Analysis Overview
SHA256
12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988b
Threat Level: Shows suspicious behavior
The file 12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:20
Reported
2024-11-10 01:22
Platform
win7-20241023-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | C:\Users\Admin\AppData\Local\Temp\12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| N/A | N/A | C:\SysDrvZX\abodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvZX\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidP1\\dobasys.exe" | C:\Users\Admin\AppData\Local\Temp\12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvZX\abodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe
"C:\Users\Admin\AppData\Local\Temp\12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
C:\SysDrvZX\abodec.exe
C:\SysDrvZX\abodec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
| MD5 | be3d274cfe12f814bcd7082cf593c23e |
| SHA1 | fc1f0a1ff23a6f1cd5855dd4dfcf988bd5ceba3d |
| SHA256 | 7af6faf1a811320922dc694af6a55c3d74dff694f166a79a1e45ac526d6f3aa0 |
| SHA512 | 4c98dfdc7d30bcf62bcbef10e3ed7ee50674e6194b2154b12e2173688310830defb5c79dd3c51c28acd969c882caa52dd77a8512537abdd32d2228bb8d9e0f4c |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 339e058d85760ea128fb6c6e7c782b7e |
| SHA1 | 766cc330814964cdbeaf0cdc3a1bc39e0e6ab026 |
| SHA256 | 647cb98f6d720e6b1a6088281613874fae215d962b53b7211272b0ddb6701be1 |
| SHA512 | 30c9873ccc82d194efac702a5c5d3e79f2ef609b8d1f07482a0340d927ffba14bcfff6974cf94cf43b600614ffe80b5a4c5f27927f23c59919e763e382fedf6e |
C:\SysDrvZX\abodec.exe
| MD5 | 88c9807917b8fc1f18ae6cac69e12974 |
| SHA1 | 5780a2f721532a3d5572f879a8e362f8773af0f5 |
| SHA256 | fa789c3a884ba28d5503ff5f9ed8d6927a6422e995688c214636d8b99d515b3a |
| SHA512 | 801b6b5cf0a2be780c3057b9899825cffbf638414bb4da326f2ea8962baa57e51480e50b789df1ef4c166506f555e2752c93b48006b85e14af81a7f3a0206f02 |
C:\VidP1\dobasys.exe
| MD5 | 3fd8a40292597394b4b380f8c47ea0c9 |
| SHA1 | 4ab5d744b2a01845d956822bd7b7178ce691cae6 |
| SHA256 | be1e9e8480d31f2d9b756989299057c973fdd7b6b9e4ee7293157793de5a6543 |
| SHA512 | 2caf393b8c527da5c430035d8603762fb1c33418268b9be5254f3c5d3561bc2d384f82d3f1202e3988ebcf960723047f7cb3869e5ffae1e4f0fb034f91e53736 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 1a8fe00cda1f4e0898495021ceeb2520 |
| SHA1 | e0a7cef9e576aad2abdc86c547668b3676078af4 |
| SHA256 | e5a0219a1ba82b9dc8c963d0876c9925762231037e9421df59771b3dd507ed92 |
| SHA512 | f62bd66b4817f808b3432ef6456a220b1aa348dd7e6755c150e135bc9dad963240b1990b802d794f9dd7b44354f9af7ddf06606cfad678802509ad64bc04574b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 01:20
Reported
2024-11-10 01:22
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
94s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\IntelprocU3\devbodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocU3\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxHD\\optixsys.exe" | C:\Users\Admin\AppData\Local\Temp\12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocU3\devbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe
"C:\Users\Admin\AppData\Local\Temp\12891b0089742491be13c707f5021f2046dfa7cef441c6d3a7a692cb4545988bN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
C:\IntelprocU3\devbodloc.exe
C:\IntelprocU3\devbodloc.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
| MD5 | 6f2245941a8371be1ee4fcb96e5a2a7e |
| SHA1 | 1f919390c5ee7e77d688c72d803f6f0f55ece33e |
| SHA256 | 4046ef8c05f4af50ea5bb708f08b9cacf662195a2bb3771314651ce9007ac516 |
| SHA512 | 75f536b1ef87151250f977f2955a34390634f35c64171113d9937baffb2a565a2b3b4c6c1fa5aad8e0155f5304a18d85280585af577d7608a463c311c7e1210e |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 01d1e67194782b6c2ea5ed3e0e661cc3 |
| SHA1 | 037bf6d4cbdd9eaf57ec40dbacefb71f5dbb60c3 |
| SHA256 | bf392157ec9eb269a6e0a429e046e4a2e49d7b7cdc73e5d1c9a7fbd66414eeb8 |
| SHA512 | 4b63df07fe5a6b45379d1125fb4e79d5c2956688f8c023339655518fb88fe168dccaaf158b92f28c40bd903f860ab2f650731655663e3150859b118cc09a27d4 |
C:\IntelprocU3\devbodloc.exe
| MD5 | ad0973545ad7a819117a5b73197f293f |
| SHA1 | cf2a5a414dae9a6b61a285a87ef47edbf846fa15 |
| SHA256 | 3b2eab8e166336d56f6dfd703a4d0b2940eefb6cdc723ae9267a1694eeff00fd |
| SHA512 | 96347c1506c1f8ed024bc7f8aa99b90025299be9cda9fcecab86df08dceda26a2aeb6be916422acff25e4a511d5fe8201b4095884e144ae9613e64828f0a9add |
C:\GalaxHD\optixsys.exe
| MD5 | 222773639d25f952cdaa0fbb0364aa0b |
| SHA1 | 9b051ea518b4bb198922e2244143223f1d0b1343 |
| SHA256 | f0d1241b4a022d29132236b5ca618329659cb8be5e2f0a17980df28d55d06fe5 |
| SHA512 | 4b45ced75c4bac6499501506e5111c2009064f9b3dccf78f8904a6deaba0e043955c2e3cde6e4d7ab10c0966121c64db451e9d76956047acd73911f7f3ba20b7 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 5f6ca4cc2b075e2b11e32a7ec71bc70e |
| SHA1 | 24951ab8f44063e25715bfd82118da5b7e4ec527 |
| SHA256 | aca13e89a56b65b3bc57ecddebbe305d3d50a80ffe4cecd58403a58202729d70 |
| SHA512 | efcc1cc37f1f4fea07c4de30d5a106a69b2e4a2d9a71e8ba105a5b8871add17943a48336d0ebbed661fc83ecfa65c7b0ba04060f40e0bd10e32ec7691ee35afd |
C:\GalaxHD\optixsys.exe
| MD5 | eb0c63ab1da6660e272d7b24027edf8a |
| SHA1 | ef879a9f53d98468ab200f4f4fdeba286d50c399 |
| SHA256 | 6ea25695a9aad32904703c66f8beada7524903e101092b29b376f2f7cce84be5 |
| SHA512 | a767c6dd453ad3f06291187328b241bf19123f2bdd9df15ba19e2e2b491ad90fda38d99de7a011ea0aa3b6ec5be7b07d0c4a40379a11377d182a1c26a87785eb |