Analysis Overview
SHA256
fcf93e47d3926a34c62a74095dc4a98efb446d40fa6a5f29cd8157fbf747782a
Threat Level: Shows suspicious behavior
The file 8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 15:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 15:00
Reported
2024-11-13 15:02
Platform
win7-20241010-en
Max time kernel
119s
Max time network
18s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | C:\Users\Admin\AppData\Local\Temp\8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| N/A | N/A | C:\SysDrvPJ\devbodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvPJ\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxZE\\dobaec.exe" | C:\Users\Admin\AppData\Local\Temp\8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvPJ\devbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe
"C:\Users\Admin\AppData\Local\Temp\8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
C:\SysDrvPJ\devbodec.exe
C:\SysDrvPJ\devbodec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
| MD5 | 757e98524c1a51a8bf1df5ab9316a52f |
| SHA1 | b328e095aab2d0bf9434a2f650ba70f067cbf248 |
| SHA256 | fe5528f5b65a73f0ae6666a8665f1fe89d5568d5ce8caf0322db125158286863 |
| SHA512 | 0461e435e0c45a17dce306f949475e9ea67c8319e75e7c736973ef2d2abdac76347ac1edfffbe653051f44005731d8f42d1ffd6264b2470ad488378645df38a7 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 959abc6f83c114b870f5e3a3c428ec01 |
| SHA1 | 32885bd99de206d08979b0d4c81272cd019856a1 |
| SHA256 | ae942eed0fc8d927efe6379d3296f93a07bae73c7036586637cf4f9a12ff003c |
| SHA512 | dc422c529c307eda6d9314788a298704a6d07ba2ca0f96ef1042a9731c663ce9fe50c0fc1bf97909e4aa71742baba78602eba963b7cdb0536a05afee75e685e4 |
C:\SysDrvPJ\devbodec.exe
| MD5 | a011a80addcf601867cd637f6e1f56df |
| SHA1 | d503ea9bd996f98055ffc8322347eedf7b72e145 |
| SHA256 | caa5fa54cbe7206eeb3d41a2a153688a475308665a2bab50ff10b98b1feaa689 |
| SHA512 | 9c2194f153a93238caa1d562577d3ef28400e336b54565e352a8dc2015ba1857fd02f0d19960b97da728b5010d6384163b17d96d4ffcd4b17f3286f098e0cb76 |
C:\GalaxZE\dobaec.exe
| MD5 | 1891ed9d5d30e75d4f6be27a7aa6f14d |
| SHA1 | f243c99cddecd30ef886d6cb6bc45acff7b92675 |
| SHA256 | 1aac9ab42ed25706a5dca4a2bcff791a3eb697025016520dd1ddfb50e5c00c82 |
| SHA512 | 6fff764d77326e7e40a14e660101702e0fc20f9f3bc3506946ca1d406a4a085334b54cc1ff0bb113f5ee708e7a5619808e3a762b3e0d5eb318a1e694912d195f |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | c2fb53cdd8495ae42ba9c91b4fb1c2da |
| SHA1 | 7baa1eb52ea38415cdefcc7c5ae3d0ef075a4816 |
| SHA256 | f94c46aa0c8497c92d31d7ff299b902cc1df13808482d31c1e919cd7194c849a |
| SHA512 | 30e5e674b88edee47c1a53279683eafa33ed7793a64dd62f755fcbdb80b61f1a7be2e81424d247bcd2e8e2b877aa5d58ed61d59dc25885c58f5430804296a365 |
C:\GalaxZE\dobaec.exe
| MD5 | a1b11f5603077484280667fd1dfc3cda |
| SHA1 | abc21425bf1b4e92ec67a0926df20c8735094ec0 |
| SHA256 | 894c8f9e45ed5e7e4eb02187f36334217c82cc3d04ccb4dc287351488613d51e |
