Analysis Overview
SHA256
42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6
Threat Level: Shows suspicious behavior
The file 42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 16:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 16:51
Reported
2024-11-12 16:54
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
97s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | C:\Users\Admin\AppData\Local\Temp\42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| N/A | N/A | C:\UserDotQ3\devoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBQN\\optidevloc.exe" | C:\Users\Admin\AppData\Local\Temp\42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotQ3\\devoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotQ3\devoptiloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe
"C:\Users\Admin\AppData\Local\Temp\42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
C:\UserDotQ3\devoptiloc.exe
C:\UserDotQ3\devoptiloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
| MD5 | bbae29d793f1f61bef87885d564a2f11 |
| SHA1 | 8a46b7748eb77deb3177d200ef105bc6edfa081e |
| SHA256 | 013abfecf3b6c280e98f4b73e53838bef14162783c468fe20814f7260ffe4de6 |
| SHA512 | 52e6e16a5bbf911f7aea8e1bc9104861de4b2637d153b592d5f460f9b975daeb81f5fa5fb33a427db7cab82cc1cb2b6e47af8296542a6489c03115fb7d77597e |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | f180bebb3bb1ccc382140030c74f363f |
| SHA1 | 1382a406cebf869fad990d15674c737483fddfcd |
| SHA256 | 5909b577757d985e4e3f6691805d26725e6ecd06770ce27d82fcd93cccb2c004 |
| SHA512 | ce1e6ed0e14d3dffe12ec7fe1006e3712c3be438ca411fa5f7490d801e2be76b3ce2b92f631bbbe7dd5fe9079460fde0bc6ea8fc0926934664fee898d91fe853 |
C:\UserDotQ3\devoptiloc.exe
| MD5 | 65dc4240f77882b60ad491b6b46e3bfb |
| SHA1 | 3350ad419946bf6da355c6976b0da2bc8fe0713b |
| SHA256 | 4430f337c4bbb584c0b59fbb0012ea269e86f1498544d402becfaff5e03ba140 |
| SHA512 | 011cb9e81308f0e829bd51f019a4e98808892d002b0988c11c0ea6e09aac1bd15919c48448b61eb710159dbbe8686706f3ec00960b138db68b1f9bd53f8d5183 |
C:\KaVBQN\optidevloc.exe
| MD5 | fd7f26d739038b915a606dac5c73d829 |
| SHA1 | 031ee1e3376a1042d11133faee359266008ff335 |
| SHA256 | 901d06cfbcc104200d0d45f098d1bf3893645263f36300d9d14ec99c9fdf115c |
| SHA512 | 807f019e5381c343aef41dd36647b473bb512c6971a960bcf4e6559626df560ba354d86ca8fe2675574dbe6ea007e6a8791786df4bc89be8979fcf139c5ad6dd |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 420306fd4ec57ee8ebe42d49c039f485 |
| SHA1 | 44489caca684128edffe86f1e6f7ee3dca7e7cde |
| SHA256 | cb3884854af1b05e627612be601009a626d172abba0d336b60b11b5dd49730d0 |
| SHA512 | 1eedd263a8a6fa58d8d799ce5daf15524226cf85c9623c3ded2fc716b88bee5783a202792dd96a6762d99d2c3429513762570ba468e36c7aea258cc7a33dc3c2 |
C:\KaVBQN\optidevloc.exe
| MD5 | cf0673f8aef9b856eb8dccfc22e770ea |
| SHA1 | 646f67e7e93e43d96e9c7d5145e66c803f72dd52 |
| SHA256 | adafd38ef4a0750dc00f9b377c6157179b770412aeb5d14125df0e32bf6d26e7 |
| SHA512 | 8b9da512b3cb61fd6842c2f905ff510b501b3ed6198d34284d3e2dee0a0ba70d62cbdb459f8067844d50f7161ffe32c02cbc1d135be9682ca3df2eec2ca29ee5 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 16:51
Reported
2024-11-12 16:54
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | C:\Users\Admin\AppData\Local\Temp\42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| N/A | N/A | C:\UserDotGB\adobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotGB\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB2T\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotGB\adobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe
"C:\Users\Admin\AppData\Local\Temp\42b39737bef9c52aa5044f8a3952d30638726490188d3dd8d1fe7637dd6aa6d6N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
C:\UserDotGB\adobsys.exe
C:\UserDotGB\adobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
| MD5 | 33bfa39a27e5e14b82f354ba90617aba |
| SHA1 | f6253b7be63e545a8a2a21a43e9d472a87ac2983 |
| SHA256 | 2e158bffcbc0c472a6734bcf9b03dfabc96707228c1983b29bf463b655def2fb |
| SHA512 | c43feda25c21ba6e29c61bb28c0e3250f1c2e3880ae727ee0405a68cc4dd01ee2ad393d7d8855dd271fbc141877aa73bd1e0d27c0b12ff870ab2b6040c433b6a |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | a70d0784d91df7f94a5463ca8519d0bd |
| SHA1 | 10eb1e255417cd954c8c1b3c8a9bf4c95d35fd05 |
| SHA256 | 5fbc773c364a032e99b491a10857896285cc3034f0c301fdd7560afef7cc29aa |
| SHA512 | 158d9ad34cd4a5cfac3b4e471e2b4c777f11e76915ee000e244caec02fdf239094c03190e803c85343b8febb25748505806b3c7ee4b2ea54b18615c2e34e6fb8 |
C:\UserDotGB\adobsys.exe
| MD5 | d6d6f2b24b8a8129cbf4c07961dfe70a |
| SHA1 | 54a6a781c68096bf5c98734119373a2b746fb9d4 |
| SHA256 | 27b4e03a3a95dc840ff6b444e2b15e77190b3dff72bad8d7539263eceb3f475a |
| SHA512 | fe66d1fb078ce0d29722cb7447838200837889747e878e26ba8b5f552cd00418a029f5055545a71d9da4064badda13846698700bf309d0eb6033b9d795e1daef |
C:\KaVB2T\dobdevloc.exe
| MD5 | 3d1d2f31661222e080c9f7b1e6269e17 |
| SHA1 | 9369a5f43aa3f317c09e277bcbc501f6d3dd5d3f |
| SHA256 | 36257a3005fd4909d2e9f05983b2cc2428edd3369559294ef721209b4dd666c4 |
| SHA512 | 676f76418d399a29cee8303f7882a2a4a33445b9243fbe44cc794f3a74225671b62fb3b340d068a4046a79d469e9ca9470cee4148ef2f7c48c61a27bfcd58e5e |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 3b3244152c6db8a506ac70010c7ef2e8 |
| SHA1 | 55ff8a625c1a84ce127cf18869766d755bf3c40a |
| SHA256 | dd2ce19cb9df04ef881fc913c92cb0a2038d183fa8cdf37ec856204f8ddf7f3b |
| SHA512 | adae73e8db78a5a6e65b83407ad5f6812e6951b605f097a9bc3cc563f9ac89936a9372d36eb3af12355665cc275b6b109c3649f0976c8623b49e354f06894cc1 |