Analysis Overview
SHA256: 87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206
Threat Level: Shows suspicious behavior
The file 87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-10-27 15:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-10-27 15:58
Reported: 2024-10-27 16:00
Platform: win7-20241010-en
Max time kernel: 120s
Max time network: 19s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | C:\Users\Admin\AppData\Local\Temp\87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| N/A | N/A | C:\UserDotMF\adobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxLQ\\bodxsys.exe" | C:\Users\Admin\AppData\Local\Temp\87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotMF\\adobec.exe" | C:\Users\Admin\AppData\Local\Temp\87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotMF\adobec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe
"C:\Users\Admin\AppData\Local\Temp\87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
C:\UserDotMF\adobec.exe
C:\UserDotMF\adobec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\UserDotMF\adobec.exe
C:\GalaxLQ\bodxsys.exe
Analysis: behavioral2
Detonation Overview
Submitted: 2024-10-27 15:58
Reported: 2024-10-27 16:00
Platform: win10v2004-20241007-en
Max time kernel: 120s
Max time network: 99s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | C:\Users\Admin\AppData\Local\Temp\87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| N/A | N/A | C:\SysDrvY1\aoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvY1\\aoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintOA\\optiaec.exe" | C:\Users\Admin\AppData\Local\Temp\87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvY1\aoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe
"C:\Users\Admin\AppData\Local\Temp\87bf1e6b75b07847360d25c65c5527d7705868f1f5d2e7bf10eefbb2c51c0206N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
C:\SysDrvY1\aoptiec.exe
C:\SysDrvY1\aoptiec.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\SysDrvY1\aoptiec.exe
C:\MintOA\optiaec.exe