Analysis Overview
SHA256
6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08
Threat Level: Shows suspicious behavior
The file 6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 17:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 17:23
Reported
2024-11-12 17:25
Platform
win7-20241010-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | C:\Users\Admin\AppData\Local\Temp\6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| N/A | N/A | C:\SysDrvZX\devoptiloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvZX\\devoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintLF\\optialoc.exe" | C:\Users\Admin\AppData\Local\Temp\6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvZX\devoptiloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe
"C:\Users\Admin\AppData\Local\Temp\6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
C:\SysDrvZX\devoptiloc.exe
C:\SysDrvZX\devoptiloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
| MD5 | a585877f139c420ea57bbb243df44aa4 |
| SHA1 | 9cbf167fcccf876df8385ce9d06a9044f87d56c2 |
| SHA256 | 97fdf5dca5bb154d3944fb0260b51904112e8fec66c0ff189931c739dc1697d2 |
| SHA512 | 20ca61d26620dc8418586d360aaeb7110bd1e07c53b6cf10aa8d2b4243cdce0918c6278f242f1c019fdae1b31cf6936a0e7de923c2266539a498a1f646edcb05 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 278ee6f9bcda58cc2218f55904c4a3e9 |
| SHA1 | 87871fe4f8e96876cda5543a14781e939e749c6c |
| SHA256 | 2eac99da5a3f72e26d34eceb2fff638dae7bd988a3b5a500890644f743f2028f |
| SHA512 | 13d1a39f2e41b2d187cf3820efab67926d8f6df678b374a2d32a292c22eb3431b9e911805bbf3c5d291904ab221b987ca3864f539fde7f71ed83d83072407531 |
C:\SysDrvZX\devoptiloc.exe
| MD5 | 97d906ffa788f2ba8509d934294e4d52 |
| SHA1 | f1e5b7dfd1a4f319d5ece83bf52bdafb23ee4b5c |
| SHA256 | c4fb901c3a274deed1a2132a019edd66b9dda7bcfa072f7fe6eaacf47d4a086d |
| SHA512 | 254cb4d453bbba5e87b2d091e8209ac5740023cc7d7d5678d2a976af5ed731df23cdeae4bc073fcd05591303d3940725357c0c844d7a212d0182c4e3c0b97ea0 |
C:\MintLF\optialoc.exe
| MD5 | d2cc5d9440b000c786335062ff447c9d |
| SHA1 | 81d58c45276a75c480e7103a3a349e8f3add6203 |
| SHA256 | def49d86cead7ec5c2d6c3dc92109956d0ab9d28d7b52b047f204059f8747510 |
| SHA512 | da0ea6ced2bcb7a9e6649d431b58e0eb8e9ca22db008696dc480147b40ec1a0aadb318422eb0284233eac865cf7009f5505e49d0a4246acf848cf70881c9882d |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 55b38c6aca9d9e298fa7176b75e1b559 |
| SHA1 | 26c601fa0a19713967932f2b86166f4d46fa1718 |
| SHA256 | a6c0048a17b9f3a0c1214a44067fa9770eef53c946d5bd3bd2ef1599924568ce |
| SHA512 | a066c27e26c6630b26c44f4ec21b1aaa76f2d1a8dbfb74d1a0fff3845ec248168da3805e32bb04155e1bc6675e41b0b1696f2c2b59ebb683b6408b7c14af14df |
C:\MintLF\optialoc.exe
| MD5 | 25a27647d3870d56c20f82aba7a36e9f |
| SHA1 | 52c6035f13accff1ddb4e06e0fb71f86dabc25f5 |
| SHA256 | 66a4a5a90cdac91c093c1fc624aab5a426d62aee13578a3775d36bfb165dcb14 |
