Analysis Overview
SHA256
f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ff
Threat Level: Shows suspicious behavior
Verdict for the file f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN: shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Drops startup file
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-25 21:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-25 21:27
Reported
2024-10-25 21:29
Platform
win7-20241010-en
Max time kernel
119s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | C:\Users\Admin\AppData\Local\Temp\f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| N/A | N/A | C:\UserDotYX\devdobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint5X\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotYX\\devdobec.exe" | C:\Users\Admin\AppData\Local\Temp\f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotYX\devdobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe
"C:\Users\Admin\AppData\Local\Temp\f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
C:\UserDotYX\devdobec.exe
C:\UserDotYX\devdobec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
| MD5 | 934574242c25e2446a10cb1d3973e1f7 |
| SHA1 | 696be70b5ec63477fb5b6813e7edb7e380255973 |
| SHA256 | 2261dad52094e7b22e478df5c11b10c3f04ff61feddae9ec7a5884a2d85fa040 |
| SHA512 | ae581e8e86870e23d254b7f259e0bd59831eda2623bbf47349f07823f49acb60c8c33829d29931768d69fc3dfc0cb4e9340fbba94b23c6fa19d92736d868161d |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 229a9aae67ed96bde7b376cbbbcc525e |
| SHA1 | d3c7efed210f6949a1a97b563a30619609d0cef8 |
| SHA256 | d3fe96ce0f141df33a93d89e47d288956276db8ea9fdb10eecf92420327673b0 |
| SHA512 | df4232d9a76aabeab88590d07fc811acf277a7878069ce3fdeaebabc8c8260180f0e4af233606f6289173929e8ded83b1f06030db5c449e8be231930c6d6e8a6 |
C:\UserDotYX\devdobec.exe
| MD5 | 336d95096173c02300720281d64640e3 |
| SHA1 | 9e70cb9ab25606aa5fcaaee6114f449eec88c06f |
| SHA256 | 7921f4d8c826874379eb118dfe2a15c0f594a1d9df994a49663cba7e5c3f9a43 |
| SHA512 | 7daf43d65efb0635d02e369276878b2e0dece49a1b31f0ed3eaf996bde30db91608e8169e4c35a4d202f7364e63b2fc63e32e86f78510ac0d7ad38775aa56048 |
C:\Mint5X\bodxloc.exe
| MD5 | 3c57d65c03c0fad2a857a883ee67ffc6 |
| SHA1 | ecf424d17d54acd81639c58864096264e2711cae |
| SHA256 | d3538bc7be796bb9d59cc378cb3e0340bf7cb814f48524e1222c5a002f690e5c |
| SHA512 | 4997b6e68ed78676587725273624fbc0aff6e7d4bbf964a07340c4866adc70c2a32e6fd29a259bcccb60cc93b0b4f80d092de8b0f953d8d343aadbb51ca18e52 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 44a78171a94eba63e3ea131349b127ff |
| SHA1 | bc7459f15eaa26f9064d70cdede9b18525cb26f8 |
| SHA256 | 26d97b481a3cfeebde363d9227dc31e961240e35ae6f777ba744a3fb292c30d1 |
| SHA512 | bf44304a8eddc33b4f4950682d848c9936efc3483aa1d0d1814a0733e17106a41ced6619df64737e0614f76816352759a3fcfa1f4443c260578d78c9e5302099 |
C:\Mint5X\bodxloc.exe
| MD5 | bd90b6926f8ff2d3bbba1a7c4afaad50 |
| SHA1 | f4b3c2095723c762caf470fbc288336d6061d1a0 |
| SHA256 | 46db6e4659ea7313160d1e0dfca15fbe95c00a84a6b60d8bd78faf0671b5002c |