| SHA512 | bfd5debadd2b755e260d27d92ee365d0f4fbf61df7ceb6290760892a938fc9acfc408c369a8c4413097ea453c550f944039e264a3a351f734c30267bf22f9ce9 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 15:00
Reported
2024-11-13 15:02
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | C:\Users\Admin\AppData\Local\Temp\8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| N/A | N/A | C:\SysDrvX2\adobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvX2\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidL9\\optialoc.exe" | C:\Users\Admin\AppData\Local\Temp\8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvX2\adobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe
"C:\Users\Admin\AppData\Local\Temp\8a5cd6344d4b44ef5336c36747a2010d42e44fd3c2b165c7e790be1bc52e823fN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
C:\SysDrvX2\adobloc.exe
C:\SysDrvX2\adobloc.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
| MD5 | 9874e87187c8db3030927f9021fd4cbf |
| SHA1 | a62ed583176ec9df249a75d0a1cca3a39cea7105 |
| SHA256 | 1e78ec616fa83e68bd0ce3ef38fc109799d79a06ce9634347480a8cd3759fd9c |
| SHA512 | 5ae5371767b165e92e45db21019214d1aba1ff3def2bb74854f7da686d99ce784fe7a8c2fac06f1644942857166033b806d21fd462b39c7415a852293b02504c |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | d29aea5425e7d9b192ab157e1280de64 |
| SHA1 | 0968cfb1b87a95ee888f808c3357cb3e72f8379e |
| SHA256 | 20d1fb08494d313c312d556f8251d3e931542be541e45a563650e3278c66c9f5 |
| SHA512 | ac7dbac7f4db31675cad03ba901f93d9d12af03175cfaaebcee8183a27c3350fd64bb8a51b13041b65cfa686e674efa5ffcddfbbb38d391d2556de51b9b83346 |
C:\SysDrvX2\adobloc.exe
| MD5 | f06d96a21058ecda2d79f4ee5c83383a |
| SHA1 | 8a65694765c213ad953ae01b1743ac27e00a8cb4 |
| SHA256 | 329c2b1edd684a81daa89e59d0fc86d46c72840de21a2060eeb18371719199b4 |
| SHA512 | be49b54ca5f6ac587bd99f77a30ca7417754293d0080763d6d92616526473e6506461bc96ec0cbdebe4ca6916233f373b97944d166e9500a5a3a7aaf06f968d0 |
C:\VidL9\optialoc.exe
| MD5 | 90ae4fede7abc64a0f6047848c4df1ed |
| SHA1 | 7d2c7ba2bad34d678099158587218c05d33d67a6 |
| SHA256 | 41632a9068f4384ad13766464bc2bb3a2e48d779857fa7bbd7fde485473c7a35 |
| SHA512 | 91595e3923179f9a9f869368413314be202c147352239d379c0c5cb1fbb9f070bfefbc1d4def79c74c8d4aaf1a11f31c6206ef87d200340b874d7fa7afdc93ec |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | f77a0d73f1024d3d9a7a69f4c00b0e50 |
| SHA1 | c3129c795813865fb8a80bf73dae96f74d9c60e3 |
| SHA256 | 64b06ce7a026a023522ebf75fb01898b3085aaee20cadd5932b024d7c4cb3e26 |
| SHA512 | bf37d3393d1ccd4499686ce7bbea190d0f67f48ba4ab2aa59e0f841c5ae76d5fce39e885a2502033f3b24b7a731f923a5b3d6957f2e60f9338cd3331a08edcac |
C:\VidL9\optialoc.exe
| MD5 | 4640d617ff70755f517e57c5661e8929 |
| SHA1 | ed7961b758c9f7a4307a2632879991bb6c8652ed |
| SHA256 | 6d607c67faf1f1042ecf655e764a6d8ab9eb7823535df75a81a7c624b1fda265 |
| SHA512 | bd1207edd0e91a399bef50fba5dbac7d5c54486f577defdf5f8303d26640caeec8b7131d5820dc92d7ba5db9eba137223c4bd6d271f3e3e3f8b383cb14b1602b |