Analysis Overview
SHA256
4ba454ea22a61c96e0c9d33372987cb8823f4ec7cb572f353a0b20499f020931
Threat Level: Shows suspicious behavior
The file 4ba454ea22a61c96e0c9d33372987cb8823f4ec7cb572f353a0b20499f020931 was classified as showing suspicious behavior (no family verdict; see the signatures from the three analyses below).
Malicious Activity Summary
Drops startup file
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 22:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 22:02
Reported
2024-11-09 22:04
Platform
win7-20240903-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | C:\Users\Admin\AppData\Local\Temp\4ba454ea22a61c96e0c9d33372987cb8823f4ec7cb572f353a0b20499f020931.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| N/A | N/A | C:\FilesCG\devdobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4ba454ea22a61c96e0c9d33372987cb8823f4ec7cb572f353a0b20499f020931.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4ba454ea22a61c96e0c9d33372987cb8823f4ec7cb572f353a0b20499f020931.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesCG\\devdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\4ba454ea22a61c96e0c9d33372987cb8823f4ec7cb572f353a0b20499f020931.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintCN\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\4ba454ea22a61c96e0c9d33372987cb8823f4ec7cb572f353a0b20499f020931.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4ba454ea22a61c96e0c9d33372987cb8823f4ec7cb572f353a0b20499f020931.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesCG\devdobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4ba454ea22a61c96e0c9d33372987cb8823f4ec7cb572f353a0b20499f020931.exe
"C:\Users\Admin\AppData\Local\Temp\4ba454ea22a61c96e0c9d33372987cb8823f4ec7cb572f353a0b20499f020931.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
C:\FilesCG\devdobloc.exe
C:\FilesCG\devdobloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
| MD5 | d992d755de0952b0fa9457c6afff4d3e |
| SHA1 | 2e01818d5d4f558101297f4b2b39432902f8f00e |
| SHA256 | 0cf47cf5d5e891f0c8176741a269951e05e5e7677838db273e328d96abd37fe0 |
| SHA512 | 46f586c9797d6cffa47b1794efb9643e6fb95ec1b73aa23e893908896d1129f4617b5a20cb54da99f47878d8c2022162d4ac6e4810cf119af0ca17b7656b744f |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 46649f7d137ea1272651e794ae263505 |
| SHA1 | c129e28125d2108470229e117b4e926e00944e29 |
| SHA256 | 637155536957ad22cd0e0c1c06abbe4f684602893fa853690d6efcb331c28d29 |
| SHA512 | b81da9859336e287ad4e279bbd19ea769864fdc604941688c6a82741a4d8745d78cd0a234a8f4afadf4bfcf8f882d826b6dd8d04dd6c3a9793bace52bc8bb850 |
C:\FilesCG\devdobloc.exe
| MD5 | be6bde58cb6cf4840bf2f369216e6ca8 |
| SHA1 | bebe32f42ee735ab61615b73aeafc8ee34bd033b |
| SHA256 | 3ad7f6033f2b1db728c3a4b5c97696b4937d8a8e6f48b2fc59fe0fe3b42b1125 |
| SHA512 | 2cac71141edb08665138751ac2e4c07afb181573db67b4fb52e2fcff3eb94639225e88eec03aefeddd29debf271a301297f474744cb4daf8107395735533d1ba |
C:\MintCN\bodasys.exe
| MD5 | 0cebda690acedcd8708e2d73686310b2 |
| SHA1 | baa042a62aaa3589189e017a98e78d0e86291ef0 |
| SHA256 | c795b15328c440a3f3ef5b2687014d1e5e7275b637f36211a925b408f5672829 |
| SHA512 | 248075e856e3875c8aeef8ca348d55b4cea351183b2c678c200c4238477bcf448f72dd4253ead0b6078c745d9242fadcac69e1c9d4961411b58d52672eed003d |
C:\FilesCG\devdobloc.exe
| MD5 | 0d76d90989d643dcd81af91cc63406aa |
| SHA1 | b7262850fdbb19f4aee58d43f27e216f58c14ff3 |
| SHA256 | 5bb957b4326fa1f77ad5bd2678f5bc92d400835b18f5efc36ddca481a1b0f4af |
| SHA512 | a0e0cdf37fa3fc22d07919b9d9d61c9ed9350a82cd7289b30b636e4899e66750131c38e63dda0680c0171b21074aed5dfc892376c34aba687badd73b3f562e76 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 60512cb5e016fa6804d55fa592eb6488 |
| SHA1 | 311b5667a034e0427085faa654b6111e7aa73314 |
| SHA256 | 08ff25f34d42d7cfe26d5e3369dfb54aeb99b3bfb15b3bd274f21590b24186ff |
| SHA512 | 5dca7f30b4de65010a41514c5b8adb432359de2a15e5d5fa0906e093a5a632537ed842646b44d3103b8d003a75beb2630ed515bf331ae5d84140ccb7df6a6fc3 |
C:\MintCN\bodasys.exe
| MD5 | 5ac64cd98c4d77f56a2348989bb6b4d4 |
| SHA1 | 4d86225e6c5aadeef732112607cbca831af90dfe |
| SHA256 | b54bab9100aee20d1089dbe2e8eafbbdc47897c2f7f14767f2f7e26a882829cd |
| SHA512 | 687d6680e240e56e856e9942eba5e6871c3051fb3c27bfd902db5d2cdd28754404e70c60cc744333ce96a99cb81d1f0099646d4d87f0e684638ee48efadcff86 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 22:02
Reported
2024-11-09 22:04
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\4ba454ea22a61c96e0c9d33372987cb8823f4ec7cb572f353a0b20499f020931.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\SysDrvLK\devoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB2I\\optidevec.exe" | C:\Users\Admin\AppData\Local\Temp\4ba454ea22a61c96e0c9d33372987cb8823f4ec7cb572f353a0b20499f020931.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvLK\\devoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\4ba454ea22a61c96e0c9d33372987cb8823f4ec7cb572f353a0b20499f020931.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4ba454ea22a61c96e0c9d33372987cb8823f4ec7cb572f353a0b20499f020931.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvLK\devoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
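Across behavioral1 and behavioral2 the dropped paths differ (C:\FilesCG and C:\MintCN on Windows 7, C:\SysDrvLK and C:\KaVB2I on Windows 10, different Startup-folder file names), but three things are the same in both runs: an .exe is written into the per-user Startup folder by the sample running from %TEMP%, a Run value and a RunOnce value are both created under the user's hive with the name Parametr, and the Startup-folder copy is then executed. The hunting script below is an added example, not part of the sandbox report or of the sample; it applies those three observations to Sysmon-style events (event IDs 11, 13 and 1 with Sysmon's field names), and the EVENTS list is constructed here to mirror the report's indicators plus two benign records that must not fire.

```python
"""Hunt for the persistence pattern from behavioral1/behavioral2 in Sysmon-style
events.  Added example, not part of the sandbox report or the sample.  EVENTS is
constructed to mirror the report's indicators; it is not real telemetry."""
import re

# Per-user Startup folder, any drive letter and user name.
STARTUP_EXE_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\microsoft\\windows"
    r"\\start menu\\programs\\startup\\[^\\]+\.exe$",
    re.IGNORECASE,
)
# HKU\<SID>\...\CurrentVersion\Run or RunOnce with the value name "Parametr";
# accepts both the native \REGISTRY\USER form (as the report prints it) and Sysmon's HKU.
RUN_PARAMETR_RE = re.compile(
    r"^(?:\\registry\\user|hku)\\s-1-5-21-[\d-]+\\software\\microsoft\\windows"
    r"\\currentversion\\run(?:once)?\\parametr$",
    re.IGNORECASE,
)
# Per-user %TEMP%, where the sample itself was launched from in both runs.
USER_TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)


def hunt(events):
    """Return (severity, rule, actor, object) tuples for events matching the pattern."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        if eid == 11 and STARTUP_EXE_RE.match(ev.get("TargetFilename", "")):
            # An executable dropped into Startup by a process running from %TEMP% is the
            # exact sequence in the report; the same drop from elsewhere is still worth a look.
            sev = "high" if USER_TEMP_RE.match(image) else "medium"
            hits.append((sev, "startup_folder_exe_drop", image, ev["TargetFilename"]))
        elif eid == 13 and RUN_PARAMETR_RE.match(ev.get("TargetObject", "")):
            hits.append(("high", "run_value_parametr", image, ev.get("Details", "")))
        elif eid == 1 and STARTUP_EXE_RE.match(image):
            hits.append(("medium", "exec_from_startup_folder", ev.get("ParentImage", ""), image))
    return hits


# Constructed events modelled on the behavioral1 run (SID and paths taken from the report).
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\4ba454ea22a61c96e0c9d33372987cb8823f4ec7cb572f353a0b20499f020931.exe")
STARTUP_COPY = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
SID = "S-1-5-21-1488793075-819845221-1497111674-1000"
EVENTS = [
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": STARTUP_COPY},
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "Details": r"C:\FilesCG\devdobloc.exe"},
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": "\\REGISTRY\\USER\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "Details": r"C:\MintCN\bodasys.exe"},
    {"EventID": 1, "Image": STARTUP_COPY, "ParentImage": r"C:\Windows\explorer.exe"},
    # Benign noise: a differently named Run value and an ordinary document write.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Admin\Documents\notes.txt"},
]

if __name__ == "__main__":
    for sev, rule, actor, obj in hunt(EVENTS):
        print(f"[{sev}] {rule}: {actor} -> {obj}")
```

Matching on the value name rather than on the dropped paths is deliberate: the paths changed between the two detonations, the value name did not. Feed real Sysmon exports as a list of dicts with the same field names.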
Processes
C:\Users\Admin\AppData\Local\Temp\4ba454ea22a61c96e0c9d33372987cb8823f4ec7cb572f353a0b20499f020931.exe
"C:\Users\Admin\AppData\Local\Temp\4ba454ea22a61c96e0c9d33372987cb8823f4ec7cb572f353a0b20499f020931.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
C:\SysDrvLK\devoptisys.exe
C:\SysDrvLK\devoptisys.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
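The only network activity recorded in behavioral2 is a set of reverse (PTR) lookups under in-addr.arpa sent to 8.8.8.8:53; the table gives no process attribution and lists no connection to the resolved hosts, so on its own it shows that something on the guest mapped those addresses to names, not that the sample contacted them (the win7 run recorded no network activity at all). To pivot on the addresses you need them back in dotted form. The helper below is an added example, not from the report; it reverses in-addr.arpa names and, going beyond the table, ip6.arpa names as well, validating each result with the standard library's ipaddress module.

```python
"""Turn reverse-lookup query names back into IP addresses.  Added example, not
part of the sandbox report.  PTR_QUERIES is copied from the behavioral2 Network table."""
import ipaddress

PTR_QUERIES = [
    "28.118.140.52.in-addr.arpa",
    "68.32.126.40.in-addr.arpa",
    "95.221.229.192.in-addr.arpa",
    "53.210.109.20.in-addr.arpa",
    "206.23.85.13.in-addr.arpa",
    "75.117.19.2.in-addr.arpa",
    "88.210.23.2.in-addr.arpa",
    "14.227.111.52.in-addr.arpa",
    "24.73.42.20.in-addr.arpa",
]


def ptr_to_ip(name):
    """Return the address encoded in an in-addr.arpa or ip6.arpa name, or None if malformed."""
    labels = name.rstrip(".").lower().split(".")
    try:
        if labels[-2:] == ["in-addr", "arpa"]:
            octets = labels[:-2]            # four octets, least significant first
            if len(octets) != 4:
                return None
            return str(ipaddress.IPv4Address(".".join(reversed(octets))))
        if labels[-2:] == ["ip6", "arpa"]:
            nibbles = labels[:-2]           # 32 hex nibbles, least significant first
            if len(nibbles) != 32 or any(len(n) != 1 for n in nibbles):
                return None
            hexstr = "".join(reversed(nibbles))
            groups = (hexstr[i:i + 4] for i in range(0, 32, 4))
            return str(ipaddress.IPv6Address(":".join(groups)))
    except ValueError:                      # out-of-range octet or non-hex nibble
        return None
    return None


def ptr_targets(names):
    """Map each query name to (ip, is_global); malformed names are dropped."""
    out = []
    for n in names:
        ip = ptr_to_ip(n)
        if ip is not None:
            out.append((ip, ipaddress.ip_address(ip).is_global))
    return out


if __name__ == "__main__":
    for ip, is_global in ptr_targets(PTR_QUERIES):
        print(ip, "global" if is_global else "non-global")
```

The is_global flag is a quick filter before enrichment: a PTR lookup for a private or loopback address is local noise, a global one is worth a passive-DNS or ownership check, which this helper does not perform.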
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
| MD5 | 603252f3d91946beab61f19a862511e8 |
| SHA1 | 50e36aecb1a8c8f8c0eb918c4873d53b9f0b4d66 |
| SHA256 | 006f36a43288eadeceb5549adc9212f2cf95a7ad7767a2136a507caeda728425 |
| SHA512 | 45bc69c2e0277bf4a22dcdf7554623b9f7fbb67643dc7fd6cc1c410b4ed9669a3856abafb0012653cecce6f776ab8c1a7a8e277133a092441dc797e27b6f17f6 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | f0224344c4fade5eef28d83a3a6ce2bb |
| SHA1 | a391ada393d44c4dfd271a112cbe5d9270451f6b |
| SHA256 | 9d4358df4c1101f06703eb6bef418bcee45cbb1ff25f94209b1507e0730c61aa |
| SHA512 | 11705e06560e4e68c826b30c14526c2b9e4bec5a944f6776b53b3ddbb46f4cef14e8fa488913f17b315dc16ce6c22e0ab32e73cfac23104f37ebc2d26386244a |
C:\SysDrvLK\devoptisys.exe
| MD5 | bae5eb085a9f023b8d36e2a083933bdd |
| SHA1 | c8f3b383d6ce74e8606027a03db4b0ae08c513b1 |
| SHA256 | b505b72bbec0ac5ef11559a9e1cd5d9b176f6b03b0dc9296023c144e105605ab |
| SHA512 | 93d15b5bec81644cf4030f24c5941cb76efb1e539e47e25ee9c722db4b1b52b8ec129fef26b9080ad23fe6b7d1f0752e3a263040aa5557656967acd4d5e485f3 |
C:\SysDrvLK\devoptisys.exe
| MD5 | 2e751198c559db3f10f733a4656f8abb |
| SHA1 | 2cfe1dd0eae29b34236d910e94bc1012c83e18d6 |
| SHA256 | 7e233fb636794c2a7f813c1f264b459a59e3c974e247516d4c4adf39786ae7a5 |
| SHA512 | 1dac981a8153a7cc2f6a7fd4a416eaa0d395ecc2d8767b712c047086822b90276e59bb89493bf4b35c1307fa9e41cac7b355235ddec931ea096d67e336f1e0f8 |
C:\KaVB2I\optidevec.exe
| MD5 | ff7166e1b9a00c35b4fc3c2539c05db8 |
| SHA1 | 42551c1cde374da0029750fa2ba964a5e2ee6d27 |
| SHA256 | ff4690ef3e3036bf484e504c5566c045b7ac22d816f16992101fee229c5073e3 |
| SHA512 | 0e3e4c014e8fbbd5b79687f439bdcfb1554496956423926f67402da0d37e65f9588f9fb076a2bd45408ad530edbcf47341d80ecc573473437f0cf43dd6937c9d |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | aa9039d06d012d054a8ff79781680746 |
| SHA1 | 41ae01f53cb0a9a3042a3bcabf8a66bb2179afdb |
| SHA256 | 570856df237cbceac68bafc02ea6b8c06bf6491471fcc98e36d7894daf64734f |
| SHA512 | e3de74c3098ae959106ff02b23142c8d4be378298e2fc6072de2b0753b054df35554031b13be2bed94764b515e96ebc338ab77627a723a2b28400a8a3d5a4eaa |
C:\KaVB2I\optidevec.exe
| MD5 | 2ba112c2e09b29348f8a0c918fbd805c |
| SHA1 | 8541f98ad243face9eb3e29f3fe11bebbfc1b9bf |
| SHA256 | 129f89598e54d2e3a5b7f132c06dfd8479c8258b68b8719604435a502745992e |
| SHA512 | bba2dd2262f55021bae0a3db44f9a2d5ebe02a8164ae4fc1a7d0ae26532359e81314a87109209a4be549511209910e018c5dd65c42f1608ef2e5fbbfc19e9119 |
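Two things in the Files sections of behavioral1 and behavioral2 matter before any of these hashes go into a blocklist. First, the same path is listed twice with different hashes (C:\FilesCG\devdobloc.exe, C:\MintCN\bodasys.exe, C:\SysDrvLK\devoptisys.exe, C:\KaVB2I\optidevec.exe and the .ini in each run), so a single hash for such a path is not a stable indicator of the file that ends up on disk. Second, the .ini name is 253086396416_6.1_Admin.ini on the Windows 7 guest and 253086396416_10.0_Admin.ini on the Windows 10 guest; 6.1 and 10.0 are the kernel versions of those two systems, so the name appears to embed the OS version and the user name around a constant number, which is an inference from these two filenames. The script below is an added example, not part of the report; it parses the report's own path-plus-hash-table layout (a subset of the behavioral1 entries is embedded, abridged to MD5 and SHA256), flags paths whose SHA256 changed, and turns the .ini naming pattern into a regular-expression indicator instead of a fixed filename.

```python
"""Extract file IOCs from the report's Files sections and flag unstable hashes.
Added example, not part of the sandbox report.  FILES_TEXT is copied from the
behavioral1 Files section, abridged to MD5 and SHA256 rows."""
import re
from collections import defaultdict

FILES_TEXT = r"""
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
| MD5 | d992d755de0952b0fa9457c6afff4d3e |
| SHA256 | 0cf47cf5d5e891f0c8176741a269951e05e5e7677838db273e328d96abd37fe0 |
C:\FilesCG\devdobloc.exe
| MD5 | be6bde58cb6cf4840bf2f369216e6ca8 |
| SHA256 | 3ad7f6033f2b1db728c3a4b5c97696b4937d8a8e6f48b2fc59fe0fe3b42b1125 |
C:\FilesCG\devdobloc.exe
| MD5 | 0d76d90989d643dcd81af91cc63406aa |
| SHA256 | 5bb957b4326fa1f77ad5bd2678f5bc92d400835b18f5efc36ddca481a1b0f4af |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 46649f7d137ea1272651e794ae263505 |
| SHA256 | 637155536957ad22cd0e0c1c06abbe4f684602893fa853690d6efcb331c28d29 |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files(text):
    """Return one dict per path block: {'path': ..., 'MD5': ..., 'SHA256': ...}."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None or len(digest) != HASH_LEN[algo]:
                raise ValueError(f"malformed hash row: {line}")
            current[algo] = digest
        else:                       # any non-table line starts a new path block
            current = {"path": line}
            records.append(current)
    return records


def unstable_paths(records):
    """Paths written more than once with differing SHA256 values."""
    by_path = defaultdict(set)
    for r in records:
        if "SHA256" in r:
            by_path[r["path"]].add(r["SHA256"])
    return {p: s for p, s in by_path.items() if len(s) > 1}


def stable_sha256(records):
    """SHA256 values safe to use as-is: paths that appeared exactly once."""
    unstable = unstable_paths(records)
    return {r["path"]: r["SHA256"] for r in records
            if "SHA256" in r and r["path"] not in unstable}


# <number>_<major.minor>_<user>.ini directly under the user's profile, with the
# trailing user name required to equal the profile folder name (as in both runs).
INI_RE = re.compile(r"^(?:[A-Za-z]:)?\\Users\\([^\\]+)\\(\d+)_(\d+\.\d+)_\1\.ini$", re.IGNORECASE)


def ini_fingerprint(path):
    """Decompose the per-host .ini name, or return None if the path does not fit."""
    m = INI_RE.match(path)
    if not m:
        return None
    user, number, version = m.groups()
    return {"user": user, "number": number, "os_version": version}


if __name__ == "__main__":
    recs = parse_files(FILES_TEXT)
    print("unstable:", unstable_paths(recs))
    print("stable:", stable_sha256(recs))
    print(ini_fingerprint(r"C:\Users\Admin\253086396416_10.0_Admin.ini"))
```

Hashes returned by stable_sha256 still describe one detonation only; the Windows 10 run dropped differently named files with different hashes, so the path and registry indicators from the behavioral sections travel better than any of the file hashes.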