Analysis Overview
SHA256
6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ff
Threat Level: Shows suspicious behavior
The file 6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 22:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 22:22
Reported
2024-11-09 22:24
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\AdobeVR\xoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeVR\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB6F\\bodxec.exe" | C:\Users\Admin\AppData\Local\Temp\6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeVR\xoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe
"C:\Users\Admin\AppData\Local\Temp\6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
C:\AdobeVR\xoptiec.exe
C:\AdobeVR\xoptiec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
| Hash | Value |
| --- | --- |
| MD5 | 1ac98686c25d9f3c9ac2ed826fdf1b9b |
| SHA1 | d947c020f3dd9feffea7f7487955ac548494a55e |
| SHA256 | 228204d6eff5fac80c026e3cddebe352edd33aaec2a47279805fe7f198581c89 |
| SHA512 | 7ec6a6a3117c481b5abbabd6f148ab587db1c9baa67ff7dd02929c379f438f110c3581ff1c4219df015dea39cbc0ec6dad8b31d76e4e9543054782583568ea43 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 05ec69ba5ae0a8d217c762e35de75606 |
| SHA1 | dcae221f4f5b13cafbe0806a700ca63d3f993875 |
| SHA256 | b2509ab34931061149e0569c6363608b019a8218b6de01d728a50689ef700df5 |
| SHA512 | 3bd3fa507b06785b0792eb1ea764a614719659a6225eea86080508a2e5952ef05d949de4234b173f2a639b89a509b20c949cda7a37e1a262a8e67e7672bae911 |
C:\AdobeVR\xoptiec.exe
| Hash | Value |
| --- | --- |
| MD5 | ffc5d6fcc4066adf6bf1e89631522ffa |
| SHA1 | 6e747f56b2ee1d8227b717f6fec4792830b98087 |
| SHA256 | f333b03ff48ba246eb27a47e4203a4938197333adceeeb04c7278fbc20779fa3 |
| SHA512 | 15c478e45554881dc3afd5664c09c2a5cc6462de56f1bff0454900ad12d3e0ffdbe0923a7b5e39cc6f1aded82c57291cd7ad104d4a1acca438647a3c09c85bb2 |
C:\KaVB6F\bodxec.exe
| Hash | Value |
| --- | --- |
| MD5 | f6cdc83b7b8cb2f9fabb05ac2fb91298 |
| SHA1 | c514c173940b24002c06e3a1b9cf3183dd60538b |
| SHA256 | 915e8eaf9b4727ed524a9fe50ed9a03d97d49886ab90bb3d9605feacb9f1dec3 |
| SHA512 | 0141c11abba72ec6d1b94d704cfd6fbe25cbfe93652390500e455a1a8d87c32a8f8a42f91f17772884eeeb48ddbf228d8b5ad5b8ce3a622ff9d7bf58abba4ab3 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | ebd011a96fd5aa8e4e854ee7ea97ddce |
| SHA1 | 606654b2b5029469b4246a94ac188e9bbbee0604 |
| SHA256 | f0cc27e10c75fce16e6e1a47abc8d559cd97bf202bd2f74f584f06b8160bb443 |
| SHA512 | 4f214638e2341c54bf1a9f5fe430079501175b8f37d38b1bc0731b69713f1b8aded6e5f764a7dee0f7886596518c66d3c676de1e69df792eff5f0f39e6083109 |
C:\KaVB6F\bodxec.exe
| Hash | Value |
| --- | --- |
| MD5 | a0d93c62bfe22f0d8bda734267d7a2f7 |
| SHA1 | 70c59b518bc986cac81cc5a181db4b9635e024a1 |
| SHA256 | d05c38f14d0ac21cff9c82bdc5061b764c7223ab560a27b3bd4b0a207c76bb34 |
| SHA512 | 820e30e33691e8a251318199971155431c260c2b8731f29d2b5adb2c90f6c2fa6fe6300ca243d0e45c4f6c91370ef92a773264b361376dd44c2dca87f96f2a30 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 22:22
Reported
2024-11-09 22:24
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
