Analysis Overview
SHA256
7ad2fb7b58124b36c6acd57ec60aece1647c1cc7e24a594372e6fd16086f055a
Threat Level: Shows suspicious behavior
The file 7ad2fb7b58124b36c6acd57ec60aece1647c1cc7e24a594372e6fd16086f055aN.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 15:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 15:07
Reported
2024-11-13 15:09
Platform
win7-20240903-en
Max time kernel
119s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | C:\Users\Admin\AppData\Local\Temp\7ad2fb7b58124b36c6acd57ec60aece1647c1cc7e24a594372e6fd16086f055aN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| N/A | N/A | C:\SysDrvIZ\abodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ad2fb7b58124b36c6acd57ec60aece1647c1cc7e24a594372e6fd16086f055aN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ad2fb7b58124b36c6acd57ec60aece1647c1cc7e24a594372e6fd16086f055aN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvIZ\\abodsys.exe" | C:\Users\Admin\AppData\Local\Temp\7ad2fb7b58124b36c6acd57ec60aece1647c1cc7e24a594372e6fd16086f055aN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB3P\\dobxec.exe" | C:\Users\Admin\AppData\Local\Temp\7ad2fb7b58124b36c6acd57ec60aece1647c1cc7e24a594372e6fd16086f055aN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7ad2fb7b58124b36c6acd57ec60aece1647c1cc7e24a594372e6fd16086f055aN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvIZ\abodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7ad2fb7b58124b36c6acd57ec60aece1647c1cc7e24a594372e6fd16086f055aN.exe
"C:\Users\Admin\AppData\Local\Temp\7ad2fb7b58124b36c6acd57ec60aece1647c1cc7e24a594372e6fd16086f055aN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
C:\SysDrvIZ\abodsys.exe
C:\SysDrvIZ\abodsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
C:\SysDrvIZ\abodsys.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\KaVB3P\dobxec.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\KaVB3P\dobxec.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 15:07
Reported
2024-11-13 15:09
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
94s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | C:\Users\Admin\AppData\Local\Temp\7ad2fb7b58124b36c6acd57ec60aece1647c1cc7e24a594372e6fd16086f055aN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| N/A | N/A | C:\IntelprocMN\devoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocMN\\devoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\7ad2fb7b58124b36c6acd57ec60aece1647c1cc7e24a594372e6fd16086f055aN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax2O\\optidevec.exe" | C:\Users\Admin\AppData\Local\Temp\7ad2fb7b58124b36c6acd57ec60aece1647c1cc7e24a594372e6fd16086f055aN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7ad2fb7b58124b36c6acd57ec60aece1647c1cc7e24a594372e6fd16086f055aN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocMN\devoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7ad2fb7b58124b36c6acd57ec60aece1647c1cc7e24a594372e6fd16086f055aN.exe
"C:\Users\Admin\AppData\Local\Temp\7ad2fb7b58124b36c6acd57ec60aece1647c1cc7e24a594372e6fd16086f055aN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
C:\IntelprocMN\devoptiec.exe
C:\IntelprocMN\devoptiec.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\IntelprocMN\devoptiec.exe
C:\IntelprocMN\devoptiec.exe
C:\Galax2O\optidevec.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\Galax2O\optidevec.exe