Analysis Overview
SHA256
bf84c4bcf67d1f963dc2fecc339622a86877a61613267e827fba27bb68b0f24b
Threat Level: Shows suspicious behavior
The file bf84c4bcf67d1f963dc2fecc339622a86877a61613267e827fba27bb68b0f24bN.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 13:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 13:36
Reported
2024-11-13 13:38
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | C:\Users\Admin\AppData\Local\Temp\bf84c4bcf67d1f963dc2fecc339622a86877a61613267e827fba27bb68b0f24bN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| N/A | N/A | C:\UserDot2V\devbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bf84c4bcf67d1f963dc2fecc339622a86877a61613267e827fba27bb68b0f24bN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bf84c4bcf67d1f963dc2fecc339622a86877a61613267e827fba27bb68b0f24bN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot2V\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\bf84c4bcf67d1f963dc2fecc339622a86877a61613267e827fba27bb68b0f24bN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB5J\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\bf84c4bcf67d1f963dc2fecc339622a86877a61613267e827fba27bb68b0f24bN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bf84c4bcf67d1f963dc2fecc339622a86877a61613267e827fba27bb68b0f24bN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDot2V\devbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bf84c4bcf67d1f963dc2fecc339622a86877a61613267e827fba27bb68b0f24bN.exe
"C:\Users\Admin\AppData\Local\Temp\bf84c4bcf67d1f963dc2fecc339622a86877a61613267e827fba27bb68b0f24bN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
C:\UserDot2V\devbodloc.exe
C:\UserDot2V\devbodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
| MD5 | 186667be31ac95e94a39557d276d523b |
| SHA1 | e158aea3d7167e8db941c160b557b36a8f67fa6f |
| SHA256 | ea3f55b8fa56dd7313e91997abb3c8aa14776c83ee5260788611790e119f97fb |
| SHA512 | 14354235bb38d3757257f41d5a9eb8bec7506a5fdafa70eb86011cbdcebb6afff1f455435399898751f3929ec58c19eb08b3fe7540c5c9b97b3a0dd48a7f880f |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 36e48f8be83078a0a1c8ce16ebcb202c |
| SHA1 | 4d7e3b631d92e55701c9a43b1aa4c0aba0ff441a |
| SHA256 | 7d0ec97bfc24bb5b95e83be2edc797a190e718326d5ae6acb2d1232b47f3d13a |
| SHA512 | a37c6ca1f7742dbe234bd6a0f9c9e480807e798aef03c6f166cd2504b47a2adedf10922a29002aa04462c10fbea330d330c96d137bc53eda8b80c8ff30c7b283 |
C:\UserDot2V\devbodloc.exe
| MD5 | 0c4b668974c8c7d932296aa3af0f3a68 |
| SHA1 | bbfca419d62b11dd80a84a98f0ad08511864c902 |
| SHA256 | e4ef7d46dbe2bbb074f2eb5e038ad2603f3206a187cdbf0ad769cc71991c92c7 |
| SHA512 | 8f7ab8abd47e2b22a74f0fa6440833321415124f15d3ec75c71d20884fb2a01c84c93f0d2b7d096d870ab9de9479cdb001ab7c0658c9dc42b0d7a0f7df9188e8 |
C:\KaVB5J\dobdevec.exe
| MD5 | 88513c9507b61c3c038a6535a2e6eadf |
| SHA1 | 85ec769a42853d78e6a364250699bb8a53d9d253 |
| SHA256 | 4a5542edb299e20ff357cee226e596eff5236d54c5aeb084c5173956b82eea56 |
| SHA512 | af523e204c1e2d28549fafddc275c1e5ba2baf52a6851c88992813cc65001f9e8229086e16fabdfacc4464a62579d32e5a30808c51b3d070f1eb123a1cc3dadd |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | a839448bfcc927ed6f7a759bb8bee5f0 |
| SHA1 | 91d817bd3af6228e080dd588382d2b27c4175153 |
| SHA256 | fbe46dcbf7c3ef94cb0dec1971d7b59ea4c383030bac384fa21debc1cfde3137 |
| SHA512 | a7213316c8449c959f41d0dbb4ad30f513c1b3e9d003aebecd4212543fba53fe6e432b4a13ad319adaea46140226d20a8b5d279b54bcfe99e7b563461faf1cf3 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 13:36
Reported
2024-11-13 13:38
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
93s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | C:\Users\Admin\AppData\Local\Temp\bf84c4bcf67d1f963dc2fecc339622a86877a61613267e827fba27bb68b0f24bN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| N/A | N/A | C:\UserDotPS\devoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotPS\\devoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\bf84c4bcf67d1f963dc2fecc339622a86877a61613267e827fba27bb68b0f24bN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintP2\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\bf84c4bcf67d1f963dc2fecc339622a86877a61613267e827fba27bb68b0f24bN.exe | N/A |
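The two persistence signatures raised in both detonations ("Drops startup file" and "Adds Run key to start application", behavioral1 and behavioral2 above) map directly onto registry SetValue and file-create telemetry that an EDR or Sysmon deployment already produces. The following is an added example, not part of the sandbox report, showing how a detection for those two signatures can be written over Sysmon-style events. The event records are constructed from the indicators in this report (the Run/RunOnce value named Parametr, the locxopti.exe drop into the Startup folder) plus two benign controls; the field names EventID, EventType, TargetObject, Details, Image and TargetFilename follow Sysmon Event ID 13 (RegistryEvent SetValue) and Event ID 11 (FileCreate). The trusted-directory allow-list and the rule that only a PE in the Startup folder counts are design choices of this example, not something the report states.

```python
import re

# Autostart locations under HKCU/HKLM. Sysmon writes TargetObject with single
# backslashes; the regex therefore escapes each backslash once.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\"
    r"(Run|RunOnce|RunServices|RunServicesOnce)\\",
    re.IGNORECASE,
)
# Per-user Startup folder; anything created directly inside it autostarts at logon.
STARTUP_DIR_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$",
    re.IGNORECASE,
)
# Assumption of this example: autostart entries whose target lives under these
# directories are treated as legitimate; everything else (user-writable or
# freshly created directories such as C:\UserDot2V) is flagged.
TRUSTED_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\",
)


def _normalize(path):
    # The report renders registry data quoted and with doubled backslashes;
    # Sysmon renders it plain. Accept both forms.
    return path.strip().strip('"').replace("\\\\", "\\").lower()


def _untrusted(path):
    p = _normalize(path)
    return not any(p.startswith(t) for t in TRUSTED_PREFIXES)


def classify(event):
    """Return [(signature, detail), ...] for one event; empty if nothing fires."""
    hits = []
    eid = event.get("EventID")
    if eid == 13 and event.get("EventType") == "SetValue":
        m = RUN_KEY_RE.search(event.get("TargetObject", ""))
        if m and _untrusted(event.get("Details", "")):
            hits.append(("Adds Run key to start application",
                         f"{m.group(1)} value -> {_normalize(event['Details'])}"))
    elif eid == 11:
        target = event.get("TargetFilename", "")
        # A .lnk or desktop.ini in Startup is routine; a dropped PE is not.
        if STARTUP_DIR_RE.search(target) and target.lower().endswith(".exe"):
            hits.append(("Drops startup file", target))
    return hits


def scan(events):
    """Run classify() over an event stream and collect findings with the acting image."""
    findings = []
    for ev in events:
        for sig, detail in classify(ev):
            findings.append({"signature": sig, "detail": detail, "image": ev.get("Image")})
    return findings


SAMPLE_IMAGE = (r"C:\Users\Admin\AppData\Local\Temp"
                r"\bf84c4bcf67d1f963dc2fecc339622a86877a61613267e827fba27bb68b0f24bN.exe")
SID = "S-1-5-21-312935884-697965778-3955649944-1000"

# Constructed events mirroring the behavioral1 indicators, plus two benign controls.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": SAMPLE_IMAGE,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"},
    {"EventID": 13, "EventType": "SetValue", "Image": SAMPLE_IMAGE,
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "Details": r"C:\UserDot2V\devbodloc.exe"},
    {"EventID": 13, "EventType": "SetValue", "Image": SAMPLE_IMAGE,
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "Details": r"C:\KaVB5J\dobdevec.exe"},
    # benign control: a Run value pointing into Program Files (constructed, not from the report)
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    # benign control: a non-PE file in the Startup folder (constructed)
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['signature']}] {f['detail']}  (by {f['image']})")
```

Running the block prints three findings for the constructed stream: the Startup-folder drop and the Run and RunOnce values, each attributed to the sample's own process image, while the Program Files entry and the desktop.ini write stay silent. To apply it to real telemetry, feed it parsed Sysmon events with the same field names; the behavioral2 indicators (sysdevopti.exe, C:\UserDotPS\devoptiloc.exe, C:\MintP2\bodasys.exe) fire the same two signatures.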
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bf84c4bcf67d1f963dc2fecc339622a86877a61613267e827fba27bb68b0f24bN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotPS\devoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bf84c4bcf67d1f963dc2fecc339622a86877a61613267e827fba27bb68b0f24bN.exe
"C:\Users\Admin\AppData\Local\Temp\bf84c4bcf67d1f963dc2fecc339622a86877a61613267e827fba27bb68b0f24bN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
C:\UserDotPS\devoptiloc.exe
C:\UserDotPS\devoptiloc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
| MD5 | 1e9672fb1c2bca7ec7872c4d9cd45def |
| SHA1 | f478c2456a49285369daae9a34c8fa9407b686ee |
| SHA256 | f50c7096190d771ae7396ca0d655aaf5080a7df5267702c674ac4193939c22d8 |
| SHA512 | 3cf2494f29fbbd74a394b9f8f1c5a73cdeb7b82ea74056aca94960f284e49d1b5d5e6278c3a330b558578b7685ef1f03d064f7ca9613a2ae34151d26bab8c331 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 815c96e3d648e5a3be55deab2d1e9be3 |
| SHA1 | 3b13b5fc2dad91fc07b378089ef086fe46fbc40f |
| SHA256 | 3ec0b9ad201929c2b548da68faf06212300dc0e8f12c98b83e8301f5faa650b1 |
| SHA512 | 12e67372c762b76f94112b4c951bdb8fd9758413e9172ebe8c1a8a0096ebca8b1b04e03dbfbde185d2281bcb301d870d3b47fd0431a7860182b21a02bc31e085 |
C:\UserDotPS\devoptiloc.exe
| MD5 | 069046c11f2b033a1ab2d6fd50e618bb |
| SHA1 | 487582a189171418e624a8253bf80307b9a42d97 |
| SHA256 | 5c2a81a0ef125cd3e69c59d53c8a58737f5c81b1ae9837298694782f8d3bbbcc |
| SHA512 | dcf46c1486adb80d2b0bed18efd31bbdb268badcc7207f0703eee4997b0e7985f8b3a045aa54e5d8d6b45f604fa623d1582969cee7a45f7a495c2470bad66af7 |
C:\MintP2\bodasys.exe
| MD5 | cf87ba070fe9241fcff91c59eb1b6104 |
| SHA1 | e50c8f2091e58ec87624f0e45a96cc0e9e7db171 |
| SHA256 | 56d1ea5aade92326b2f6ec1ea19cc140a41a04a3b3f59b16afcf36dd9a6e4e10 |
| SHA512 | 2917355956a8e580e40d5ace419081137284ab493b1543fb39038759dee169134506c3b8110299cd3ffd12c55cd2f150fbd83ffd50cae8f190f0a852a2a98bea |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | d1fdf51bf187fb51b55db8cd497ac8a4 |
| SHA1 | eb9eeddb99c9ad2de1dcc5b705aa96f2f8a7d45f |
| SHA256 | 279aee81ec7519903a0b2ee0edb527cabd24cee251a6a0b4f3de3d4b242e543d |
| SHA512 | 7ca0f1a0af7867299ada6a03fd4eaddcca8e358ede3d4b881d72164624d79f4e7b0f399ba21e0ae90e67bdd9e21baefdf4ef6cd51d5982476998c42e99dc9b90 |
C:\MintP2\bodasys.exe
| MD5 | 002c0f40e26459c01b3fa7f052dbb592 |
| SHA1 | de865562341eb341e64dd6b0045935d8d0a12ee6 |
| SHA256 | e9d3d29cd4d4b9a9ccc588ea8a333e524c4848136e094d860bbfe3f62df89806 |
| SHA512 | 118c12bfda9cabfe8ea7fbe64cf9d416b6daee934f392435069b8fff089e06ce9d3ab28a57f514d44a3f49971eac4ffa6e34fa66f7a0c14712d01db0029524fa |