Analysis Overview
SHA256
67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe
Threat Level: Shows suspicious behavior
The file 67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 23:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 23:11
Reported
2024-11-11 23:14
Platform
win7-20240903-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | C:\Users\Admin\AppData\Local\Temp\67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| N/A | N/A | C:\AdobeLY\xdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeLY\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBRU\\boddevloc.exe" | C:\Users\Admin\AppData\Local\Temp\67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeLY\xdobsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe
"C:\Users\Admin\AppData\Local\Temp\67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
C:\AdobeLY\xdobsys.exe
C:\AdobeLY\xdobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
| MD5 | 8187191e9cf58684a89c8ae94842c6e3 |
| SHA1 | 89c5d60bfbfda4aa26acfc4bc28c288f7875d6cc |
| SHA256 | d218e41e086c465e1a1ba18dce49929c064f1748c7836adcfbe8a76eaa7efbd7 |
| SHA512 | 35d997e0de54c4913939a11b6ed4ccbf9f1059a59f48d47e45858a6b298a0e5c1f5f7bdb5909e44d8de2b8bb32ce6c4a2432e124f403982639c516f680e5d50f |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | e761304cbd60bbcd692dd7d7f5dc2634 |
| SHA1 | 81287d927e1095d683c151d4fe8a2463cabeeff6 |
| SHA256 | 5a303610386a82c6bba0f70967ede2f03b35527bbf5e35f449da34290f06f219 |
| SHA512 | fa8db3b8c995866b72c914eb62da17afaf175df14cc1c58ded828d886dcd021f16279de3c14d70fa237470b4407c9ade317e5712340c28a6e3434d78e47ce886 |
C:\AdobeLY\xdobsys.exe
| MD5 | 10e6df3619bbbd1a2464d5000a56fbb5 |
| SHA1 | 9080f324c059847c04fbc434d62d8ab2e06140a9 |
| SHA256 | e437e0733cdde421f32dedbcb49fb69873f23116dc2523e2a45b18e005fd1559 |
| SHA512 | 9cf956066c20f94e36fc21e8c536ef7625e51e279c3c9794d5029cac42d155db5a2e79ccfe4010364e50c34b0675745a5fc121a112892a31b331ab14427ac6ff |
C:\KaVBRU\boddevloc.exe
| MD5 | 0bff6a8bffb6b865fbe4908d666b07ee |
| SHA1 | 5e176ff62c86ebbdaab5e545079308f50395f3f6 |
| SHA256 | 1eb6a2dfe3b351441008aee76bdb1d3a3300807adc21d0dad4766ded0fe17855 |
| SHA512 | 6a6d353a1d440a17b0b10022744e48ce835c6b0a92b97224dff9d7f00f6e0a619ae3c0ecaeb891c68baa42a686e14df25712d05c5893b56d84075279e3cf1a2e |
\AdobeLY\xdobsys.exe
| MD5 | 3b3e70f8f17bd6d0cb900dc7cf6a95e2 |
| SHA1 | d0c6f8710d067a717aa28770a00b51f568a406e5 |
| SHA256 | 91d67129d201a76a55b983ecd427a999b091ce4e615b8dc2169917e648dcfcf5 |
| SHA512 | 4e8c4c88011d53ceedc26ea04a94abd50b2c67a49ab5b60c826b50a09d86b856fb379a23f69e7274da0e51a18181a4d68d4225ab6f6961ca96b15bdfbb46b863 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 1eb93465e67d9e83063cebfb39299343 |
| SHA1 | 177f56f2065cbb02d4ccecf6afb031116f4501b3 |
| SHA256 | 7d499b47d6ea8bae64e5fda7ced238b89ca61f0fd4dab6716194060faa8cf0e5 |
| SHA512 | a7c2ef207175d67f55b8217432ea5d8dcb5583c7716a5c398810a323438e27f8c14355450c405a715812393de83321e53656da0633e88fcc5b61c33d27a6583b |
C:\KaVBRU\boddevloc.exe
| MD5 | b5b522feeb98d018a0726b259322835a |
