Analysis Overview
SHA256
7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2f
Threat Level: Shows suspicious behavior
The file 7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 12:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 12:52
Reported
2024-11-08 12:54
Platform
win7-20241010-en
Max time kernel
119s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\IntelprocFR\devoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocFR\\devoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid0P\\bodxsys.exe" | C:\Users\Admin\AppData\Local\Temp\7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocFR\devoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe
"C:\Users\Admin\AppData\Local\Temp\7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
C:\IntelprocFR\devoptiec.exe
C:\IntelprocFR\devoptiec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
| Hash | Value |
|---|---|
| MD5 | 7f7870aa35e3095cf0835790003e7dbc |
| SHA1 | be42d64437632ef111a7f1ea841a7f40a66cb098 |
| SHA256 | 810c66dbe5ef06cc7733f1eca7696b10d6327fd97a62f9e91a4f8ed7126285b4 |
| SHA512 | 150ea4102b2ee42b8fd0af8afbfbca76eecfd5bc9ff4de756f158c773ed0f8259352475d12041d3cd3d2cc1397b3ccc191f61647cbc0765988c01a9582fe5d36 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 2af9834abb621af6fdbdf68e26cc8302 |
| SHA1 | c272d094acb16e32330b4528359940f9923b166c |
| SHA256 | 13c3f75d28565188f11d5c9581fc9358dff8ee90e7789f126c4819c8899ed74a |
| SHA512 | 933f78aed13fae3b40774cf904be1211f066a86eef1d4879b7693072b1bd08d460dde3904be9fd5d731ac459461579364471fe3c788140c8c1627069fa318be1 |
C:\IntelprocFR\devoptiec.exe
| Hash | Value |
|---|---|
| MD5 | eca65871c84668c45b86f5299cd60f1c |
| SHA1 | 44e543f5b6f5e5ba5836d4694bb4a978878aaa24 |
| SHA256 | f6fee2726577c41da6302e02f2c23e2d9ad33af47b6a2b8235cf671f290fb83f |
| SHA512 | ea241e6e5294b687687e0748bbba40a4beefbfb9cb45be12c15a5c5b66132c5657d7374f60f64c057fe20c52043cc8ad29ba99cd07f18c0c58659618665238a2 |
C:\Vid0P\bodxsys.exe
| Hash | Value |
|---|---|
| MD5 | 5807a4828b5293bc637199ddadf141bb |
| SHA1 | f886f611f3c7e6d4dc5e07ecf116db49d33e727b |
| SHA256 | 326a16681e27a370b76dd67b52fad91d912cc1fc43ba7d04a8aac6c34ac0592f |
| SHA512 | 64c2bc0e9210a4eef522e283fbbb4b343a6aca6b1140a2cf2c68f1e99c44361e953604d9f5bd23961320590fd9e0b19876f9fafd3f7f07ffee7926c010205e74 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | b243b9748d727fc4ac90146572c6da20 |
| SHA1 | 417f2d085d2ea4575d46ba3cf708114f25d8bb7f |
| SHA256 | 9b71d4f1ee98c2b4aba18df3e18ce5c4c2388f2a603e95ebf883edff7e07eb53 |
| SHA512 | a00d2f8faa2028643997c28d4a7b971157ed66074553775f82502b207338e61d88835269941cd3b4e0f28af1e3580450adc18413dca0f20278670a39dcb93a96 |
C:\Vid0P\bodxsys.exe
| Hash | Value |
|---|---|
| MD5 | b933d3f889f8aee7383a66e5ff269e1c |
| SHA1 | b5e2659797d41bb0af958ca1da1d07f844cd37a6 |
| SHA256 | 6151e93ad8ea8ea8088a687422c029bfdaead567147c2f6ccc3ca0f61f80eb7a |
