C:\Users\Admin\AppData\Local\Temp\2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
C:\FilesDF\devbodsys.exe
C:\FilesDF\devbodsys.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
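The Network table for behavioral2 contains only reverse-DNS (PTR) queries sent to 8.8.8.8. Because an in-addr.arpa name lists the octets in reverse order, the address actually being asked about is not obvious at a glance. The Python helper below is an added example, not part of the original report, that decodes the ten names above back to the addresses they query and flags whether each is publicly routable. It uses only the standard library. The report does not attribute these lookups to a specific process, so compare them against a clean detonation of the same image before treating any of them as an indicator.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# PTR query names copied from the report's Network table (behavioral2).
# The first entry is a lookup of the resolver's own address.
PTR_NAMES = [
    "8.8.8.8.in-addr.arpa",
    "209.205.72.20.in-addr.arpa",
    "81.144.22.2.in-addr.arpa",
    "217.106.137.52.in-addr.arpa",
    "149.220.183.52.in-addr.arpa",
    "50.23.12.20.in-addr.arpa",
    "198.187.3.20.in-addr.arpa",
    "172.210.232.199.in-addr.arpa",
    "240.221.184.93.in-addr.arpa",
    "23.236.111.52.in-addr.arpa",
]

# Exactly four decimal labels followed by the IPv4 reverse zone; a trailing dot
# (fully qualified form) is tolerated.
_PTR_RE = re.compile(
    r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$",
    re.IGNORECASE,
)


def ptr_name_to_ip(name: str) -> Optional[str]:
    """Decode an IPv4 in-addr.arpa name to the address it asks about.

    '209.205.72.20.in-addr.arpa' is a lookup for 20.72.205.209. Returns None
    for names that are not well-formed IPv4 PTR names (wrong suffix, wrong
    label count, or an octet above 255).
    """
    m = _PTR_RE.match(name.strip())
    if not m:
        return None
    candidate = ".".join(m.groups()[::-1])  # reverse the octet order
    try:
        return str(ipaddress.IPv4Address(candidate))  # rejects octets > 255
    except ipaddress.AddressValueError:
        return None


def decode_ptr_names(names: List[str]) -> List[Tuple[str, str, bool]]:
    """Map each PTR name to (name, address, is_global), skipping malformed ones.

    is_global is True for routable public addresses, so any lookup of a
    private or reserved range stands out in the output.
    """
    decoded = []
    for n in names:
        ip = ptr_name_to_ip(n)
        if ip is None:
            continue
        decoded.append((n, ip, ipaddress.IPv4Address(ip).is_global))
    return decoded


if __name__ == "__main__":
    for name, ip, is_global in decode_ptr_names(PTR_NAMES):
        print(f"{name:32s} -> {ip:16s} global={is_global}")
```

Run it as a script to print the decoded list; `ptr_name_to_ip` returns `None` rather than raising on a name that is not a PTR query, so it can be applied to a mixed DNS log without filtering first.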
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
| MD5 | f226324fef5c8a829e14c9190ee5925a |
| SHA1 | 6fb65aec2773479b7c53956c072a791d648a770c |
| SHA256 | aa6ae7c96b8893a0c5bc7b8557ea1a3262d6ec6cbb7fe1049bc7a7bb19e09661 |
| SHA512 | 6538e42b761bde05883732f4f4f706bc3275a4d7bc3b72a68feaf5614fcc56f533adbac2c8bf4b5a0790beb7c4315a8fb0cd95fb85e7a6135eb3c2e2ecf59644 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
| MD5 | fa276c3d1d5ac43b61751c9099104d23 |
| SHA1 | ce5a9d4d236fcf4e932d69470d1c95bbf1bcfc05 |
| SHA256 | f26a82fa9cb5762be9dd7d6cfad70e2ad63ae0cc3162eb4661356ad414463849 |
| SHA512 | 22525f0452338af3505679cbc5aa23e1d5c929aa5fd0f4ffcc869e8818b74d2326d1405121b9b35ce6adbb367df849e194c7e14cc04b94ddf56ebcc2be8c98a2 |
C:\FilesDF\devbodsys.exe
| MD5 | 34bd8ff991b1427aa83cc59b77d0487f |
| SHA1 | 1775fb0e77f2b1b201917c49e409123372df9167 |
| SHA256 | 8403bbb0bac4da664de516bbb70dba1484985a13d35a0b02c2b798b94ccd1eec |
| SHA512 | 5ad1d34933d6a9cead5a8c6dade3c65e64d2de098018614533d08a57b36f862dedf6faf5cdbf1678c96c8a779ddd2da5af6f25798fda1194686676872e35721e |
C:\FilesDF\devbodsys.exe
| MD5 | 61205a52d1fb2275d3f613443da4ed2a |
| SHA1 | b6a4f3195351894f640735d0747f69001cc78020 |
| SHA256 | c0dea8a712ac781bdbeadb7f0aa55d69fb7356f72e91e6437a618c940e70580f |
| SHA512 | 231a7f118e5f500be9f42d0aae8c695b8fe6f66c9716c77f19cf2f20c55d14ecba65fa96503e6321378841a5a3dc86dd4683247c189df7bf45c02934a3db09f2 |
C:\KaVBT1\optixec.exe
| MD5 | 4a1954c42e46fcbf028a233566c49b48 |
| SHA1 | 922ef9f8c6ec04beb20197d07fba488824282fdf |
| SHA256 | 1f076754fd46cca75df8075712d1e3b6b29e5d1839d34a86ef0e69051e8bdafc |
| SHA512 | 69e456380f64b9b3c4a06fc41900b2b041ba898a747f88ffaa0388fb5a3a6402eb3745505837451dc69bc490311098c8e08bdb534e76ef74596f3de17a73a057 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 7085bbdbc603720c906d00421dccc9ba |
| SHA1 | 5bce15027fd96422971c7ad6ee9336ceaf6e7d38 |
| SHA256 | d1d37ca20167d2ac77c888dedc9e9fbd8eae286b8556b63c73e21cb7287e5000 |
| SHA512 | 1dac416c542f73e95946bbd8cb90abb0cbdefd0f26cb0fe5df2571c76164c13e28227bc86048610a3356b44a8fb4f677a9b961fec0f907e13cabce1278ae1620 |
C:\FilesDF\devbodsys.exe
| MD5 | a56fae15a80787a59c9bedf0106062cc |
| SHA1 | bbdd030ffa6b1dfbda5043b91c6c830234920d11 |
| SHA256 | 1c2fee2f7e854c3626515734dd151bad7ba8ed6f41f80ddf163ef7f879061a04 |
| SHA512 | a75b176e5c66bfb5750cf74c1303bb1f1e4fbfb8c03206aa2d9c92defc7ea12d3f83e6ca1c4dc52fae15bf7d1b0fa7ea4b2f79399783d136f52c750cc8a8e568 |
C:\KaVBT1\optixec.exe
| MD5 | a778504b8233a4b8ea8eb044d4df2fda |
| SHA1 | 6334e92e24c34f04c82a3f267e48475c0ce56126 |
| SHA256 | 44b912a70ebc6be994e4cdbfc57c7ee19280dd8572279999b308ea1e9c3f8276 |
| SHA512 | 0f1b70794b94df3e7c8e1e653809b9f38c0db4d6bb5cc4d0433d91c1f26640633490f7a6e1b735e637bde5dd47374b8aaf070b0b3601c63db8dbd8b25a023e68 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | b123e6132ea5745d9059626c6b00ba09 |
| SHA1 | 4d2b7adb6236521efed53b4aa9f8288790fc785a |
| SHA256 | 8aaae82b17f930d33426ed5b5f8e82557a3a0587a8b0c0e47aa98e28eab070a4 |
| SHA512 | 398ac883e90d176ef67defa2609bb7fb205b11c6c6a9d079ff49d27aaed341342b9ffa9bb622a5a7826a1ba675b192dbffddf70f8ad3da3e0f5439c6eb8746d5 |
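Both detonations persist the same way: an executable is dropped into the user's Startup folder, and Run and RunOnce values named Parametr are written under the user's hive, pointing at a second-stage copy in a top-level directory (C:\FilesHE and C:\LabZSD on Windows 7, C:\FilesDF and C:\KaVBT1 on Windows 10). The directory and file names differ between the two runs, while the value name and the Startup-folder drop do not, so a hunt should key on the latter and treat the paths as secondary. The script below is an added example, not part of the report, that turns these observations into a matcher over Sysmon-style events (EventID 13 registry value set, 11 file create, 1 process create). The event lines are constructed for the example; the value name, Startup-folder suffix and SHA256 values come from the tables above (a subset of the hashes in the Files sections). Sysmon writes registry paths as HKU\<SID>\..., whereas the report shows \REGISTRY\USER\<SID>\..., so the matcher compares only the key suffix and matches both forms. Field names follow Sysmon's conventions and are an assumption about your log schema.

```python
import json
from typing import Dict, List, Optional

# Indicators taken from the report. The Run/RunOnce value name is identical in
# both detonations; dropped file names and top-level directories differ, so the
# matcher keys on the value name and the Startup folder rather than on them.
RUN_VALUE_NAME = "parametr"
RUN_KEY_SUFFIXES = (
    "\\software\\microsoft\\windows\\currentversion\\run",
    "\\software\\microsoft\\windows\\currentversion\\runonce",
)
STARTUP_DIR_SUFFIX = "\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup"
# Subset of the SHA256 values from the Files sections (first hash listed per file).
DROPPED_SHA256 = {
    "74c9de95453d374e0701e07c6a396ce4f89174d1046c90104fa51e9181721b44": "sysdevopti.exe (behavioral1)",
    "c4eafbe13ffded41e79dc520f215d130a610b1315d055f9d9695c08cb2a01344": "xdobsys.exe (behavioral1)",
    "aa6ae7c96b8893a0c5bc7b8557ea1a3262d6ec6cbb7fe1049bc7a7bb19e09661": "sysadob.exe (behavioral2)",
    "8403bbb0bac4da664de516bbb70dba1484985a13d35a0b02c2b798b94ccd1eec": "devbodsys.exe (behavioral2)",
}

# Constructed Sysmon-style events for this example (JSON lines, not report data).
# Field names (EventID, Image, TargetObject, Details, TargetFilename, Hashes)
# follow Sysmon's naming; Sysmon emits hash values in upper case.
SAMPLE_EVENTS_JSONL = r"""
{"EventID": 13, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe", "TargetObject": "HKU\\S-1-5-21-1298544033-3225604241-2703760938-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Parametr", "Details": "C:\\FilesHE\\xdobsys.exe"}
{"EventID": 13, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe", "TargetObject": "HKU\\S-1-5-21-1298544033-3225604241-2703760938-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Parametr", "Details": "C:\\LabZSD\\dobxsys.exe"}
{"EventID": 13, "Image": "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", "TargetObject": "HKU\\S-1-5-21-1298544033-3225604241-2703760938-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "Details": "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"}
{"EventID": 11, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\2a5f41fdea12b930af2eafdd9f20ff56b15423f77e0a2f02145856dbef7b003f.exe", "TargetFilename": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\sysdevopti.exe"}
{"EventID": 11, "Image": "C:\\Windows\\System32\\notepad.exe", "TargetFilename": "C:\\Users\\Admin\\Documents\\notes.txt"}
{"EventID": 1, "Image": "C:\\FilesHE\\xdobsys.exe", "Hashes": "MD5=3CF2AA331D966BBC7E900A4AA0DA4EB5,SHA256=C4EAFBE13FFDED41E79DC520F215D130A610B1315D055F9D9695C08CB2A01344"}
{"EventID": 1, "Image": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\sysdevopti.exe", "Hashes": "MD5=25636731376FCCC8B8992E8215B9C823"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000"}
"""


def _sha256_from_hashes(field: str) -> Optional[str]:
    """Pull the SHA256 out of a Sysmon 'ALG=hex,ALG=hex' Hashes field."""
    for part in field.split(","):
        alg, _, value = part.partition("=")
        if alg.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def match_event(ev: Dict) -> Optional[Dict]:
    """Return a hit (signature name, indicator, process) or None for one event."""
    eid = ev.get("EventID")
    image = ev.get("Image", "")
    if eid == 13:
        key, _, value = ev.get("TargetObject", "").lower().rpartition("\\")
        # Suffix match ignores the hive prefix, so HKU\<SID>\... and
        # \REGISTRY\USER\<SID>\... both match.
        if value == RUN_VALUE_NAME and key.endswith(RUN_KEY_SUFFIXES):
            return {"signature": "Adds Run key to start application",
                    "indicator": ev["TargetObject"], "process": image}
    elif eid == 11:
        directory, _, name = ev.get("TargetFilename", "").lower().rpartition("\\")
        if directory.endswith(STARTUP_DIR_SUFFIX) and name.endswith(".exe"):
            return {"signature": "Drops startup file",
                    "indicator": ev["TargetFilename"], "process": image}
    elif eid == 1:
        sha = _sha256_from_hashes(ev.get("Hashes", ""))
        if sha in DROPPED_SHA256:
            return {"signature": "Executes dropped EXE",
                    "indicator": f"{sha} = {DROPPED_SHA256[sha]}", "process": image}
        directory, _, _ = image.lower().rpartition("\\")
        if directory.endswith(STARTUP_DIR_SUFFIX):
            return {"signature": "Executes dropped EXE",
                    "indicator": "image runs from the Startup folder", "process": image}
    return None


def hunt(jsonl: str) -> List[Dict]:
    """Run match_event over a JSON-lines export and collect the hits in order."""
    hits = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        hit = match_event(json.loads(line))
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS_JSONL):
        print(f"{h['signature']:36s} {h['process']}\n    {h['indicator']}")
```

Two of the constructed events are deliberately benign (a OneDrive Run value and a document write) to show that the matcher keys on the Parametr value name and the Startup folder, not on Run-key writes or file creates in general. The process-create branch prefers a hash match and falls back to the Startup-folder location, so a renamed or re-built drop without a known hash still surfaces.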