Analysis Overview
SHA256
5190b3e7fae94b1ea0e7836bd328a6fde1dc116b8bb8de4f8c27c2f05e1ebba8
Threat Level: Shows suspicious behavior
The file 5190b3e7fae94b1ea0e7836bd328a6fde1dc116b8bb8de4f8c27c2f05e1ebba8N was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Drops startup file
Reads user/profile data of web browsers
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-26 05:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-26 05:38
Reported
2024-10-26 05:40
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
101s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | C:\Users\Admin\AppData\Local\Temp\5190b3e7fae94b1ea0e7836bd328a6fde1dc116b8bb8de4f8c27c2f05e1ebba8N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| N/A | N/A | C:\UserDotPY\devoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotPY\\devoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\5190b3e7fae94b1ea0e7836bd328a6fde1dc116b8bb8de4f8c27c2f05e1ebba8N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ7P\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\5190b3e7fae94b1ea0e7836bd328a6fde1dc116b8bb8de4f8c27c2f05e1ebba8N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5190b3e7fae94b1ea0e7836bd328a6fde1dc116b8bb8de4f8c27c2f05e1ebba8N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotPY\devoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5190b3e7fae94b1ea0e7836bd328a6fde1dc116b8bb8de4f8c27c2f05e1ebba8N.exe
"C:\Users\Admin\AppData\Local\Temp\5190b3e7fae94b1ea0e7836bd328a6fde1dc116b8bb8de4f8c27c2f05e1ebba8N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
C:\UserDotPY\devoptisys.exe
C:\UserDotPY\devoptisys.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\UserDotPY\devoptisys.exe
C:\LabZ7P\bodaec.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\LabZ7P\bodaec.exe
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-26 05:38
Reported
2024-10-26 05:40
Platform
win7-20241010-en
Max time kernel
120s
Max time network
19s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\5190b3e7fae94b1ea0e7836bd328a6fde1dc116b8bb8de4f8c27c2f05e1ebba8N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\IntelprocKV\abodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5190b3e7fae94b1ea0e7836bd328a6fde1dc116b8bb8de4f8c27c2f05e1ebba8N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5190b3e7fae94b1ea0e7836bd328a6fde1dc116b8bb8de4f8c27c2f05e1ebba8N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ8A\\optidevloc.exe" | C:\Users\Admin\AppData\Local\Temp\5190b3e7fae94b1ea0e7836bd328a6fde1dc116b8bb8de4f8c27c2f05e1ebba8N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocKV\\abodsys.exe" | C:\Users\Admin\AppData\Local\Temp\5190b3e7fae94b1ea0e7836bd328a6fde1dc116b8bb8de4f8c27c2f05e1ebba8N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5190b3e7fae94b1ea0e7836bd328a6fde1dc116b8bb8de4f8c27c2f05e1ebba8N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocKV\abodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5190b3e7fae94b1ea0e7836bd328a6fde1dc116b8bb8de4f8c27c2f05e1ebba8N.exe
"C:\Users\Admin\AppData\Local\Temp\5190b3e7fae94b1ea0e7836bd328a6fde1dc116b8bb8de4f8c27c2f05e1ebba8N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
C:\IntelprocKV\abodsys.exe
C:\IntelprocKV\abodsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\IntelprocKV\abodsys.exe
C:\LabZ8A\optidevloc.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\LabZ8A\optidevloc.exe