Analysis Overview
SHA256
a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04b
Threat Level: Shows suspicious behavior
The file a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 14:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 14:54
Reported
2024-11-08 14:56
Platform
win7-20241023-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | C:\Users\Admin\AppData\Local\Temp\a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| N/A | N/A | C:\SysDrv2P\devoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv2P\\devoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintQG\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrv2P\devoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe
"C:\Users\Admin\AppData\Local\Temp\a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
C:\SysDrv2P\devoptisys.exe
C:\SysDrv2P\devoptisys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\SysDrv2P\devoptisys.exe
C:\MintQG\bodxloc.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\MintQG\bodxloc.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 14:54
Reported
2024-11-08 14:56
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
94s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | C:\Users\Admin\AppData\Local\Temp\a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| N/A | N/A | C:\SysDrvGH\abodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvGH\\abodloc.exe" | C:\Users\Admin\AppData\Local\Temp\a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax4X\\optiasys.exe" | C:\Users\Admin\AppData\Local\Temp\a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvGH\abodloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe
"C:\Users\Admin\AppData\Local\Temp\a9fcd8d7c19e719cc0653144ad8147c720d20e75f6b0e92bfd982fdd4ff9b04bN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
C:\SysDrvGH\abodloc.exe
C:\SysDrvGH\abodloc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\SysDrvGH\abodloc.exe
C:\SysDrvGH\abodloc.exe
C:\Galax4X\optiasys.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\Galax4X\optiasys.exe