Analysis Overview
SHA256: c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8
Threat Level: Shows suspicious behavior
The file c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8 was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-12 17:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-12 17:05
Reported: 2024-11-12 17:07
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 152s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | C:\Users\Admin\AppData\Local\Temp\c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| N/A | N/A | C:\SysDrvI6\xdobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvI6\\xdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintX4\\optiaec.exe" | C:\Users\Admin\AppData\Local\Temp\c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvI6\xdobloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe
"C:\Users\Admin\AppData\Local\Temp\c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
C:\SysDrvI6\xdobloc.exe
C:\SysDrvI6\xdobloc.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\SysDrvI6\xdobloc.exe
C:\MintX4\optiaec.exe
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-12 17:05
Reported: 2024-11-12 17:07
Platform: win7-20240903-en
Max time kernel: 150s
Max time network: 122s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\IntelprocTC\xdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocTC\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintHP\\boddevsys.exe" | C:\Users\Admin\AppData\Local\Temp\c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocTC\xdobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe
"C:\Users\Admin\AppData\Local\Temp\c9de47957e3b2c63d6adba40a0cae4f1a74018d1eae5f5a58f4e5a913c1cd0f8.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
C:\IntelprocTC\xdobsys.exe
C:\IntelprocTC\xdobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\IntelprocTC\xdobsys.exe
C:\MintHP\boddevsys.exe
\IntelprocTC\xdobsys.exe