102s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | C:\Users\Admin\AppData\Local\Temp\6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| N/A | N/A | C:\UserDotJ6\devoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintT0\\bodxsys.exe" | C:\Users\Admin\AppData\Local\Temp\6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotJ6\\devoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotJ6\devoptiec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe
"C:\Users\Admin\AppData\Local\Temp\6664c2b4793fd6a6fe46e9a4358b551b98cbaa988e42ff80ff4dccf6c71652ffN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
C:\UserDotJ6\devoptiec.exe
C:\UserDotJ6\devoptiec.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
| Hash | Value |
| --- | --- |
| MD5 | 851e07c78a7ce4502537a9d70d5589b1 |
| SHA1 | adaf3d3b146cbe9c70a0057ff4d6bdd16e115d72 |
| SHA256 | aa0ab3109739c9ddb325195ac92800aa72e8c0a236b1904094db3b656d257901 |
| SHA512 | ef7c12a1c7dcf69ec11d5fc19167672d4ac5667ffa7a32254e7e86947c03a131daf3c672b051c2d44d5cdcbbaaeefb255c347b07d6737218e9102385fe6f2d2b |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 4f74f283b716bd69e7d3d29dfc64fd48 |
| SHA1 | 0e9ab656bdeb3894615c9f60f3d5d0a59f421ca3 |
| SHA256 | b9d266740c7d3b5c6d39e6187ca6609fecb5b1f0b0b056c28ae5df5ae24d8c66 |
| SHA512 | 26aac9e3df045904daa4ae590f4500d45784b73478a4e2ddb32c954aa00a7d1590488a03ee9926da0c9b922d291dc19a1c9d08f0fcae0eac4a7326b682cb509c |
C:\UserDotJ6\devoptiec.exe
| Hash | Value |
| --- | --- |
| MD5 | 0b3f97bd1d3f58c8cbd4c18840bdd73e |
| SHA1 | 2c4350cfe89924b1b93ea6302f0f7c01bdd6c56c |
| SHA256 | 414af5c0b280a502f70ca3452029069161b1e06ab191d6e6960a42e1f0f8a4dd |
| SHA512 | 2974e4f10224f839f6fd052313cda4ca47067c3d6990205117d9ffc0344f0f4585770d37cecea5c4dd6106416d3d72a97726587bc28b005d6b7f75443027f0eb |
C:\UserDotJ6\devoptiec.exe
| Hash | Value |
| --- | --- |
| MD5 | dc0e6f1a84e2c7c12fc716eb9030c8a4 |
| SHA1 | 5cc2206705d7eb613729e5ed6c3b7bd495c0cd12 |
| SHA256 | aa99df64c13a406fd8f01cdae452d3d12cb76d3821a3eff01a060e3b15944ed2 |
| SHA512 | a99f148a285cd6b572310eb4141917b615dd57f4dcc1e56f9942ae75b8c2ffdae860267fae9a877a4a94dbf16ce29dc0017ca95ab3456c6ffa8eb468114c7e21 |
C:\MintT0\bodxsys.exe
| Hash | Value |
| --- | --- |
| MD5 | e1497a96257006caa28d9c50361ca0e9 |
| SHA1 | c6a9707192a47a7b8dc5e3daaba59fde6d853689 |
| SHA256 | e864959d0aac81ac1a02f0a0749d0cfd71b8e006a6789819f72c649aac78ed48 |
| SHA512 | 893c8a4e110b9cb3efc35368f90b57e7ee2b9dd7f132d787dcd3ca537bd6d794b545606eb662142e26aa7211cf94614611da746c2797fcd90ff2ea5bd6aaf177 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 17d9436f564aef253fe8e831a9156832 |
| SHA1 | a67299de03e0842cb77aefdab20bb5f8a91c76e4 |
| SHA256 | c5770df1d673d3d36977ad36d345b7a56ae26efd6b08221a154041adb6cc4fa4 |
| SHA512 | a0e9705af92c518a9e3885167e90c46b7da6ec33738ad445b72f76a5965844fb52aede2f19f019f42353d21db34b35ad2fd1b9965c7b655187b4b708484ee363 |
C:\MintT0\bodxsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 196a3addf52a73e1a2eb99adc0ed2163 |
| SHA1 | 0d5bf224e5db9029151778760116ef351510362d |
| SHA256 | faf53b27747c764b966ca9ebf81208f8711ee4d5436266bc066520369a3c7136 |
| SHA512 | 350670b16037df5f9b8d20264a366aef1a78142ba254435ffbe764b55ec0028ec90443864205bd2a1f7ad33c4cad87a590aa3530185b4024ab29f59a0c480854 |