Analysis Overview
SHA256
8350c8dd6c64c8a90bb3d99fa321c3beb1e8424fa682b4c9517c90dfddcca420
Threat Level: Shows suspicious behavior
The file 8350c8dd6c64c8a90bb3d99fa321c3beb1e8424fa682b4c9517c90dfddcca420N shows suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 23:54
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 23:54
Reported
2024-11-08 23:57
Platform
win7-20240903-en
Max time kernel
120s
Max time network
20s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | C:\Users\Admin\AppData\Local\Temp\8350c8dd6c64c8a90bb3d99fa321c3beb1e8424fa682b4c9517c90dfddcca420N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| N/A | N/A | C:\IntelprocQM\xoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8350c8dd6c64c8a90bb3d99fa321c3beb1e8424fa682b4c9517c90dfddcca420N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8350c8dd6c64c8a90bb3d99fa321c3beb1e8424fa682b4c9517c90dfddcca420N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocQM\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\8350c8dd6c64c8a90bb3d99fa321c3beb1e8424fa682b4c9517c90dfddcca420N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBQC\\boddevsys.exe" | C:\Users\Admin\AppData\Local\Temp\8350c8dd6c64c8a90bb3d99fa321c3beb1e8424fa682b4c9517c90dfddcca420N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8350c8dd6c64c8a90bb3d99fa321c3beb1e8424fa682b4c9517c90dfddcca420N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocQM\xoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\8350c8dd6c64c8a90bb3d99fa321c3beb1e8424fa682b4c9517c90dfddcca420N.exe | "C:\Users\Admin\AppData\Local\Temp\8350c8dd6c64c8a90bb3d99fa321c3beb1e8424fa682b4c9517c90dfddcca420N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe" |
| C:\IntelprocQM\xoptiec.exe | C:\IntelprocQM\xoptiec.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\IntelprocQM\xoptiec.exe
C:\KaVBQC\boddevsys.exe
\IntelprocQM\xoptiec.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\KaVBQC\boddevsys.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 23:54
Reported
2024-11-08 23:56
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
93s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | C:\Users\Admin\AppData\Local\Temp\8350c8dd6c64c8a90bb3d99fa321c3beb1e8424fa682b4c9517c90dfddcca420N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| N/A | N/A | C:\IntelprocGS\xdobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocGS\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\8350c8dd6c64c8a90bb3d99fa321c3beb1e8424fa682b4c9517c90dfddcca420N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintVO\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\8350c8dd6c64c8a90bb3d99fa321c3beb1e8424fa682b4c9517c90dfddcca420N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8350c8dd6c64c8a90bb3d99fa321c3beb1e8424fa682b4c9517c90dfddcca420N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocGS\xdobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\8350c8dd6c64c8a90bb3d99fa321c3beb1e8424fa682b4c9517c90dfddcca420N.exe | "C:\Users\Admin\AppData\Local\Temp\8350c8dd6c64c8a90bb3d99fa321c3beb1e8424fa682b4c9517c90dfddcca420N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe" |
| C:\IntelprocGS\xdobsys.exe | C:\IntelprocGS\xdobsys.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.210.23.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\IntelprocGS\xdobsys.exe
C:\MintVO\optidevsys.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\MintVO\optidevsys.exe