Analysis Overview
SHA256
3088ccbc2cd6a84367b6e7bb342279e1726b6bd7415c1becba45eacb3e7052f8
Threat Level: Shows suspicious behavior
The file 3088ccbc2cd6a84367b6e7bb342279e1726b6bd7415c1becba45eacb3e7052f8 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Drops startup file
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 21:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 21:31
Reported
2024-10-27 21:34
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | C:\Users\Admin\AppData\Local\Temp\3088ccbc2cd6a84367b6e7bb342279e1726b6bd7415c1becba45eacb3e7052f8.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| N/A | N/A | C:\FilesS1\adobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesS1\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\3088ccbc2cd6a84367b6e7bb342279e1726b6bd7415c1becba45eacb3e7052f8.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintOD\\dobxloc.exe" | C:\Users\Admin\AppData\Local\Temp\3088ccbc2cd6a84367b6e7bb342279e1726b6bd7415c1becba45eacb3e7052f8.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesS1\adobsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3088ccbc2cd6a84367b6e7bb342279e1726b6bd7415c1becba45eacb3e7052f8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3088ccbc2cd6a84367b6e7bb342279e1726b6bd7415c1becba45eacb3e7052f8.exe
"C:\Users\Admin\AppData\Local\Temp\3088ccbc2cd6a84367b6e7bb342279e1726b6bd7415c1becba45eacb3e7052f8.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
C:\FilesS1\adobsys.exe
C:\FilesS1\adobsys.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\FilesS1\adobsys.exe
C:\MintOD\dobxloc.exe
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 21:31
Reported
2024-10-27 21:36
Platform
win7-20240903-en
Max time kernel
149s
Max time network
124s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | C:\Users\Admin\AppData\Local\Temp\3088ccbc2cd6a84367b6e7bb342279e1726b6bd7415c1becba45eacb3e7052f8.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| N/A | N/A | C:\SysDrvZ7\devoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3088ccbc2cd6a84367b6e7bb342279e1726b6bd7415c1becba45eacb3e7052f8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3088ccbc2cd6a84367b6e7bb342279e1726b6bd7415c1becba45eacb3e7052f8.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvZ7\\devoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\3088ccbc2cd6a84367b6e7bb342279e1726b6bd7415c1becba45eacb3e7052f8.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxP3\\optixsys.exe" | C:\Users\Admin\AppData\Local\Temp\3088ccbc2cd6a84367b6e7bb342279e1726b6bd7415c1becba45eacb3e7052f8.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvZ7\devoptisys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3088ccbc2cd6a84367b6e7bb342279e1726b6bd7415c1becba45eacb3e7052f8.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3088ccbc2cd6a84367b6e7bb342279e1726b6bd7415c1becba45eacb3e7052f8.exe
"C:\Users\Admin\AppData\Local\Temp\3088ccbc2cd6a84367b6e7bb342279e1726b6bd7415c1becba45eacb3e7052f8.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
C:\SysDrvZ7\devoptisys.exe
C:\SysDrvZ7\devoptisys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\SysDrvZ7\devoptisys.exe
C:\GalaxP3\optixsys.exe