Analysis Overview
SHA256
87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7e
Threat Level: Shows suspicious behavior
The file 87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 13:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 13:19
Reported
2024-11-08 13:21
Platform
win7-20240903-en
Max time kernel
120s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | C:\Users\Admin\AppData\Local\Temp\87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| N/A | N/A | C:\FilesST\xdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesST\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZU8\\optixloc.exe" | C:\Users\Admin\AppData\Local\Temp\87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesST\xdobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe
"C:\Users\Admin\AppData\Local\Temp\87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
C:\FilesST\xdobsys.exe
C:\FilesST\xdobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
| Hash | Value |
| --- | --- |
| MD5 | 71485ebd8baf7e0eb7f066df8f11fe47 |
| SHA1 | e70c04950fd61da353ed71d7b1065f36f33f9ad9 |
| SHA256 | f09b19fb5390b22eb7583f607ae486e20e6a60c5d6aba9a979bddb11c1a68f50 |
| SHA512 | 7542a60df75405cd63346fd3c4c6f74c6338597bb8c535bc3a5e1563940a1d044b8c8abfc0e14a96af686c8b710c3488eb436fd9467f76f15d60857fc11b616e |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | b4e7397d11ef9b276fc9fbe4981b0d0f |
| SHA1 | 9206a7eaf9925e9d8a9a7a50ba52360832f22ed6 |
| SHA256 | 7fe07a660f36206439fc23209cb9a764514ff4a95a0408b73944acab01f3a0f2 |
| SHA512 | 7698c0a23a91391daefafacd1aaec681c0f03f624d36edac644ff93df2384301cd527ccb3ae17c6dc82685b855d8c295f18914609ae9b6a6ba4a010ce0266ec9 |
C:\FilesST\xdobsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 57467fe6f28eb201dddd5b499cb84dc1 |
| SHA1 | 08423378e6472b45dd31b91dccbeb7ee0fa33436 |
| SHA256 | 9e652e2637dc24ad0de34fa174b696b72cd8b1db7dcc2f7cb951c236a1e00a49 |
| SHA512 | e9d062ff31bdd43fa92e07be296025eadbee42447fd1b858fb1c205a34c3811ac4c9ca2b721abd176e1c598926c19c79622609fb47a93d467827b83938fd5927 |
C:\LabZU8\optixloc.exe
| Hash | Value |
| --- | --- |
| MD5 | d91acec1223ae3e357d0d3bf201dee2e |
| SHA1 | 480b97964222800d9f0f189fe5c3b2b532546f2c |
| SHA256 | 227df1469d59232fb904772f3a639b055f62b55dc5bef66a19da7d59ce2590f5 |
| SHA512 | 0c5b95eebc590719575ecb88e501cbbc0b965709ba5b5b75d11a86e9ece008f32115218932f74ad38f64fb6af5de105ed74738106909992bf7b47f85ca4ca8d8 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 6919fb1c5518a212545be20dc3f8cb68 |
| SHA1 | 6b56462b7bc271339afe0213d4786d026e983886 |
| SHA256 | 8497793f8a4fcc012052dd3cf88b21ce0c44fe17435da34fbe08693f5e1b0a7b |
| SHA512 | 7b0f6166c93d34d4a4894909b4518c9312501eaa23c09f72df745885fb3307362486ed27ffd362d98d7d82ad0f2ede60e94b69d8b2bd1dc052e4250ba5de2b0e |
C:\LabZU8\optixloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 72d601f2fa9e27d323e69e170217db2b |
| SHA1 | 11e34cf6d8553a0a4767012b33f700040f331561 |
| SHA256 | b6b0a4a7a5d52e840c2040230413242c3b0e2ee70a743de8a9682a2997636507 |
| SHA512 | 53aeb0143518f1a8dd34e654e0aa23815ae44d793c33066b8b07796f3ebe9f91ceb11ba8e52a6a92ad139caf012a25394ba424347329510e2287186b21c07ecc |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 13:19
Reported
2024-11-08 13:21
