Analysis Overview
SHA256
8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823f
Threat Level: Shows suspicious behavior
The submitted file 8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN (detonated as 8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe in the runs below) was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Techniques mapped from the signatures above: T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder) for the Run/RunOnce values and the Startup-folder drop, and T1614.001 (System Location Discovery: System Language Discovery) for the NLS\Language key reads.
Analysis: static1
Detonation Overview
Reported
2024-11-11 22:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 22:58
Reported
2024-11-11 23:00
Platform
win7-20241023-en
Max time kernel
120s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\IntelprocW9\xoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocW9\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxKX\\bodxec.exe" | C:\Users\Admin\AppData\Local\Temp\8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe | N/A |
Both values sit in the current user's hive (HKCU), so they need no elevation and only persist for this user. The Run target xoptiec.exe executed during the detonation; the RunOnce target bodxec.exe was written to disk (see Files below) but never appears in the process list, so it would first run at this user's next logon. The value name Parametr and the drop directories created directly under the drive root (C:\IntelprocW9, C:\GalaxKX) are the stable hunting indicators here; the file and directory names differ between the two runs (compare behavioral2).
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocW9\xoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe
"C:\Users\Admin\AppData\Local\Temp\8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
C:\IntelprocW9\xoptiec.exe
C:\IntelprocW9\xoptiec.exe
Network
No network entries were recorded for this run (17s network capture window).
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
| MD5 | a91dd70e068653a5bca35736775ddd97 |
| SHA1 | d8c3cfc54fcb6979133a4a56e88741cfd701b2ae |
| SHA256 | 8d79855e91f051a6dc0dc2ca4474f6c3b0d42061a9d892d626e2a112adc8b4fb |
| SHA512 | 9cadeeb7619c80eb5686b910c94e229ba16507eb4052749c3b172c0f717355e6f09a9387ca68dcebdb8038e4f551ca0c2f39ed6599d33d4ec13f794608f55208 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 6d5f30b803628c2a1a971408fa78378f |
| SHA1 | f6035e1680d6bf09b2f17967c78b003db73ebfe0 |
| SHA256 | 7c95a2217ea8488351cf7d52d151bd6fad167fef47da0d6a4e218ae5a889def0 |
| SHA512 | 68e0bd54a762946964a647539a216690d32ce2b7dca0f1ed4770070550640cc4221461009293fedff9183e3a947ce0bb896cf097ea4de586ac59928432df4432 |
C:\IntelprocW9\xoptiec.exe
| MD5 | e533b20f19695e5552170bdd69b85771 |
| SHA1 | 298d8975b6ebe39846c49d79f054deb502abbda8 |
| SHA256 | e9f7f7dab03d46466b898c8dc68d2bac0ebf7d871ffa560cc000a6329eb593ad |
| SHA512 | ee6af73bb7490c22205ea5080344ca90a6c07eec537cdda98e6516d8fe9fbef9908fda9c9728741a38443bffd61c41b6334d24c51b97a4f08ccebed5099fea1c |
C:\GalaxKX\bodxec.exe
| MD5 | 9fb4fcfed5df47333511f6ff321a1e3a |
| SHA1 | 6abd3fa3fb17770f0e2df3a500569857217d70ab |
| SHA256 | b7fb271cc53f9789bd54ade05ecdf4525e7f677a9c2b0280d1890bf34e86db5a |
| SHA512 | 3bed07fb3b06f4af64d65f5cb9fa7d3211de5a4149cb109227d95649b32c20df1adc181894c569343ed51724e7afecf85363ca972e6c9d825bbafa352dc3744d |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | f0322d49211dd3301cb67b88029594fc |
| SHA1 | cba9599d99f4bfcd3b63f6d3387169e0fac98a80 |
| SHA256 | e4dac26e2504ccd837088e187f5e18f7ec1a0b680bcec3819468972d840bc7fe |
| SHA512 | 2218f84c617ed3558e1eac673419dc399d14268dc67b26b2b87c0d50e78ffd186e639919c67af6c21d77b4ae783bc0d5cf6e7c01f9190a786e6b3e73cb728ad5 |
C:\GalaxKX\bodxec.exe
| MD5 | 9066f9da2f6e14f558228b695e72cbf2 |
| SHA1 | 91038a2a5cdbee686253b1163db1462b67afdc3e |
| SHA256 | afcec9da3d6ab02251f8cfb55fdbb99d8a48092388bebeb354a5ecbedcca04c4 |
| SHA512 | 41a27889d2f9e9fe12ceb02ebb86a9a7b9be8a9c8b34ddf510ffdc5876880d78e33cc31be4832bd57fa4af876e75459907f209f89f94d42328c4aa001f56117d |
Two paths (C:\Users\Admin\253086396416_6.1_Admin.ini and C:\GalaxKX\bodxec.exe) are listed twice with different hashes: the sandbox captured two versions of each, i.e. the files were rewritten during the run, so all of the listed hashes are valid IOCs for this sample. The .ini name embeds the OS version (6.1 on this Windows 7 run, 10.0 on the Windows 10 run) and the user name, which looks like a per-host marker file written by the sample.
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 22:58
Reported
2024-11-11 23:00
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\Adobe3Z\adobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe3Z\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidT8\\dobaloc.exe" | C:\Users\Admin\AppData\Local\Temp\8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe | N/A |
Same pattern as the Windows 7 run, with different names: the value name Parametr is constant, the Run target adobloc.exe executed during the detonation, and the RunOnce target dobaloc.exe was dropped (see Files below) but did not run within the 119s window. Both values are in HKCU, so no elevation was needed.
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Adobe3Z\adobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe
"C:\Users\Admin\AppData\Local\Temp\8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
C:\Adobe3Z\adobloc.exe
C:\Adobe3Z\adobloc.exe
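The following is an added example, not part of the sandbox report: it turns the "Adds Run key" and "Drops startup file" rows of the behavioral1 run (and works unchanged on the behavioral2 rows) into structured persistence findings, and checks each autostart target against the process list to tell which persistence entries actually fired during the detonation. The input rows are copied from the page's tables; the helper names and the `STANDARD_ROOT_DIRS` allow-list are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: signature rows and process list of the behavioral1 run,
# copied from this report in its "| Description | Indicator | Process | Target |" form.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
HKCU_CV = r"\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion"

SIGNATURE_ROWS = [
    f"| File created | {STARTUP} | {SAMPLE} | N/A |",
    f'| Set value (str) | {HKCU_CV}\\Run\\Parametr = "C:\\\\IntelprocW9\\\\xoptiec.exe" | {SAMPLE} | N/A |',
    f'| Set value (str) | {HKCU_CV}\\RunOnce\\Parametr = "C:\\\\GalaxKX\\\\bodxec.exe" | {SAMPLE} | N/A |',
    f"| Key opened | \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\NLS\\Language | {SAMPLE} | N/A |",
]
PROCESSES = [SAMPLE, STARTUP, r"C:\IntelprocW9\xoptiec.exe"]

# Matches '...\CurrentVersion\Run\<name> = "<target>"' as the sandbox prints REG_SZ writes.
RUN_VALUE_RE = re.compile(
    r'\\CurrentVersion\\(?P<hive>RunOnce|Run)\\(?P<name>[^\\=]+) = "(?P<target>.*)"$', re.IGNORECASE
)
# Assumed allow-list of directories that legitimately live directly under the drive root.
STANDARD_ROOT_DIRS = {"windows", "program files", "program files (x86)", "programdata", "users", "perflogs"}


@dataclass
class Persistence:
    mechanism: str              # "startup_folder", "Run" or "RunOnce"
    target: str                 # file that will be launched at logon
    writer: str                 # process that dropped the file / set the value
    value_name: Optional[str]   # registry value name, None for the Startup folder
    executed: bool              # target appeared in the run's process list
    nonstandard_root_dir: bool  # target sits in C:\<dir>\ with <dir> outside STANDARD_ROOT_DIRS


def split_row(row: str) -> List[str]:
    """Split one '| a | b | c | d |' table row into stripped cells."""
    return [cell.strip() for cell in row.strip().strip("|").split("|")]


def unescape_registry_path(value: str) -> str:
    """The report prints backslashes inside REG_SZ data doubled ('C:\\\\dir'); collapse them."""
    return value.replace("\\\\", "\\")


def in_startup_folder(path: str) -> bool:
    return "\\start menu\\programs\\startup\\" in path.lower()


def nonstandard_root_dir(path: str) -> bool:
    """True for C:\\<dir>\\<file> where <dir> is not a standard Windows top-level directory."""
    m = re.match(r"^[A-Za-z]:\\([^\\]+)\\[^\\]+$", path)
    return bool(m) and m.group(1).lower() not in STANDARD_ROOT_DIRS


def triage(rows: List[str], processes: List[str]) -> List[Persistence]:
    """Extract autostart persistence from signature rows; mark entries whose target ran."""
    ran = {p.lower() for p in processes}
    findings: List[Persistence] = []
    for row in rows:
        description, indicator, process, _target = split_row(row)
        if description == "File created" and in_startup_folder(indicator):
            findings.append(Persistence("startup_folder", indicator, process, None,
                                        indicator.lower() in ran, nonstandard_root_dir(indicator)))
        elif description.startswith("Set value"):
            m = RUN_VALUE_RE.search(indicator)
            if not m:
                continue  # some other registry write, not an autostart value
            target = unescape_registry_path(m.group("target"))
            findings.append(Persistence(m.group("hive"), target, process, m.group("name"),
                                        target.lower() in ran, nonstandard_root_dir(target)))
    return findings


if __name__ == "__main__":
    for f in triage(SIGNATURE_ROWS, PROCESSES):
        state = "executed" if f.executed else "NOT executed in this run"
        flag = " (non-standard root dir)" if f.nonstandard_root_dir else ""
        print(f"{f.mechanism:15} {f.value_name or '-':10} {f.target}{flag}: {state}")
```

Run against the rows above this prints three findings: the Startup-folder copy and the Run target were executed, the RunOnce target was not, and both registry targets live in a directory created directly under C:\. The `executed` flag is what tells an analyst that bodxec.exe (or dobaloc.exe in behavioral2) is a second-stage that the 120 s detonation never reached.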
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
All ten entries are reverse (PTR) lookups of IPv4 addresses sent to the resolver 8.8.8.8; there is no forward lookup of a domain, and the table does not attribute any query to the sample's processes. The Windows 7 run recorded no traffic at all, and PTR queries of this kind are commonly generated by the Windows 10 image's own background services, so treat them as unattributed until the addresses themselves have been checked rather than as C2 indicators.
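Added example (not part of the report): a small classifier for the Network rows above that separates reverse lookups from forward lookups and recovers the address each in-addr.arpa name asks about, which is the value an analyst actually needs for attribution (whois, passive DNS) of the entries above. The rows are copied from this page; the function names are this example's own, and the `example.net` row in the usage block is constructed to show the forward-lookup path.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed input: the behavioral2 Network rows copied from this report,
# in the page's "| Country | Destination | Domain | Proto |" form.
NETWORK_ROWS = [
    "| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |",
]

# Four dotted octets followed by the IPv4 reverse zone; octet range is validated by ipaddress below.
PTR_RE = re.compile(r"^((?:\d{1,3}\.){4})in-addr\.arpa\.?$", re.IGNORECASE)


def split_row(row: str) -> List[str]:
    """Split one '| a | b | c | d |' table row into stripped cells."""
    return [cell.strip() for cell in row.strip().strip("|").split("|")]


def ptr_name_to_ip(name: str) -> Optional[str]:
    """'209.205.72.20.in-addr.arpa' -> '20.72.205.209'; None if the name is not a valid IPv4 PTR name."""
    m = PTR_RE.match(name.strip())
    if not m:
        return None
    octets = m.group(1).rstrip(".").split(".")
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:  # e.g. an octet above 255
        return None


def classify_dns(rows: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Return {'reverse': [(resolver, address asked about)], 'forward': [(resolver, name)]}."""
    reverse: List[Tuple[str, str]] = []
    forward: List[Tuple[str, str]] = []
    for row in rows:
        _country, destination, name, _proto = split_row(row)
        if not destination.endswith(":53"):
            continue  # not a DNS query row
        ip = ptr_name_to_ip(name)
        if ip is not None:
            reverse.append((destination, ip))
        else:
            forward.append((destination, name))
    return {"reverse": reverse, "forward": forward}


def ips_asked_about(rows: List[str]) -> List[str]:
    """Sorted, de-duplicated list of the addresses behind the reverse lookups, ready for whois/pDNS."""
    return sorted({ip for _, ip in classify_dns(rows)["reverse"]}, key=ipaddress.IPv4Address)


if __name__ == "__main__":
    result = classify_dns(NETWORK_ROWS)
    print(f"{len(result['reverse'])} reverse lookups, {len(result['forward'])} forward lookups")
    for ip in ips_asked_about(NETWORK_ROWS):
        print("  PTR for", ip)
    # Constructed extra row to show a forward lookup landing in the other bucket.
    print(classify_dns(["| US | 8.8.8.8:53 | example.net | udp |"])["forward"])
```

For the ten rows above the result is ten reverse lookups and zero forward lookups, which is why the table gives no domain-based IOC: whatever the sample itself may contact was not resolved by name in this run.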
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
| MD5 | 86c4f01180028704f1c5a9470f356552 |
| SHA1 | a523edf7789463e509a58e35b700a2375fc3f425 |
| SHA256 | 5dfbdc4843a991ab1ede3bd4bc23cffaba8becc0d9bf6f6e4e6a8a80db437fb3 |
| SHA512 | 08d303e20c76246635a343cf9df17de01b1b4c5219b02c636b30b934db7658168b4f390fdb8f732f10900fcf26a802fc5f8e3598ffd06e97251e80d21d216c69 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 58fb11b5f050ef11db6049686b32450d |
| SHA1 | 5098a26155acf7baf54ba3a188704c93c6c59570 |
| SHA256 | bdfe63dba1e0b3dfe8c024d07524c52265f33a2fdf13ed29d63df33e197cd71c |
| SHA512 | 85ae1aac819580fc4de5806cc9c9cd6b15906a911935bb3a493de0b6cda0963792a49e3e704b10683be7a8a200ba5d7241e288996f09f0534ce5206063926882 |
C:\Adobe3Z\adobloc.exe
| MD5 | 838e707fb5e4f816b0c784b9c7cc3de6 |
| SHA1 | c9b80d395abfac45e636abda99b1676456e01cf9 |
| SHA256 | b9cc4189c484e7eb3127c48b8ff3481c97d414012d31b31737003294dd6b5b14 |
| SHA512 | 40091a6ed33d4e80faefd1d0c2f5114f1914b02c43fa3e92d31d67696f83c5bef23a19d8f01b2f8fa1009c893e770777f37187a112a17769887aadd077dd95ee |
C:\VidT8\dobaloc.exe
| MD5 | f67875ba4796683f4cee41b943da23b8 |
| SHA1 | ea01d0133be069525c05cba3435f9d687d3d4f36 |
| SHA256 | 9f10d28da9d7e5f7005e9ea0b67262c0601e12c0de44f54086765593be2b4953 |
| SHA512 | aeffc3ec1902ff17ab47622e88c27e554d0c410f1828c2d64b18e442853828e153d4b6f4512a1bef63a709e5f2461d212a1105ddb89e65b1e7aadc82e7855d2c |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | d8dcd725e2f78b02fef756a5c0d6482e |
| SHA1 | d8125c0e9f8b53c7e7094fe11e382c5f0c662842 |
| SHA256 | a4e60670029a919e38fe240f5722209b1687596f3a42a9697af7869f60fadf7f |
| SHA512 | 28ff1d5117437a62a89c096219f2de508a410cde0537267815281459ca5af4cd63740dae0c8e3972102231a39090e882fbcbf16a52d3d25bfda95e3bc7ea445a |
C:\VidT8\dobaloc.exe
| MD5 | a48326df3e9f03af4efba04847a1aea4 |
| SHA1 | 641f6ff2c62029a37c2423f95507af9119ff957c |
| SHA256 | dbb8d656d3e9c5d826466eba74e72c6b62ff271896618a0c2d40a7d2ceca8c3f |
| SHA512 | e7dbeb38ba60f41db7ae27a20398c1b40d45053240559da891f6573743fd9d163ea76b5d12e5c1c4a11e456e793cce38eb25ec08c975cd233a3c4b2a905f6b55 |
As in the Windows 7 run, C:\Users\Admin\253086396416_10.0_Admin.ini and the RunOnce target (here C:\VidT8\dobaloc.exe) are each listed twice with different hashes, i.e. they were rewritten during the run; the .ini name again carries the OS version (10.0) and the user name. None of the dropped-file hashes match between the two runs, so hunting should rely on the behaviour (Parametr value name, Startup-folder copy, executable in a fresh directory under C:\) rather than on these hashes alone.