Analysis Overview
SHA256: 903d73da9c11190677a00afa9f8eaaa59d54412da2564dc76a95b66e61f036b2
Threat Level: Shows suspicious behavior
The file 903d73da9c11190677a00afa9f8eaaa59d54412da2564dc76a95b66e61f036b2N was classified as: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 14:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 14:55
Reported
2024-11-08 14:57
Platform
win7-20241010-en
Max time kernel
120s
Max time network
19s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | C:\Users\Admin\AppData\Local\Temp\903d73da9c11190677a00afa9f8eaaa59d54412da2564dc76a95b66e61f036b2N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| N/A | N/A | C:\AdobeIV\devoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\903d73da9c11190677a00afa9f8eaaa59d54412da2564dc76a95b66e61f036b2N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\903d73da9c11190677a00afa9f8eaaa59d54412da2564dc76a95b66e61f036b2N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeIV\\devoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\903d73da9c11190677a00afa9f8eaaa59d54412da2564dc76a95b66e61f036b2N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZUB\\boddevec.exe" | C:\Users\Admin\AppData\Local\Temp\903d73da9c11190677a00afa9f8eaaa59d54412da2564dc76a95b66e61f036b2N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\903d73da9c11190677a00afa9f8eaaa59d54412da2564dc76a95b66e61f036b2N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeIV\devoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\903d73da9c11190677a00afa9f8eaaa59d54412da2564dc76a95b66e61f036b2N.exe
"C:\Users\Admin\AppData\Local\Temp\903d73da9c11190677a00afa9f8eaaa59d54412da2564dc76a95b66e61f036b2N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
C:\AdobeIV\devoptisys.exe
C:\AdobeIV\devoptisys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\LabZUB\boddevec.exe
C:\AdobeIV\devoptisys.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\LabZUB\boddevec.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 14:55
Reported
2024-11-08 14:57
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\903d73da9c11190677a00afa9f8eaaa59d54412da2564dc76a95b66e61f036b2N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\FilesNL\xoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesNL\\xoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\903d73da9c11190677a00afa9f8eaaa59d54412da2564dc76a95b66e61f036b2N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidU6\\dobxec.exe" | C:\Users\Admin\AppData\Local\Temp\903d73da9c11190677a00afa9f8eaaa59d54412da2564dc76a95b66e61f036b2N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\903d73da9c11190677a00afa9f8eaaa59d54412da2564dc76a95b66e61f036b2N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesNL\xoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\903d73da9c11190677a00afa9f8eaaa59d54412da2564dc76a95b66e61f036b2N.exe
"C:\Users\Admin\AppData\Local\Temp\903d73da9c11190677a00afa9f8eaaa59d54412da2564dc76a95b66e61f036b2N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
C:\FilesNL\xoptiloc.exe
C:\FilesNL\xoptiloc.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\FilesNL\xoptiloc.exe
C:\FilesNL\xoptiloc.exe
C:\VidU6\dobxec.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\VidU6\dobxec.exe