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | C:\Users\Admin\AppData\Local\Temp\87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| N/A | N/A | C:\AdobeE4\xdobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeE4\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintNG\\dobaec.exe" | C:\Users\Admin\AppData\Local\Temp\87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeE4\xdobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe
"C:\Users\Admin\AppData\Local\Temp\87533e56591ddaa8feb5845fbe8f2d40c9bb58d28862b7356c31466533a9dc7eN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
C:\AdobeE4\xdobsys.exe
C:\AdobeE4\xdobsys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
| Hash | Value |
| --- | --- |
| MD5 | 21c8429f4521e0cfe01f1eb67e9017f4 |
| SHA1 | 9215e6e30faf7acc9b2a354371b7d658417e8cfc |
| SHA256 | e2db10aba2ee0815bc60bbd54d9cdcbf599202b86ddbf089c8ffc2b204bf4936 |
| SHA512 | ee9cb6c2ee4f01ec54570a31e4497ec2a647a6be3193707e382cc3243bf8b3e4b64ceb20cf8602bc095ecefe72cd1bdbbc059fba3af6c22f1e93807a9071bb77 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 980efc9f74bb529f762cb3fb90d03644 |
| SHA1 | 0bbf8584cf6b2a9e26792b1c90ab05e69049ed0d |
| SHA256 | 596671ff7e69be370b3dd34a49411861b8b34911db5b57015d7765120d80d809 |
| SHA512 | 5ebfc10ce89f96512cab9fa3840f8302765b2a18534e2de0282439fa20eb025f29d5d60ec73ab6fe4c62db2a2e97a0014974da0922fcf2758870b9a253692286 |
C:\AdobeE4\xdobsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 141fbb4f200db924e182b31df937dfc1 |
| SHA1 | b9e778f1dfc9c7abed56a94a7d55f19c31ce049a |
| SHA256 | 930d4d6dc926b819e0023b980aeb726d7facbc647d9331a1db73d84a4da411df |
| SHA512 | dc620aecdfb5242dc09900c8bb73cb01c9451e4cfa0dd5cd9ed4d4fb8189d5e219545099b2571316c121216740ae4c229dfdaf65c1050d2e5c4ab2d39592618d |
C:\AdobeE4\xdobsys.exe
| Hash | Value |
| --- | --- |
| MD5 | ea2070c0b2b2c3741fa083bd651dae76 |
| SHA1 | 52c66c3a6fd4b135ae861fb29a0853b7be6fc47a |
| SHA256 | 2cd35a85ccce0fe694aec806169b60bc06354a9fa0523ae766b43b1d7c18b9b7 |
| SHA512 | 7b1a1735bfe7b8a4432997a80d2e32e8b8e74d5200624e2eac32de0d265d7a58126eb40073d8c9fbe7d01d325b414be3534cee6520e71a3938463a666975b1cd |
C:\MintNG\dobaec.exe
| Hash | Value |
| --- | --- |
| MD5 | 5d7c52949a65f525baa7c871a4755c89 |
| SHA1 | 3749205b8babafed57ebe0244de922cc0d918db5 |
| SHA256 | 522640076b4946a999cb2d5624f029688fec4ce6ad8222d83b7a3dca858cb9e5 |
| SHA512 | 422ce3e477614957e621741184a4e2a998686c0739667419220b62bd7ab125d7da533d7b2dcbc69b334598b92566f2d181009df8d84c14bcf93c315e091c96d0 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | c7ffb16836cb698bb60b2d9dccdb51c5 |
| SHA1 | d1d293d7c28bd33ce02b26692556a52de979e376 |
| SHA256 | 6229c9808003ed478b4374cdb0bf0293c358e1d17dc3b557d4cc8ca2840c9414 |
| SHA512 | 5cffa016fa494b246f0fbbd510ee2fb8323d7cf111ca768fa6f452b18adf885d59cb72ecef0166f40eaecbec0ac0e5c52c0d3672ce6d4d5b594d026d88ac2afc |
C:\MintNG\dobaec.exe
| Hash | Value |
| --- | --- |
| MD5 | 0e0c92fb52ac15ef34204fbb95a38468 |
| SHA1 | 063ce6e25197dc1d11eb52caab37e6e7b3455afa |
| SHA256 | eac90185a0f5816328da27e75a62bd773b24977ebc39c2c9f1d8f1f1c89769d2 |
| SHA512 | 04247c473552384847a32f9cd54104cc69749a2a191bb83275968f921ae9d5ed0b337f209931d54c538bcded3c3f00de16f2a858ac0ccaa54991263bdd0f139a |