| SHA512 | 826856681439e70a392a0b4d06445a1475d98bae4437c38df216dc68ad0361f6fa6edeaf5d9e61797e4d9b35b2e6caf00a2d3d190a148f02adee08597796ad17 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 17:23
Reported
2024-11-12 17:25
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | C:\Users\Admin\AppData\Local\Temp\6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| N/A | N/A | C:\UserDot9P\devbodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot9P\\devbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBKC\\optiaec.exe" | C:\Users\Admin\AppData\Local\Temp\6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDot9P\devbodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe
"C:\Users\Admin\AppData\Local\Temp\6942fe18c24d14afd8252da2f9d53ef207fdb4ee6e62c1bfe36ee83d43cc7e08N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
C:\UserDot9P\devbodsys.exe
C:\UserDot9P\devbodsys.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
| MD5 | 80a224f073b93411a98578784e34ec88 |
| SHA1 | 2b69b5b26b76de13eda0892043b1c2675c63ee24 |
| SHA256 | 9900959f4447efd2229c842d0ed6a645197f3e9be28d316a80b3a39587fcb320 |
| SHA512 | dbdabf277cf6d09be75c2203068d0b8c1d0c862116d5d44d1b3ac054831c07b2e099681e186f5ef03fc26d9a6f3d6e4d2fad29d234134080c226cf47548f4fac |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 6ca4c129eea65bb7588a6b09812b8014 |
| SHA1 | fe758ce26416456942572ffe01865379b8e654b6 |
| SHA256 | 6a5ae70509c2707bba8b6e79a923a486cbbba302b9856a2ebef2dac6831ae015 |
| SHA512 | 351c9c542a56db4a6e938854843b11f55756e5817078738034c910a308b72fac23247172048fe6980c75d19f7174509b87cf592c9dab6a3a2aa9acdae5d784e1 |
C:\UserDot9P\devbodsys.exe
| MD5 | efbe368a855747c59aacbe5016e9877a |
| SHA1 | a6f12719f2945f1ad3f0c7051469d156fbbbd828 |
| SHA256 | e353872049e72a893f7708f705c94024e42eb6ace0723885f06eeab4c8a76999 |
| SHA512 | 864137138eb2444d19c9d6841e1d61ccabd7c363443d8e224843ff6342353a5b791bf87010014ec368792eeb31295a73a0a0e3de4ae540068eee4c422cb696e3 |
C:\KaVBKC\optiaec.exe
| MD5 | c21e61e7f02dc9e34e0fed9557148c07 |
| SHA1 | 6a781cfd919cacace205f8f49d07e9bf7f850d74 |
| SHA256 | cd189de8e1ddbb4d87804b62ad04cc11f67bd5f5bf694ee5a2fc6c7fe22adce9 |
| SHA512 | 10f1e05bffa92c05b89ba7485fca21aec32015f0457675bfab504a77a4255d24e8bfcb9f0446f81000883f8a8ee8d8b9aa8e3fc7449d1855c53628a1f0740edc |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 1c33f30df72f7657384b11cbeafe3d89 |
| SHA1 | 6aea8a8e4401a7b727cc2a539462f9ae64f689ac |
| SHA256 | 86607bbfd21728e30f4c60724b5efd485fc1ebeb6a71a9f20dd2ef99f55bef6a |
| SHA512 | 8f124f26df50420408896e8fa8f84b7b919ad3ff175f32c456ba3f527cfa528705e4fb8ecd4bcdc219978d830181c2d515da0e8a1d6ce3b3a727a1de0795b127 |
C:\KaVBKC\optiaec.exe
| MD5 | 962ade4564e516f5bd4a187a1ed68b5c |
| SHA1 | 8450f86fbb101930afd30538c94d9eb4537a5a3b |
| SHA256 | 5089611612ab52e3fb06e094d9ee21d8e0759e72af357ae288e9a70d8ad2b33f |
| SHA512 | ee9d5e5ea720bdab8fbee53243d957f475f00202880b22014c5905c584f51ae26f676d5810cb89570cbc45dd4eeae3d32fd99d569713c394db2fc869b4b203a3 |