| SHA512 | 882165e4f3a815395595ae99013ed411fbe4b34698b22f405dab21375115dacf0e5335a9b45cef426686589064ffdce9c9201c88c02d4646278d05c8b79ffd0d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 12:52
Reported
2024-11-08 12:54
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\Files4L\xbodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files4L\\xbodec.exe" | C:\Users\Admin\AppData\Local\Temp\7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB6W\\dobasys.exe" | C:\Users\Admin\AppData\Local\Temp\7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Files4L\xbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe
"C:\Users\Admin\AppData\Local\Temp\7e88986f9ced27b65f4a360a6ffdb82f8c38701b71686e677631816efe434a2fN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
C:\Files4L\xbodec.exe
C:\Files4L\xbodec.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
| Hash | Value |
|---|---|
| MD5 | 7553c1e5bea01a916c1ad0f70918b82c |
| SHA1 | e606f6e17d32542452b76520bc017c8c50554ca5 |
| SHA256 | 92b431922676a7ae1f21d85a15805f963ec798a6a69fd7fa39add2e117a387cc |
| SHA512 | 8b30879b4983651ba6267dcdf88d152b4741db5bb26feb496c5a63d4f478947ffb036f699a8802955412b47667933fdcabaeac2a1a70ecc481182c6371376ffc |
C:\Files4L\xbodec.exe
| Hash | Value |
|---|---|
| MD5 | 3274fb7b1e41af62f5e1599fe37975bc |
| SHA1 | edb4cef9f85e9f2da43cdf7ed7da32acf0966791 |
| SHA256 | 16293dbd4aca13eae316c035ac521dc1e8b56ae2eab0add4f857e1b6252e2c92 |
| SHA512 | 1e82dbda15b85b1ec2750fb528dee396dfdf037ab58eebad2a1b08fb77fb9d63643e0f9637b94e78aa8ca1197ed7a0da8a9cea286767db5f81800854d7fa5f65 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 7ce02e981e1405b6511c95f11a5c9515 |
| SHA1 | b1bc2c9bfcc89ce7a2f1a37e9d32ca410ec72962 |
| SHA256 | 2669f8b48e8e65651a37d3274859d7c15245e2ff57c591202da30e27263a1f79 |
| SHA512 | 6c591376e0dd8365615522e3f77727d5f004f9b5508e7d00555c85a66d849dc850ae86f109cab14338db7f74c2adc989dae4d35b5f6611747fff9766eefb10a1 |
C:\KaVB6W\dobasys.exe
| Hash | Value |
|---|---|
| MD5 | 5d02be3d7fa3783754a6a2a261804e0d |
| SHA1 | 8816b8fc938856924030544a394a1f4349c31eda |
| SHA256 | 8a549cf241ed5c0f1590e134906735461218856cbc5d5a59f9a82d038f33f4ef |
| SHA512 | 18a6dd1c8e7cfba70edd0507cb49de504247d3f40952d4a91081aecf9a3c297b071d44430ec44ddd0296b6bb794d2096fe8898bc346582d51a7a7b1f46ddb35e |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | b649e013f0a558a09cf03599172d0731 |
| SHA1 | 1fd7a9df0fe2aeb3b22d9a0c96967d89f254db89 |
| SHA256 | 38cf65c2d026a8ad26657aa7b487466c4f0b33c04d0d61f3a6cac8a1db947b63 |
| SHA512 | 9ddae270f4de77e0c314f6c0e1525e59016068024b2eee38df52b3393d44202bceb483a4e69e54e5a9cbc28050fe3840df5637aec5f08520c57ba973eb8140ea |
C:\KaVB6W\dobasys.exe
| Hash | Value |
|---|---|
| MD5 | 8061bf712d9a838fd6dc7b1418e16377 |
| SHA1 | a55109db63df11e56306f4e26a51656ac532fd43 |
| SHA256 | b239ffc41b459f36a0f56fa3a57061e32adb4d09fbcb92ef6e30386e387ae9f4 |
| SHA512 | 33a4b8edcee731d4c6e726e7298ce94a10cdbdb116b422c8476fff894fef2379ca44f111134bff736a15962e7c329bc3dd74302da26c46cae0e00685b50ffc23 |