Analysis Overview
SHA256
95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10
Threat Level: Shows suspicious behavior
The file 95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe was classified as: shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Drops startup file
Reads user/profile data of web browsers
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 17:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 17:13
Reported
2024-11-12 17:15
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
94s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | C:\Users\Admin\AppData\Local\Temp\95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| N/A | N/A | C:\SysDrvTL\devoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvTL\\devoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxHV\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvTL\devoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
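The signature tables above record a compact persistence chain: the sample writes a copy into the per-user Startup folder, registers a `Parametr` value under both `Run` and `RunOnce` that points at executables in directories created directly under `C:\` (`C:\SysDrvTL\`, `C:\GalaxHV\`), and the Startup-folder copy is then executed. The following detection logic is an added example, not part of the sandbox report or of any vendor's ruleset. It evaluates hand-built event records that mirror the report's indicators; the field names follow Sysmon's convention (EventID 11 = FileCreate, 13 = registry value set, 1 = ProcessCreate), but nothing here reads a real event log, and the Program Files entry is a constructed benign control.

```python
"""Detection logic for the persistence chain in the signature tables above:
an .exe dropped into the per-user Startup folder, Run/RunOnce values whose
target lives outside the usual install locations, and a process launched
from the Startup folder.

Added example, not part of the sandbox report. SAMPLE_EVENTS are constructed
to mirror the report's indicators; field names follow Sysmon's convention
(EventID 11 = FileCreate, 13 = registry value set, 1 = ProcessCreate) but no
real event log is read.
"""
import re
from dataclasses import dataclass
from typing import List

STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I)
# Roots under which autostart targets are normally legitimate.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# An .exe inside a directory created directly under the drive root (C:\SysDrvTL\x.exe).
DRIVE_ROOT_DIR_EXE = re.compile(r"^[a-z]:\\[^\\]+\\[^\\]+\.exe$")


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    process: str
    detail: str


def exe_from_value(data: str) -> str:
    """Normalise registry data to the executable it launches (lower-cased).

    Accepts bare paths, quoted paths followed by arguments, and the doubled
    backslashes used in the report's rendering of the value.
    """
    text = data.strip().replace("\\\\", "\\")
    m = re.match(r'^"?(.+?\.exe)', text, re.I)
    return (m.group(1) if m else text).strip('"').lower()


def classify_autostart_path(path: str) -> str:
    """Severity for a Run/RunOnce target, or '' when the location looks normal."""
    p = path.lower()
    if any(p.startswith(root) for root in TRUSTED_ROOTS):
        return ""
    # A fresh directory straight under C:\ is how this sample hides; AppData-based
    # autostarts (common for legitimate updaters) only get 'medium'.
    return "high" if DRIVE_ROOT_DIR_EXE.match(p) else "medium"


def evaluate(events) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        eid, image = ev["EventID"], ev.get("Image", "")
        if eid == 11:
            target = ev["TargetFilename"]
            if STARTUP_DIR.search(target) and target.lower().endswith(".exe"):
                findings.append(Finding("startup_folder_drop", "high", image, target))
        elif eid == 13 and RUN_KEY.search(ev["TargetObject"]):
            exe = exe_from_value(ev["Details"])
            sev = classify_autostart_path(exe)
            if sev:
                findings.append(Finding("run_key_untrusted_path", sev, image,
                                        f"{ev['TargetObject']} -> {exe}"))
        elif eid == 1 and STARTUP_DIR.search(image):
            findings.append(Finding("exec_from_startup_folder", "medium", image,
                                    ev.get("CommandLine", "")))
    return findings


# Constructed events modelled on the behavioral2 signature tables.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe"
STARTUP_EXE = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
HKU_RUN = r"HKU\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

SAMPLE_EVENTS = [
    {"EventID": 11, "Image": DROPPER, "TargetFilename": STARTUP_EXE},
    {"EventID": 13, "Image": DROPPER, "TargetObject": HKU_RUN + r"\Parametr",
     "Details": r"C:\SysDrvTL\devoptiloc.exe"},
    {"EventID": 13, "Image": DROPPER, "TargetObject": HKU_RUN + r"Once\Parametr",
     "Details": r"C:\GalaxHV\dobdevec.exe"},
    {"EventID": 1, "Image": STARTUP_EXE, "CommandLine": f'"{STARTUP_EXE}"'},
    {"EventID": 1, "Image": r"C:\SysDrvTL\devoptiloc.exe", "CommandLine": r"C:\SysDrvTL\devoptiloc.exe"},
    # Constructed benign control: an installer registering an updater under Program Files.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": HKU_RUN + r"\VendorUpdater",
     "Details": r'"C:\Program Files\Vendor\updater.exe" /background'},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.process} :: {f.detail}")
```

Against the constructed events this yields four findings (the Startup-folder drop, both `Parametr` values at high severity, and the execution of `sysdevbod.exe` from the Startup folder) and nothing for the Program Files control. Two details from the report are worth folding into a production rule: the same value name `Parametr` is reused in both the Win10 and Win7 detonations, and the Run and RunOnce targets are different freshly created drive-root directories, so a hunt for `Run*` values whose data matches `^[A-Z]:\\[^\\]+\\[^\\]+\.exe$` is cheap and specific.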
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe | "C:\Users\Admin\AppData\Local\Temp\95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe" |
| C:\SysDrvTL\devoptiloc.exe | C:\SysDrvTL\devoptiloc.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
| MD5 | cca61f6ac85d28f74d37350c14f130eb |
| SHA1 | 48098d438b017a6e0f0bf5527d9a3f6127ae1421 |
| SHA256 | 1d9ae25b0de8de331ac7dce1ff3233e453ca3de309f5cef2197f13001e1bee45 |
| SHA512 | e9c56c5b6298e91e85b21f18562ebb2acc6d5f6727f76342b12342a13e9801e1fb57409bcb5143060bb769f04dd6f21f32b2df46183a1c8d1d9c1cdfa4ef5b17 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 7f30ac06e8bec73fd277f605c2d19c9b |
| SHA1 | 70249f190dc1ff24a3d0ea1823756ff8d21b4fb7 |
| SHA256 | 7ac2ffb93ba4aa27a0b2ba702d383d9945882b144fe7c6b4279ca66772aa5f5a |
| SHA512 | 11d071ef911da18fe630321cb59d5b4809709afefddb96432eb613832ade61afcde1db258156ef6e73dbe3a8d4408d09967a5f11e5d19d3635ed9fb60e3f58d1 |
C:\SysDrvTL\devoptiloc.exe
| MD5 | 33d6f51202cac1c64796fbcd39009f56 |
| SHA1 | 350039420fa2be3e0b02ac505728937b12bc0794 |
| SHA256 | 4e5096537808c2348893a196315059b17fb90bea236053413dff8e762644e9ac |
| SHA512 | f8bb1ce6e8656e49dec079cd68fec01e50fc8b0a46e85c76dec9eb8ee22f6ca51f1583ffa36595d7543ae27ca1c95222a982cc345dbeeee3483f96d956372ac7 |
C:\GalaxHV\dobdevec.exe
| MD5 | 974108f8eae5989e5de66fe5d292f1f2 |
| SHA1 | a35467a47148f7ab18d194773d312d8326edac5d |
| SHA256 | 1f00ca27270fb0d29918f7ec4e0fc1bf645853fcdf26580ee6c014769f0bb9ac |
| SHA512 | 41ccb85da84ecc7d25bee647496d659d5d7ae15e339c92f544c23f0b626380fa0a85eb7883f692f54581035f6431a43384294ecc4ac5d13d8000d60f44ee3401 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 20be682eaf1079762e5994180acbd9e5 |
| SHA1 | b3e4059b5f59bf7f1869dafcfdf6063c53cc69a5 |
| SHA256 | b18b882a5a9993494ef9b76c32df4c4fc8dda307b71710fd76f7f15b29580515 |
| SHA512 | 0d239649283ec7719dfb70626ad0751ce2a3588c3a6469a6a5b7f238e90bbb22b15dfb18cc83b385e2675a71d8058a649055c353c63650a0fc221abe5725eb10 |
C:\GalaxHV\dobdevec.exe
| MD5 | 2873fb57ea06e0913c9b5dde7bd73c2d |
| SHA1 | c2794b886d0f3c44e805ffe343756fd81b5c87ec |
| SHA256 | 08bfacea5ca3a11f935a3a68ac2abceac42a731bd3c8bbb834bb6471d43f4587 |
| SHA512 | 9db7ab2c48ad7fd8125df8c24bb1613169cdf1b762ad2552a31ad27ecfb1c9fca9350c4a31f167fa663450d181ba96804fc03f9938c7eea125d4b5efde338d76 |
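Every row in the Network table above is a reverse (PTR) lookup sent to the public resolver 8.8.8.8; the report shows no forward lookup of an attacker-controlled name. To use the report, an analyst needs the addresses actually being looked up (the `in-addr.arpa` name lists the octets least-significant first) and the file hashes as sets, keeping both hash sets where the same path was written twice (`253086396416_10.0_Admin.ini`, `dobdevec.exe`). The parser below is an added example, not part of the report or of any sandbox vendor's tooling; `REPORT_EXCERPT` is a shortened copy of the behavioral2 Network and Files sections on this page, and the parser assumes exactly that layout (a `| Country | Destination | Domain | Proto |` table, then path lines each followed by `| ALGO | hex |` rows).

```python
"""Extract indicators from the sandbox report's Network and Files tables.

Added example, not part of the report or of any vendor tooling. REPORT_EXCERPT
is copied (shortened) from the behavioral2 Network and Files sections above;
the parser assumes that exact layout.
"""
import ipaddress
import re
from typing import Dict, Optional

REPORT_EXCERPT = r"""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
| MD5 | cca61f6ac85d28f74d37350c14f130eb |
| SHA1 | 48098d438b017a6e0f0bf5527d9a3f6127ae1421 |
| SHA256 | 1d9ae25b0de8de331ac7dce1ff3233e453ca3de309f5cef2197f13001e1bee45 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 7f30ac06e8bec73fd277f605c2d19c9b |
| SHA256 | 7ac2ffb93ba4aa27a0b2ba702d383d9945882b144fe7c6b4279ca66772aa5f5a |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 20be682eaf1079762e5994180acbd9e5 |
| SHA256 | b18b882a5a9993494ef9b76c32df4c4fc8dda307b71710fd76f7f15b29580515 |
"""

PATH_LINE = re.compile(r"^(?:[A-Za-z]:)?\\")          # 'C:\...' or '\Users\...'
HASH_ALGOS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}  # hex digits


def ptr_to_ip(name: str) -> Optional[str]:
    """Decode a reverse-DNS query name to the address being looked up.

    '241.150.49.20.in-addr.arpa' is the PTR name for 20.49.150.241: octets
    appear least-significant first, so reverse them and validate the result.
    """
    m = re.fullmatch(r"((?:\d{1,3}\.){4})in-addr\.arpa\.?", name, re.I)
    if not m:
        return None
    ip = ".".join(reversed(m.group(1).rstrip(".").split(".")))
    try:
        return str(ipaddress.IPv4Address(ip))  # rejects octets above 255
    except ValueError:
        return None


def parse_report(text: str) -> Dict:
    iocs = {"resolvers": set(), "dns": [], "files": {}, "hashes": {a: set() for a in HASH_ALGOS}}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("|"):
            cells = [c.strip() for c in line.strip("|").split("|")]
            if len(cells) == 4 and cells[0] != "Country":
                country, dest, domain, proto = cells
                iocs["resolvers"].add(f"{proto}/{dest}")
                iocs["dns"].append({"name": domain, "ip": ptr_to_ip(domain), "country": country})
            elif len(cells) == 2 and cells[0] in HASH_ALGOS and current is not None:
                algo, digest = cells[0], cells[1].lower()
                if len(digest) != HASH_ALGOS[algo] or not re.fullmatch(r"[0-9a-f]+", digest):
                    raise ValueError(f"malformed {algo} for {current['path']}: {digest}")
                current[algo] = digest
                iocs["hashes"][algo].add(digest)
        elif PATH_LINE.match(line):
            # The same path listed twice means the file was written more than once
            # during detonation; every version's hashes are kept.
            current = {"path": line}
            iocs["files"].setdefault(line, []).append(current)
    return iocs


if __name__ == "__main__":
    result = parse_report(REPORT_EXCERPT)
    for q in result["dns"]:
        print(f"PTR {q['name']:<32} -> {q['ip']}")
    for path, versions in result["files"].items():
        print(f"{path}: {len(versions)} version(s), sha256 {[v.get('SHA256') for v in versions]}")
```

Run against the excerpt, the four PTR names decode to 20.49.150.241, 199.232.210.172, 20.190.159.73 and 192.229.221.95, and the `.ini` path comes back with two hash sets. Reverse lookups of this shape can also be generated by background traffic of the sandbox OS, so the decoded addresses should be attributed to their owners before any of them is treated as command-and-control infrastructure; the file hashes, by contrast, are directly usable as indicators.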
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 17:13
Reported
2024-11-12 17:15
Platform
win7-20240903-en
Max time kernel
119s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | C:\Users\Admin\AppData\Local\Temp\95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| N/A | N/A | C:\AdobeR3\abodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeR3\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax6T\\optialoc.exe" | C:\Users\Admin\AppData\Local\Temp\95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeR3\abodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe | "C:\Users\Admin\AppData\Local\Temp\95d0ccd99730a8169b5c71ec7a7064e720562c07f34e16130e2721a910700d10.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe" |
| C:\AdobeR3\abodec.exe | C:\AdobeR3\abodec.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
| MD5 | 66f212d571e1b9aec9d49982a68c9944 |
| SHA1 | 4d5f794f18c0240e71494cf3fdd08006d34a3fca |
| SHA256 | 8618595687a8527abc16205b8ed5c96770b1aa4d621736c29b838725e16c422c |
| SHA512 | 4c018ef074cacbcb00dc09192a1fb845c9a0904b329448b1e69a291e8336be67729e6e440467192cc015649be51a290689fbc25220c1c2832f1609e8ae7a53ed |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | caab9aa866e9537d4b4e8f7a71b1c322 |
| SHA1 | bfb3db4a64d7a43e56871b285406bf1ad3f1b788 |
| SHA256 | 07b637558e81b303e132a09b6ce3ae1fe5c0fc6521a45ecf9a0d05f8bdf65919 |
| SHA512 | a7c257465067957f8d973dc1fcf471f2f1a01b0cca3edd252c569b390280d0b7d0d87e44f7e4f5b5d9bff1d262bdb38ef0684b619ac07494b5c9a47c41a88782 |
C:\AdobeR3\abodec.exe
| MD5 | 39244d9ba1a52e4aeef4259c9e698e90 |
| SHA1 | 5ae70bc14e19c264ea60e5e0fb27e116405d7deb |
| SHA256 | 40869c814345bf023b4be62cab3aa85b1b3e5352deec3c2ab2e820a3c17f81bb |
| SHA512 | a48b3d92171e906d3b39b9808ed5c00ecd68e59961be2697b3352b9016e420a51846518cbe7a08a7af03b10b952beb7e59b30f6f6ac00f6da431afea9c9920d9 |
C:\Galax6T\optialoc.exe
| MD5 | ae403f060aa22cad7b0ed0009dcab246 |
| SHA1 | 28bc0a15cf767caadeaeac040ddf4da37ef81571 |
| SHA256 | 19080880aeca3d3074d5394bd46ef1ba653f783c861a13a14c031ae26bea2393 |
| SHA512 | 04b584f990b7b67c55c742dabc8e18e4e18a15260fad82a91a4cf9fa254d75f6a193db911d63e8db0e1b933ac04a64f989f1283da281d69bff0d4814ed157e05 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 133bc5fd613094e0373c8c12c84fb475 |
| SHA1 | 2de9773784ae3a3bbd7a6de189a8d44345f72d5a |
| SHA256 | 4dd243e7d2f0925e498a468e9dd47378ba016f8b37e872c8aaa22e9eb885b034 |
| SHA512 | 4d75d35da7fc0575d20b02d4b29aa8f78f2aeabc53f2fbeaf488f65bdf16feca3e38babd9b23689a0c1550f1baa7d2888931b8040270754c7425c4f511701271 |
C:\Galax6T\optialoc.exe
| MD5 | b65eaa6b527a3af59bd949a90da7cba2 |
| SHA1 | aa021b73edff73c7f29e237a2cebaa335ba5f5df |
| SHA256 | 77ab70d58e706461912632334bb6007cb4e9073e0ad34790ad1f1c0358941123 |
| SHA512 | 9f9d26df3c8b177995f53b7b65dcb05d886ce163a8acfb7ae256170bc5bf6ee5c20b29046e3e81a04f04ebe9e536c53ae626eff29a1cc677136491326164d7cb |