Analysis Overview
SHA256
5330d9e0ab2305292ee31a106a85b2824095681bb2eadc1a0bc0ff8b68860047
Threat Level: Shows suspicious behavior
The file 5330d9e0ab2305292ee31a106a85b2824095681bb2eadc1a0bc0ff8b68860047N was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-26 00:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-26 00:11
Reported
2024-10-26 00:13
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
107s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | C:\Users\Admin\AppData\Local\Temp\5330d9e0ab2305292ee31a106a85b2824095681bb2eadc1a0bc0ff8b68860047N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| N/A | N/A | C:\FilesZN\devdobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesZN\\devdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\5330d9e0ab2305292ee31a106a85b2824095681bb2eadc1a0bc0ff8b68860047N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintLQ\\dobxec.exe" | C:\Users\Admin\AppData\Local\Temp\5330d9e0ab2305292ee31a106a85b2824095681bb2eadc1a0bc0ff8b68860047N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5330d9e0ab2305292ee31a106a85b2824095681bb2eadc1a0bc0ff8b68860047N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesZN\devdobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\5330d9e0ab2305292ee31a106a85b2824095681bb2eadc1a0bc0ff8b68860047N.exe | "C:\Users\Admin\AppData\Local\Temp\5330d9e0ab2305292ee31a106a85b2824095681bb2eadc1a0bc0ff8b68860047N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe" |
| C:\FilesZN\devdobsys.exe | C:\FilesZN\devdobsys.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.108.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 110.11.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
| MD5 | c19278d3cd5ab2c894d8933a91023564 |
| SHA1 | ba80ca4db1796f9cfac8886665912e75e0bd3f1a |
| SHA256 | 0775c15d49f1314721e5c99ad6cb3f8b49d3dc8d2056ba7599ae53bd3dc9397b |
| SHA512 | 424976a00f8a15bea0d567cfbe05499b384cabcc5c1a904e80c86432894e7104b1ab14de40ae965797142dee0554b16ae0fbd9ccc2f98e7253108344610d3630 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 451b742f22527569f1a94f7e4701877a |
| SHA1 | 5dc948c32efff96f8837f3959247bbc76cdd7557 |
| SHA256 | 79f9f6868936d891f429bda98be977dc2f9d60e1dd77d3df5118a78b41485597 |
| SHA512 | af05e82623970ed6ea2c3f08b452b56de140e17dcbd649cfe39e349c9b58007f0c729b6dc689bd1936dcb0960965a53f1ff2a2a71e5315ebc3f0d367f812176c |
C:\FilesZN\devdobsys.exe
| MD5 | f6bae41e369a9bcf80241313472bba06 |
| SHA1 | a38aa57263d1780c362fa5407e27f8e2453b1e25 |
| SHA256 | 9087ad53b8fe5678629e3e46e53c4a8b162e0c5566fd126586d3dbed5a3eeb16 |
| SHA512 | d64a11fb7d03ca679f4d6378bb41cce848c7d64a53dd8a91512218d9482980cfd42dd32a6c68feb4e590a377bf5ff9bcbd7814b4ea9a20f753a6a997dd9dd15e |
C:\FilesZN\devdobsys.exe
| MD5 | dc128f2de9afedca04aa9f42bbd053ac |
| SHA1 | 24ea35bd3619baead3b4b33e9dc351f70180501b |
| SHA256 | c83edded0b016c90fddf750c3ca3b75ca32a98ecdceb303bf89f1269734f6940 |
| SHA512 | a879215458ba922bccd88a7ce3cf8f4548ac65a5950c3ca65b6143ab96c0a01093627cbd3fe31c29bd340319652c28af548097ea096da749c0a039f8ba6b2000 |
C:\MintLQ\dobxec.exe
| MD5 | f71811ca286aa054a05377fbfe4308a5 |
| SHA1 | b4a1804662f151e759806874c2a0613ee20e97b4 |
| SHA256 | a0948ff9f98be1ea4b1c111c8804a300595e4345ad24aeeb34d29353ad02fe84 |
| SHA512 | 927de7696adf06406a07e6822bc64a3ce5e428d9598ee933619a16b89e0bf7f058dd2343a87928a4ee2de368447621f135e5f3cf5eb8e997f7bf02076ae7e278 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 93df6e7a765ce33b3705631320e62b19 |
| SHA1 | 5c06671ed78b8eabd8ccb0b4585788e20307186d |
| SHA256 | 6744fa69715af76268a1824bb2f498f9138b9a3881d697de9d05ed3254287a13 |
| SHA512 | 1a0c7632f7f3affc323a680609d00296445da00e9710fc23bb9d3e037d27b48f1f3eae16eb1ad27e8b8ba2b4b73320c72f05eb0053d1d9d4ec510a92c67309af |
C:\MintLQ\dobxec.exe
| MD5 | 5c1e72ec3fbbb0c8def503a58944492e |
| SHA1 | c6323dbf71d4176d3ba4bd5f1f5c84ae726a5465 |
| SHA256 | ebaa8885c2fb9f1bac994dd2d6ceef5649f3a1cddaf86dcf14aa8fdf4698234f |
| SHA512 | c41b1355f0f3ada6c9b63d43c9334101c62d69cfe91404304a1184e28c256fe0c96118c6ff0534ca7152e4c568a4e29fe7ff6dab7db149d72ce72db8b84fd2b1 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-26 00:11
Reported
2024-10-26 00:13
Platform
win7-20240903-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\5330d9e0ab2305292ee31a106a85b2824095681bb2eadc1a0bc0ff8b68860047N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\UserDot52\devoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5330d9e0ab2305292ee31a106a85b2824095681bb2eadc1a0bc0ff8b68860047N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5330d9e0ab2305292ee31a106a85b2824095681bb2eadc1a0bc0ff8b68860047N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot52\\devoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\5330d9e0ab2305292ee31a106a85b2824095681bb2eadc1a0bc0ff8b68860047N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintG2\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\5330d9e0ab2305292ee31a106a85b2824095681bb2eadc1a0bc0ff8b68860047N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5330d9e0ab2305292ee31a106a85b2824095681bb2eadc1a0bc0ff8b68860047N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDot52\devoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\5330d9e0ab2305292ee31a106a85b2824095681bb2eadc1a0bc0ff8b68860047N.exe | "C:\Users\Admin\AppData\Local\Temp\5330d9e0ab2305292ee31a106a85b2824095681bb2eadc1a0bc0ff8b68860047N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe" |
| C:\UserDot52\devoptiec.exe | C:\UserDot52\devoptiec.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
| MD5 | 82708288ed80584b265cc6b498816a39 |
| SHA1 | 0a7547b85a59bd5d0cf813ba643dbb12d6eadc5b |
| SHA256 | f4b5ff6a2e1b94b1b9fe8069962ca6edc7b67b3d067c904febf5c625cf0fb4e0 |
| SHA512 | c4487fed1700c263e0e311fb78d87e36674e0a1f91509111fef2452c490014d14e16e802c66fdeebd2e11096ee6e2c2db8ad5a79835fbbb0adecbd5fd43e2475 |
C:\UserDot52\devoptiec.exe
| MD5 | 75a16712b3202f9d38a90abac9bdc1f5 |
| SHA1 | e9ddf326ee8e3bb15a6097a26573b19323fe4a60 |
| SHA256 | 3c142784bab133e0f73405d5aead2c75401ac1e3a1135d35c351a2da85e774f7 |
| SHA512 | 4845e60e70e221f88156d0fa5ce5136e7fa3dead1dd58b63120cbb00b5d33925c20af4ccf4bb723e31f592a5226d757d11a14b482cf412a82aa26ff1ac8bcc7c |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 1a431f5f41cb90ec4be9d1c73727606d |
| SHA1 | 1cd2eb8fe123ef7765758040a0f43499289d8a50 |
| SHA256 | f36def2a9ff9a58880680a52d644578c2c20436ae4a817151cda0339840e9358 |
| SHA512 | 52662bda062e6826eccc22ae18c13c711ce09c96949d7af1cf4e49fc0e92607f8ba2d06d62aa294a8ead5a5d043129f07cd595cfd5b7caae6ad8b7cb33fb2ed3 |
C:\MintG2\optidevsys.exe
| MD5 | 2d2cc2ae227b8b9d06a5887d81c80c3d |
| SHA1 | 5cae418854bfc76647f971fcda8c20d1ffa76f7d |
| SHA256 | b7be88e2a24b4da994f07ca4ccf84f6eb5555a2fd990ead9a70040c6c5681d62 |
| SHA512 | ca3f76aba447188affc353b7f68fb838376b384bdaffc2629676efa887af34d3a7bc4f94d2a5ba8b2ef3fc6f54f1f596ef25285b722e40ac8b6cc2410b111a2f |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | eaab3ba517af76d91c89043f0143181d |
| SHA1 | 7bfa83c32525a8c71f044be6d77bc33678f10b0f |
| SHA256 | 8725f24fb739b0285084e70c1f6945ba1b0a0ef1afed4e0057b31e58f681c2df |
| SHA512 | 841a5fda6d06991a3eb0b94ac7af50e32eda5ed83d3678571b07abb273b6cba55f3cfc7ef78b30121eb10d11a2bcfb42e0c0d7e301ef2bf5a5e1f4bfa54d9630 |
C:\MintG2\optidevsys.exe
| MD5 | 640f7b2ac26336229373f2ecd8f1e3a8 |
| SHA1 | 8cfce73dd133747809bae24c696a802d971ad6df |
| SHA256 | 66baea018715e78994053487d660febeba43540f4d76ae24735f7587954117d3 |
| SHA512 | ef4e20d859152927a79e4664f7e94555cb4816cfc7746d897db81ec06b07015e8e8d2d096446d27e9cdc3935f8a9e520a00b2f9582f31ffd83a9c36f0ca33267 |
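Both detonations above (behavioral2 on Windows 10, behavioral1 on Windows 7) show the same persistence pattern with different file names: a copy dropped into the per-user Startup folder, a Run value named Parametr pointing at an executable in a freshly created directory one level below the drive root (C:\FilesZN, C:\UserDot52), and a RunOnce value named Parametr pointing at a second such directory (C:\MintLQ, C:\MintG2). Because the directory and file names changed between runs, the exact paths are weak indicators; the locations and the shape of the paths are what to detect. The script below is an added example written for this page, not part of the sandbox report or of any vendor tooling. It applies three checks to Sysmon-style events (event IDs 13, 11 and 1; the dictionary field names are an assumption, chosen to mirror Sysmon's TargetObject, Details, TargetFilename, Image and ParentImage) and runs them over events constructed from the behavioral2 indicators plus benign controls. The root-directory rule generalizes the four directories observed here to any executable launched from, or registered under Run/RunOnce from, a non-standard directory directly under the drive root.

```python
"""Detection checks for the persistence pattern in this report, run over
constructed Sysmon-style events. Added example; field names are assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Run/RunOnce value set. Matches both Sysmon's HKU\<SID>\Software\... form and
# the \REGISTRY\USER\<SID>\SOFTWARE\... form used in the report above.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\(?P<value>[^\\]+)$", re.I
)
# Per-user Startup folder; anything created here executes at the next logon.
STARTUP_DIR_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$", re.I
)
# <drive>:\<single directory>\<name>.exe, optionally quoted (registry data / command lines).
ROOT_DIR_EXE_RE = re.compile(r'^"?(?P<drive>[A-Z]):\\(?P<dir>[^\\"]+)\\[^\\"]+\.exe"?', re.I)
# Root-level directories that legitimately hold executables; anything else is unusual.
STANDARD_ROOT_DIRS = {"windows", "program files", "program files (x86)", "programdata"}

# Sample image path from the report (long name kept verbatim).
SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "5330d9e0ab2305292ee31a106a85b2824095681bb2eadc1a0bc0ff8b68860047N.exe")
SID = "S-1-5-21-3227495264-2217614367-4027411560-1000"


@dataclass
class Finding:
    severity: str  # "high" or "low"
    rule: str
    image: str
    detail: str


def _unusual_root_exe(path: str) -> bool:
    """True for paths like C:\\FilesZN\\devdobsys.exe: an .exe in a custom
    directory directly under the drive root. False for C:\\Windows\\..., C:\\Users\\..."""
    m = ROOT_DIR_EXE_RE.match(path.strip())
    return bool(m) and m.group("dir").lower() not in STANDARD_ROOT_DIRS


def check_registry_set(ev: dict) -> Finding | None:
    """EID 13: a value written under a Run or RunOnce key. Severity is raised when
    the value data points at an executable in a custom root-level directory."""
    m = RUN_KEY_RE.search(ev["target_object"])
    if not m:
        return None
    data = ev.get("details", "")
    sev = "high" if _unusual_root_exe(data) else "low"
    return Finding(sev, f"autostart_{m.group(1).lower()}_value", ev["image"],
                   f"{m.group('value')} = {data}")


def check_file_create(ev: dict) -> Finding | None:
    """EID 11: a file created inside the per-user Startup folder."""
    if STARTUP_DIR_RE.search(ev["target_filename"]):
        return Finding("high", "startup_folder_drop", ev["image"], ev["target_filename"])
    return None


def check_process_create(ev: dict) -> Finding | None:
    """EID 1: a process started from a custom root-level directory."""
    if _unusual_root_exe(ev["image"]):
        return Finding("high", "exec_from_custom_root_dir", ev["image"],
                       f"parent={ev.get('parent_image', '?')}")
    return None


CHECKS = {13: check_registry_set, 11: check_file_create, 1: check_process_create}


def triage(events: list[dict]) -> list[Finding]:
    """Apply the check matching each event's ID; events with other IDs are ignored."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev["id"])
        f = check(ev) if check else None
        if f:
            findings.append(f)
    return findings


# Constructed events: the first four mirror the behavioral2 indicators, the last three are benign controls.
EVENTS = [
    {"id": 11, "image": SAMPLE, "target_filename":
        "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\sysabod.exe"},
    {"id": 13, "image": SAMPLE, "target_object":
        f"HKU\\{SID}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Parametr",
        "details": "C:\\FilesZN\\devdobsys.exe"},
    {"id": 13, "image": SAMPLE, "target_object":
        f"\\REGISTRY\\USER\\{SID}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Parametr",
        "details": "C:\\MintLQ\\dobxec.exe"},
    {"id": 1, "image": "C:\\FilesZN\\devdobsys.exe", "parent_image": SAMPLE},
    {"id": 13, "image": "C:\\Windows\\explorer.exe", "target_object":
        f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
        "details": "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"},
    {"id": 1, "image": "C:\\Windows\\System32\\svchost.exe", "parent_image": "C:\\Windows\\System32\\services.exe"},
    {"id": 11, "image": "C:\\Windows\\explorer.exe", "target_filename": "C:\\Users\\Admin\\Documents\\notes.txt"},
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.image} -> {f.detail}")
```

Run as-is it reports four high-severity findings for the report's indicators and one low-severity finding for the benign OneDrive Run value; the svchost.exe start and the Documents write produce nothing. The checks deliberately do not key on the value name Parametr: it is a good pivot for this sample, but a single string in a Run value is trivial for the author to change, whereas an unsigned executable in a brand-new directory under the drive root, registered for autostart and also copied to the Startup folder, is the behaviour both detonations share. Note also that the sandbox's "Reads user/profile data of web browsers" and "Suspicious use of WriteProcessMemory" signatures carry no indicators in either run, so they are not modelled here.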