Analysis Overview
SHA256
18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106
Threat Level: Shows suspicious behavior
Verdict for 18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe: shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 17:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 17:13
Reported
2024-11-12 17:15
Platform
win7-20240903-en
Max time kernel
120s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | C:\Users\Admin\AppData\Local\Temp\18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| N/A | N/A | C:\AdobeQ4\devdobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeQ4\\devdobec.exe" | C:\Users\Admin\AppData\Local\Temp\18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintRI\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeQ4\devdobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe
"C:\Users\Admin\AppData\Local\Temp\18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
C:\AdobeQ4\devdobec.exe
C:\AdobeQ4\devdobec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\AdobeQ4\devdobec.exe
C:\MintRI\optidevsys.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\MintRI\optidevsys.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 17:13
Reported
2024-11-12 17:15
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
94s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\FilesKT\xbodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesKT\\xbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBEL\\boddevloc.exe" | C:\Users\Admin\AppData\Local\Temp\18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesKT\xbodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe
"C:\Users\Admin\AppData\Local\Temp\18c50f227c88d7c7ed51e747d7127275e20ad85a446535dde171c35ce0f54106N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
C:\FilesKT\xbodsys.exe
C:\FilesKT\xbodsys.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
C:\FilesKT\xbodsys.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\FilesKT\xbodsys.exe
C:\KaVBEL\boddevloc.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\KaVBEL\boddevloc.exe