Analysis Overview
SHA256
1dfc57969b0ee7e38d8d45c02080416f6c75383365f98a4ad20e723154c1ba9a
Threat Level: Shows suspicious behavior
The file 1dfc57969b0ee7e38d8d45c02080416f6c75383365f98a4ad20e723154c1ba9aN was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 22:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 22:06
Reported
2024-11-09 22:08
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | C:\Users\Admin\AppData\Local\Temp\1dfc57969b0ee7e38d8d45c02080416f6c75383365f98a4ad20e723154c1ba9aN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| N/A | N/A | C:\Files01\xbodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1dfc57969b0ee7e38d8d45c02080416f6c75383365f98a4ad20e723154c1ba9aN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1dfc57969b0ee7e38d8d45c02080416f6c75383365f98a4ad20e723154c1ba9aN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files01\\xbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\1dfc57969b0ee7e38d8d45c02080416f6c75383365f98a4ad20e723154c1ba9aN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidS5\\dobxsys.exe" | C:\Users\Admin\AppData\Local\Temp\1dfc57969b0ee7e38d8d45c02080416f6c75383365f98a4ad20e723154c1ba9aN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1dfc57969b0ee7e38d8d45c02080416f6c75383365f98a4ad20e723154c1ba9aN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Files01\xbodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1dfc57969b0ee7e38d8d45c02080416f6c75383365f98a4ad20e723154c1ba9aN.exe
"C:\Users\Admin\AppData\Local\Temp\1dfc57969b0ee7e38d8d45c02080416f6c75383365f98a4ad20e723154c1ba9aN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
C:\Files01\xbodsys.exe
C:\Files01\xbodsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
| MD5 | 02e8a22cf37d54aa52483d59d6eabe40 |
| SHA1 | 5c715f99831079dd0c27790e5b31bbd61ea3637d |
| SHA256 | 8f7368c264e123267daab31647472c6563bfc45c6cf29a1fab680907b06c5c14 |
| SHA512 | 4b82cfebf146b520e1be8885d7e5bdade1fb8030673406b3af8b95b9045232d876d4c87755713de87bc8222efd0ba0fae155a3eb0bfd584967bc1f627be67374 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | d721110fcc9cdf8a8bac727344e39f7c |
| SHA1 | 2a5c7ca57a8c56672177064eb0b0250c90699398 |
| SHA256 | 274de624e793139f392b7d52f24e5d8ddd135cd8083090c04e1909b03bab0753 |
| SHA512 | 3387b0a6e457fc92d24e0b7b1d8c5dd8a3e4d9993823034a9c94ca8bab75c34573ff379474dcf665ec52cfb9b5d4e90f49895da7387b0e58afc85f00d66b2c41 |
C:\Files01\xbodsys.exe
| MD5 | 2d33be7a420576714e1204080a6685b0 |
| SHA1 | fb335239766fe56d30ff597041118f4ddb8986a3 |
| SHA256 | 6a7a64538d84cb232e0e6cdc38ed920b351277cd713f6eae04e934f087f6d293 |
| SHA512 | feec4bd1ce6d9d80dc36f00047e24e521705a132f779a808ed6164ff25fcac7892e8ed1a2359121da9f89f2875e17fa644877df551af2e0b0b3edb3c9478ec22 |
C:\VidS5\dobxsys.exe
| MD5 | 39b734a7a139dacf34dacd93527f3ee4 |
| SHA1 | 27eb10af3bdfd80984dc5dd7231a1e67e311236c |
| SHA256 | 1353d67e6f03e62b0a9fc459030229efc1271be2ac07ce27b8d73b2db8dd7501 |
| SHA512 | 7f8235cfbaed1753d0e810f2839c542ae06ae2b0cf11393358a88124f2305a65aad3c984152adac5fd7328d9b06282e4e89dbd5fe93ff9b0770238ccc5fa3794 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 39217b255bfa9bae30e8ff9a71cc79f4 |
| SHA1 | 3239a52d11dabe91fe95aa35d687e0340eaf6750 |
| SHA256 | 4faad83630b7e4860ef1c8025cda8eae10ddc82322e085b807aa97351b472df5 |
| SHA512 | ff4c5ff432e05fc54c5af8b381edb5c8b21011d277a2052e1fc2f43350d125b51e74ba8d30eba9c44474607befe7d948073386754f5199e09e19473750d78cbe |
C:\VidS5\dobxsys.exe
| MD5 | 11d6dfd6231414df210a3d9b1deab71c |
| SHA1 | 78fe0c7155fc5717dd7a66853221bc133941896d |
| SHA256 | 449297d0914a796ef31dee360879bfea63fe446132e1a743ea9a6588496210a2 |
