Analysis Overview
SHA256
97ee89b9a231ff75f34c7c7404516c3102ea9bbdda1f841dc568d65c5a3b9e50
Threat Level: Shows suspicious behavior
The file 97ee89b9a231ff75f34c7c7404516c3102ea9bbdda1f841dc568d65c5a3b9e50.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 15:46
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 15:46
Reported
2024-11-13 15:48
Platform
win7-20241010-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | C:\Users\Admin\AppData\Local\Temp\97ee89b9a231ff75f34c7c7404516c3102ea9bbdda1f841dc568d65c5a3b9e50.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| N/A | N/A | C:\SysDrvZQ\devoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\97ee89b9a231ff75f34c7c7404516c3102ea9bbdda1f841dc568d65c5a3b9e50.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\97ee89b9a231ff75f34c7c7404516c3102ea9bbdda1f841dc568d65c5a3b9e50.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvZQ\\devoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\97ee89b9a231ff75f34c7c7404516c3102ea9bbdda1f841dc568d65c5a3b9e50.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint5G\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\97ee89b9a231ff75f34c7c7404516c3102ea9bbdda1f841dc568d65c5a3b9e50.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\97ee89b9a231ff75f34c7c7404516c3102ea9bbdda1f841dc568d65c5a3b9e50.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvZQ\devoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\97ee89b9a231ff75f34c7c7404516c3102ea9bbdda1f841dc568d65c5a3b9e50.exe
"C:\Users\Admin\AppData\Local\Temp\97ee89b9a231ff75f34c7c7404516c3102ea9bbdda1f841dc568d65c5a3b9e50.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
C:\SysDrvZQ\devoptiec.exe
C:\SysDrvZQ\devoptiec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\SysDrvZQ\devoptiec.exe
C:\Mint5G\optidevsys.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 15:46
Reported
2024-11-13 15:48
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | C:\Users\Admin\AppData\Local\Temp\97ee89b9a231ff75f34c7c7404516c3102ea9bbdda1f841dc568d65c5a3b9e50.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| N/A | N/A | C:\UserDotVY\xbodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotVY\\xbodec.exe" | C:\Users\Admin\AppData\Local\Temp\97ee89b9a231ff75f34c7c7404516c3102ea9bbdda1f841dc568d65c5a3b9e50.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBZZ\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\97ee89b9a231ff75f34c7c7404516c3102ea9bbdda1f841dc568d65c5a3b9e50.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\97ee89b9a231ff75f34c7c7404516c3102ea9bbdda1f841dc568d65c5a3b9e50.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotVY\xbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\97ee89b9a231ff75f34c7c7404516c3102ea9bbdda1f841dc568d65c5a3b9e50.exe
"C:\Users\Admin\AppData\Local\Temp\97ee89b9a231ff75f34c7c7404516c3102ea9bbdda1f841dc568d65c5a3b9e50.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
C:\UserDotVY\xbodec.exe
C:\UserDotVY\xbodec.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\UserDotVY\xbodec.exe
C:\KaVBZZ\bodasys.exe