| SHA512 | c2782b99d280602887e04272a11890a24af9962a05b381e76a4402404c483020e434ceeb07fb01287ff9ac1fc0b6e6d281fbf3dbce1277219bfa33c5f42116f2 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-25 21:27
Reported
2024-10-25 21:29
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | C:\Users\Admin\AppData\Local\Temp\f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| N/A | N/A | C:\SysDrvTL\devoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvTL\\devoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxHV\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvTL\devoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe
"C:\Users\Admin\AppData\Local\Temp\f3583f67d8687f8a0565eae2e32170454b4d10b8c22f3175131e3929dae3d3ffN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
C:\SysDrvTL\devoptiloc.exe
C:\SysDrvTL\devoptiloc.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.108.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.11.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
| MD5 | 6151b63351e789812ebe21ca2083af69 |
| SHA1 | 3cfa92d064c9492ab2c07a09d741b3ad10e2fbd9 |
| SHA256 | e6fda5cf79b9e2a81767584668eee0afb8ce65b5b340beb7fca94e244784c9b9 |
| SHA512 | 01e2d54b0e9a3ab658ab4e08994ae086076bcfe3de48ebb3453d5ada2edb8dd50877a8108a05961ed559fc20fde651c0b108b4d9f0c6f2bb67d68f41a2b5bc3f |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 7f30ac06e8bec73fd277f605c2d19c9b |
| SHA1 | 70249f190dc1ff24a3d0ea1823756ff8d21b4fb7 |
| SHA256 | 7ac2ffb93ba4aa27a0b2ba702d383d9945882b144fe7c6b4279ca66772aa5f5a |
| SHA512 | 11d071ef911da18fe630321cb59d5b4809709afefddb96432eb613832ade61afcde1db258156ef6e73dbe3a8d4408d09967a5f11e5d19d3635ed9fb60e3f58d1 |
C:\SysDrvTL\devoptiloc.exe
| MD5 | 83ee5b915c241317909f9abf1c9b51f2 |
| SHA1 | d2b56ae66eab05480ca753329f372c6d1cdac3de |
| SHA256 | 555052993bb40114ce46e1cdfacfc6293bde1115d44182fb9a2a1ca48925c631 |
| SHA512 | 3dc189129d816d5b56631150abc376cc2e1b1f95aa236e34de8c029cfd9ae18025a34e766a0230efeb81dde2093734d19385ec71711dcca86e3627a1b91f15bc |
C:\GalaxHV\dobdevec.exe
| MD5 | 3fd4c3dbbcba724f05f38d3192563496 |
| SHA1 | 8964c6091f5f5e451169caa7a8244f4233c51068 |
| SHA256 | 39ad0278d6b15d0b4c77cb002f8410c0ec707f351cce5ec260008e0d2125efc8 |
| SHA512 | 44225384427f4655fe5cfd58c52bece792d6ae2e1c023f5202183f2d2ad4cf973f89d47cd84c6d3911c674be849b733e0fb11d8c8f3dce64d46d166b33f67722 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 20be682eaf1079762e5994180acbd9e5 |
| SHA1 | b3e4059b5f59bf7f1869dafcfdf6063c53cc69a5 |
| SHA256 | b18b882a5a9993494ef9b76c32df4c4fc8dda307b71710fd76f7f15b29580515 |
| SHA512 | 0d239649283ec7719dfb70626ad0751ce2a3588c3a6469a6a5b7f238e90bbb22b15dfb18cc83b385e2675a71d8058a649055c353c63650a0fc221abe5725eb10 |
C:\GalaxHV\dobdevec.exe
| MD5 | 569ebc9db4bfc247870badce5302fe52 |
| SHA1 | bb4c098d1c135d694d378e48bc0832a24a3c6571 |
| SHA256 | 5859bf38bc478e447885c029f6d7c6ec5f1b08dda0bfe03d4f71d9e1f054b7f1 |
| SHA512 | 5ff2865e22f04773e350b56ec7c5a5c0591f884501284e6150da0b11ef2c47c50f0a9a64a433c19773fa84a75e9d12e8b2f78cf8de430ca5276806d7189b8eff |