| SHA1 | d71081e65329944182b60b9443f24be45c7c6d50 |
| SHA256 | 56ffaa2f1b523e7b125e495f6106d9ed7c56eadf2488b2022976075188047389 |
| SHA512 | b8649bc9de4bcb3d66c4c40f1c3c34768c1d563338763fd44405568623765bd7ca8450097910c8742fefcc9d31bf24555f3f07b5aae7ab9be5f9e081329023af |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 23:11
Reported
2024-11-11 23:14
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | C:\Users\Admin\AppData\Local\Temp\67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| N/A | N/A | C:\Files9M\adobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files9M\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintGD\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Files9M\adobloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe
"C:\Users\Admin\AppData\Local\Temp\67ae7cf0cc202e2443f2b0034dac63bb5cb9ac41292594f92d56c7a15d045efe.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
C:\Files9M\adobloc.exe
C:\Files9M\adobloc.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
| MD5 | 1983324de22177c05c175fc86f8a2d0d |
| SHA1 | b12c52b998cf474df4e0ec53bbea83c0e64cb218 |
| SHA256 | 8e289fea78dda9dad5d2813de8fce5b2e1961b0f728524302abefd8ef6a21e51 |
| SHA512 | 622c8c2e54bb719085d87644b9aac75619a2d3ba09688fcb1aa968c63749f876690cd16ede7f23fa930a3c559aeab5e221b8e24cda639ab9177fd46ad599a068 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 4b901f056344704ee8e7a3590ebc8ebd |
| SHA1 | 828272ab43014917c56241cfe560b1f042af4813 |
| SHA256 | 865e244b3665ead5657c2e9d9c27ef4916de7590fe968386a0384f1dd97aa6d5 |
| SHA512 | 245fea705bc8ed2a6567d779fbccceb8ca2bfef5c5f32bcf97feaa0c8ebd5e57ea17d6c58d4c35dea0a7c95148e73dcc07ddc9905d6d7fd918f2fa954ed964c5 |
C:\Files9M\adobloc.exe
| MD5 | 274e5585aedfe98896b8ed6e3dac0e64 |
| SHA1 | bf56fdadcbf15e2f9d58281be1a7b944995409c2 |
| SHA256 | 71aa807c7a8eec222df62231c87998670ceabb67389c69a00c719afe43c73820 |
| SHA512 | 9c115d495cb8387fc243a8e67ecfed31e15f0169137a68e00f36cff634a53498726e69506869f26c8f19bfcdd4d0af175278f386cd7a43eec0634af9f9bff45f |
C:\MintGD\bodasys.exe
| MD5 | 3f55fb9ab7829db24a822ce85b240c3a |
| SHA1 | 76428855a95a89dd8aec0283bd6790ab906bd0cf |
| SHA256 | d725e6769caf1273e0fa565bd3db86f57854765b5c830f7ee8d296e4c22d7a84 |
| SHA512 | 7f8a1deb30088733f9b47dd9e38158862e4dc1c1adbe53230df2e87d22145b775973fda86948fb180045d184eee9ae3ff8d4a08fe401bc30404a476b38582265 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | d44362fe379f3f635404cb8887cbde71 |
| SHA1 | 411dffa57b1f9f85a6283c8a55b4508499dc53bf |
| SHA256 | 89680c99b1c3de936b5aa03bf1afc2cfebbc795644f03f11dee64e7a6ec943af |
| SHA512 | 6524dd4c853b09eac7d83b4471cd50937ba03c9da886b8dd541e3ba00e819e3b2ffbb523bf520f2247ce7f6b7e4672fffbdc82400e76838f064b04e95eca9f54 |
C:\MintGD\bodasys.exe
| MD5 | 1a5c7f172ad273d235d0f868c1be4c37 |
| SHA1 | ecc8f1f0e52cde30a4e5f429c11eead50b17a6ce |
| SHA256 | 369a68a29f50b1ee76751e6e9c3e86e735524f4a52ca9dfa6419f494ed745d27 |
| SHA512 | bdbe641bc4577789f78056b34915f1fe5d1f9d9b84bcb36150c4c681a3006ab234966d8fc056fdb37d531151dd1bc5862590fb249426bfcbe82d124c22d361d8 |