| SHA512 | 2e284ada3c71614ea769def6e6f17b7cd748f086fc8cab07e4c0735e1f3db5ec37067188a3b5c74f3bfac0dccc6acb49a32b43ac306961029bd0bdf5111175a6 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 22:06
Reported
2024-11-09 22:08
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\1dfc57969b0ee7e38d8d45c02080416f6c75383365f98a4ad20e723154c1ba9aN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\AdobeW1\xdobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeW1\\xdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\1dfc57969b0ee7e38d8d45c02080416f6c75383365f98a4ad20e723154c1ba9aN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintES\\optiasys.exe" | C:\Users\Admin\AppData\Local\Temp\1dfc57969b0ee7e38d8d45c02080416f6c75383365f98a4ad20e723154c1ba9aN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1dfc57969b0ee7e38d8d45c02080416f6c75383365f98a4ad20e723154c1ba9aN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeW1\xdobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1dfc57969b0ee7e38d8d45c02080416f6c75383365f98a4ad20e723154c1ba9aN.exe
"C:\Users\Admin\AppData\Local\Temp\1dfc57969b0ee7e38d8d45c02080416f6c75383365f98a4ad20e723154c1ba9aN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
C:\AdobeW1\xdobloc.exe
C:\AdobeW1\xdobloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
| MD5 | e62ea06dd9a81b894927cabd093d2ce4 |
| SHA1 | 5f578521d4fed65fc69aba03ad76ba9816c3bf9c |
| SHA256 | 0ee5aee642d68410895938fbc39c8ac1c8f46ad967e5d624dc141f77d74936eb |
| SHA512 | f33faad7d67cb1d2feb1586c76042aeb60ba53d7c25537a11b8572cff4b20272389b3fdf26df6a0a95c4bb51a90e36699ddb79d2fd9eefdcb87313088bc7f81e |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | b7d5f52f011504fe7109b750ff1da893 |
| SHA1 | b602a4e53578de78b218b93cf77d2552fefc0bdc |
| SHA256 | ef99edc7f8cd9c7b705b21d36fdf82248b7c63f96c02cce3791b5e3b40cbd4c7 |
| SHA512 | 804c8ca7ccd96d6eae0c2eace8b2cd5e1747b15ca3c7d83cb77006e625f9c35dd2209f33a525d94219bcf0988931642763927ae3e7a1c18b354dae998e241fc0 |
C:\AdobeW1\xdobloc.exe
| MD5 | 394a89d4003d6708bf40dafdb1ab59be |
| SHA1 | ec99b63f26ff89eca5e0642871d143d4a87ac45a |
| SHA256 | 53c75bc58b1536ce9da373878563014eaa27f5f668b649dfb87780897b51c92c |
| SHA512 | 20e5770c019c80d4ae627ef12a6ecbf49af82c4b8899d1e0f63d460984eabd26bdafe7d26f60c39d75d10f987108c14e7e936bce37f57e35b289006aa47504ee |
C:\AdobeW1\xdobloc.exe
| MD5 | 3c998c3820741e526e721abaaf3f8282 |
| SHA1 | 431c7a547bbcf1e94cffaaebc86d081c48359036 |
| SHA256 | 5cb9db49e7e0886c9be9f623ae58d50db5e9561863d1ab21239191277b03b853 |
| SHA512 | 6909c1b1fa9f3f83929256b8b8cc275c1da1e5d61f31a74e3db51d34e13bea682afd8d05e7cd8c003e0991416677cb25ea20dbb704aae50a4351110b0b7cfcdf |
C:\MintES\optiasys.exe
| MD5 | a0de3fb85c9c9c36fe3d73767e8d8c13 |
| SHA1 | a073cc0eb786a2de864ee6e8e14d7e6ffdf182c8 |
| SHA256 | c1ba9fa1b8d941edad6b66cf29b41fd3f067806c847c53476c773f7e51cbaf00 |
| SHA512 | 3fcc4e8f45cacc8931572c890dd0517517e17d7befcba16486ce16f2dc93e4e89847ed1c91c832410825a466d9605e1bad28fcf2b35dec93f8dbe49af4c9d60f |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 8fdc4123960a12b6fea125af0d1c0def |
| SHA1 | 587103f7a4a416e7c0a9b09e820c3580918e119b |
| SHA256 | b371cf8210365334354707ed51d3a5cf5f5078a3302b1073b5484a84c18ccace |
| SHA512 | dfa477b55a9d2512dd80dc25dc51eca7b396dc58c184904a58c82da3325a7c71f36eacd1459df7f020796cbcd351771f018089353635e0f4d22d037e72fd606a |
C:\MintES\optiasys.exe
| MD5 | 4220921147b98a4fd70e2b03a6f2e284 |
| SHA1 | 4d24aa2e7fd06949468a755e49b69cd354d1bebc |
| SHA256 | 904d14abbbe8df28282f373dc042f1d3ddedd6de5d167a0c450e09e28a7d4cb2 |
| SHA512 | a75b4547889392a0b2a04a5c63fc5169b2008cce34a3e977203da71294368992c15bd91e77918894f6fcc0125dab7a52bd8865fab106648ffd97a3960afa64b0 |