Analysis Overview
SHA256
7b57958d791d601d3c6122095f3fac5e3364a171016d25d48a571fb3917834b7
Threat Level: Shows suspicious behavior
Verdict for 7b57958d791d601d3c6122095f3fac5e3364a171016d25d48a571fb3917834b7N.exe: shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 19:28
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 19:28
Reported
2024-11-13 19:30
Platform
win7-20241010-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\7b57958d791d601d3c6122095f3fac5e3364a171016d25d48a571fb3917834b7N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\SysDrvUF\devbodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7b57958d791d601d3c6122095f3fac5e3364a171016d25d48a571fb3917834b7N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7b57958d791d601d3c6122095f3fac5e3364a171016d25d48a571fb3917834b7N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvUF\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\7b57958d791d601d3c6122095f3fac5e3364a171016d25d48a571fb3917834b7N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidPE\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\7b57958d791d601d3c6122095f3fac5e3364a171016d25d48a571fb3917834b7N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7b57958d791d601d3c6122095f3fac5e3364a171016d25d48a571fb3917834b7N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvUF\devbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
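The three persistence indicators above (an EXE written to the user's Startup folder, Run and RunOnce values that both use the value name Parametr, and payloads launched from freshly created folders directly under the drive root) translate into detection logic. The following is an added example, not code from the sandbox report or its vendor: it runs a few rules over constructed Sysmon-shaped events (EventID 1 process creation, 11 file creation, 13 registry value set) built from the behavioral1 rows, plus benign noise to show what does not fire. The dropped-file SHA256 values are copied from the Files section of this detonation. The function and rule names are mine. One caveat a practitioner should know: Sysmon does not record key opens, so the NLS\Language read listed under System Language Discovery is not covered here; on a real host it would need object-access auditing (Security event 4656) rather than Sysmon.

```python
import re
from dataclasses import dataclass

# Dropped-file SHA256 values copied from the behavioral1 Files section of the report.
IOC_SHA256 = {
    "66042c0e6eb4ac4497136a92d03681c95e3183c8273eb19172b772c22d208979": "sysaopti.exe (Startup folder copy)",
    "5108a73a5eb33fddf3b71fcc571b71a70ab7474649e03da5bda9e1017d099392": "devbodec.exe (Run key target)",
    "70fc56bc46744185162ed8bb1a81584816f6f519a6b3a21489e953a54602e6ba": "bodaec.exe (RunOnce key target)",
}
# Both persistence values the sample writes share this value name.
RUN_VALUE_NAME = "parametr"
# Directories that legitimately sit directly under the drive root.
STANDARD_ROOT_DIRS = {"windows", "program files", "program files (x86)", "programdata", "users"}

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.I)
STARTUP_EXE_RE = re.compile(r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
ROOT_SUBDIR_EXE_RE = re.compile(r"^[A-Z]:\\([^\\]+)\\[^\\]+\.exe$", re.I)
SHA256_FIELD_RE = re.compile(r"SHA256=([0-9a-f]{64})", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str


def exe_in_unusual_root_subdir(image):
    """True for X:\\<dir>\\<name>.exe where <dir> is not a standard Windows root folder
    (the sample used C:\\SysDrvUF and C:\\VidPE). Heuristic; expect some benign hits."""
    m = ROOT_SUBDIR_EXE_RE.match(image)
    return bool(m) and m.group(1).lower() not in STANDARD_ROOT_DIRS


def detect(events):
    """Apply the persistence rules to Sysmon-shaped event dicts (constructed subset):
    EventID 1 ProcessCreate (Image, Hashes), 11 FileCreate (Image, TargetFilename),
    13 RegistryValueSet (Image, TargetObject, Details). Sysmon does not log key *opens*,
    so the NLS\\Language read in the report needs object-access auditing (4656) instead."""
    findings = []
    for ev in events:
        eid, image = ev["EventID"], ev.get("Image", "")
        if eid == 13:
            m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
            if m:
                subkey, value_name = m.group(1), m.group(2)
                rule = "run_key_set_parametr" if value_name.lower() == RUN_VALUE_NAME else "run_key_set"
                findings.append(Finding(rule, image, f"{subkey}\\{value_name} = {ev.get('Details', '')}"))
        elif eid == 11:
            target = ev.get("TargetFilename", "")
            if STARTUP_EXE_RE.search(target):
                findings.append(Finding("startup_folder_exe_drop", image, target))
        elif eid == 1:
            if exe_in_unusual_root_subdir(image):
                findings.append(Finding("exe_in_root_subdir", image, image))
            m = SHA256_FIELD_RE.search(ev.get("Hashes", ""))
            if m and m.group(1).lower() in IOC_SHA256:
                findings.append(Finding("known_hash", image, IOC_SHA256[m.group(1).lower()]))
    return findings


def rule_counts(events):
    """Number of findings per rule, handy for a quick triage summary."""
    counts = {}
    for f in detect(events):
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed events mirroring the behavioral1 indicators, plus benign noise.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7b57958d791d601d3c6122095f3fac5e3364a171016d25d48a571fb3917834b7N.exe"
CV = r"HKU\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": SAMPLE,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"},
    {"EventID": 13, "Image": SAMPLE, "TargetObject": CV + r"\Run\Parametr", "Details": r"C:\SysDrvUF\devbodec.exe"},
    {"EventID": 13, "Image": SAMPLE, "TargetObject": CV + r"\RunOnce\Parametr", "Details": r"C:\VidPE\bodaec.exe"},
    {"EventID": 1, "Image": r"C:\SysDrvUF\devbodec.exe",
     "Hashes": "MD5=a9a24f90f3c1a85385865d4be7e5b4b4,SHA256=5108a73a5eb33fddf3b71fcc571b71a70ab7474649e03da5bda9e1017d099392"},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe", "Hashes": "SHA256=" + "0" * 64},
    {"EventID": 1, "Image": r"C:\Program Files\Git\bin\git.exe", "Hashes": "SHA256=" + "1" * 64},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe", "TargetObject": CV + r"\Run\OneDrive",
     "Details": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule:24} {f.image}  ->  {f.detail}")
```

The value-name match is the highest-signal rule here: a Run and a RunOnce entry with the same odd name, pointing at two different root-level folders, is specific to this family's installer, whereas the generic run_key_set rule is expected to fire on ordinary software (the OneDrive event is included to show that) and is only worth keeping as context. The root-folder heuristic will also hit admin tooling installed in places like C:\Tools, so treat it as a pivot, not a verdict.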
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\7b57958d791d601d3c6122095f3fac5e3364a171016d25d48a571fb3917834b7N.exe | "C:\Users\Admin\AppData\Local\Temp\7b57958d791d601d3c6122095f3fac5e3364a171016d25d48a571fb3917834b7N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe" |
| C:\SysDrvUF\devbodec.exe | C:\SysDrvUF\devbodec.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
| MD5 | 3846e7fc3b875ce385fb4e6e6ddd1b64 |
| SHA1 | d52b233fe268422f81aa799750aa9816c6aedb76 |
| SHA256 | 66042c0e6eb4ac4497136a92d03681c95e3183c8273eb19172b772c22d208979 |
| SHA512 | b6624df8919536ccaf46620fcaaff995bbeefd2be5e2b73d913d57b63b4f59342504df42753bcea336910cb4c1ab82119746cf177160ef44969718066258fd3e |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 141524b70056eca78247a4cfa55b90ba |
| SHA1 | 460552fcf0e7c80c46e7bbd87f401a64ca7eda42 |
| SHA256 | 676e4f3c0ee346b061f44ebec8c5d18aa417a8ae7d06ce94690243d4afc59a0a |
| SHA512 | 5581503b102013765a2b1efd733c47860a32f6b6a0eb8114d4f11577e5e245f8a8a0150b3e2e77251ee5737964d18b9c0d9f2d72af38971017a019af644c8258 |
C:\SysDrvUF\devbodec.exe
| MD5 | a9a24f90f3c1a85385865d4be7e5b4b4 |
| SHA1 | f8bb42eeda4b4ebc285665839deda95eff04d19f |
| SHA256 | 5108a73a5eb33fddf3b71fcc571b71a70ab7474649e03da5bda9e1017d099392 |
| SHA512 | af902547bb04f07417480aa18604537eda4fd071dc4cd1379a0db45b9c6a5b9edf2833c05b8e7f97d4a6b05dfec081c633563057a4f173470bf726fbcb66bb93 |
C:\VidPE\bodaec.exe
| MD5 | edeb0e3122248831c76b669b3598b477 |
| SHA1 | 1ea732b801c1ecf316514b9ca748e52db8db3080 |
| SHA256 | 70fc56bc46744185162ed8bb1a81584816f6f519a6b3a21489e953a54602e6ba |
| SHA512 | 87f99b8263227c7911caabcf5f3945adb09dbea3541f3dc657a0a7ee7d23a35bbbf41f9d69e97531c8d15dd35c91bf80832bcd01eca9f2c7e8aed776f1a060ae |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 5e83204ef3fa4bce2de1e3ea10ab24b7 |
| SHA1 | a8c16d535f64bd84255a03da79c5cf9255b38f88 |
| SHA256 | c73da94fe1fb34969e5d53cab61806201369eef2d7f2a0f03879aefbbfbcbaf0 |
| SHA512 | c18d4e12535ffd11d277563c695366b0f07e18e70eb60563d96800b9748a365e8f8f1baa01269e991e6d76c6dc4dd065981f8711b218f7c46156df92adb35319 |
C:\VidPE\bodaec.exe
| MD5 | 4e2cca41065f0fb8cdd9d5fc09d2370f |
| SHA1 | 21d23c5b7b43c5692165939e9a0a91ca2d2a9cf1 |
| SHA256 | 2d4827b2813c6e321e99420bd1fe65e8ad9c456544a356c2f5959bdba4360362 |
| SHA512 | 0063d91ca729d2f1f40e5e5a8fe262ac52ef54aebfac51a0b0cd6619e6ecde983d45de3a341d25c7232c7fb74d3047596dd4fd9282913e4e5b73fcc174bd02f2 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 19:28
Reported
2024-11-13 19:30
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
101s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | C:\Users\Admin\AppData\Local\Temp\7b57958d791d601d3c6122095f3fac5e3364a171016d25d48a571fb3917834b7N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| N/A | N/A | C:\Adobe1Q\devbodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe1Q\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\7b57958d791d601d3c6122095f3fac5e3364a171016d25d48a571fb3917834b7N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintFI\\optiasys.exe" | C:\Users\Admin\AppData\Local\Temp\7b57958d791d601d3c6122095f3fac5e3364a171016d25d48a571fb3917834b7N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7b57958d791d601d3c6122095f3fac5e3364a171016d25d48a571fb3917834b7N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Adobe1Q\devbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\7b57958d791d601d3c6122095f3fac5e3364a171016d25d48a571fb3917834b7N.exe | "C:\Users\Admin\AppData\Local\Temp\7b57958d791d601d3c6122095f3fac5e3364a171016d25d48a571fb3917834b7N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe" |
| C:\Adobe1Q\devbodec.exe | C:\Adobe1Q\devbodec.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
| MD5 | 1d91559476575e496dbe03f7497cca14 |
| SHA1 | 7a44f14f6075842fffeedfadc14773ad666506e6 |
| SHA256 | abd66c9db101fb98856db325fc3a4faad62f2dac1a33773c903786a75bc6d6e2 |
| SHA512 | cc4293c43e93397ae0e175ab5f0676aad409cee39272de2283fbe7d9dcb4bd9484d963e341f4b16dc1da5bca8c458ab3d6e3e0afa3800eb00f0ae81f252bada1 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 6a17562c2f6e43b057ea26ceebc910eb |
| SHA1 | 12947b480fa54b58346adfeeafbb05fe1f1fb19c |
| SHA256 | 63961664404f38fc2408875dd931ed4e9cf1036d1b3bf4a17754afd03b6d5477 |
| SHA512 | ae691ef147f66e6eda594c4d424ee83b87e61a6cef0f5da330965d60e92ab6319208667f43933ec45c2c1f09305e67552c33d19ca33ca06b3d441ce15d502421 |
C:\Adobe1Q\devbodec.exe
| MD5 | 68bdee897bc835429529034c4323727b |
| SHA1 | 75019f6f34f9cc8bf1021406b31c22a671a62d99 |
| SHA256 | 90959460ec88e8fdd5a108f338da2c04b461c27845a7bd2ed11f7b6cf08935c9 |
| SHA512 | 5df8837e2decba510a4b2f39127fcf8fc18e2993d3e35fbe151c4193eaf1b43026b4b94fea387e9a5525ead9dc995f58e220273289665ef39b90ce572d146480 |
C:\Adobe1Q\devbodec.exe
| MD5 | 68d2d6de0dcc78cef54b7894d1a712b8 |
| SHA1 | d0f5a3f7a55badb453080b57d2458f98c53b9510 |
| SHA256 | f74587cdab3a17da746b50e7577c6c62a073b941ee7cc7c37910d68fb3b5b984 |
| SHA512 | 2b9f059dbcb14c7de2cfcf7f284ae5a1d7f33b17c8d8d56224ca996635cb2c3171ebd5f4a78c136a9e60b4971d1b2a1300fa7bc27a73dea6907ebcf173593eb7 |
C:\MintFI\optiasys.exe
| MD5 | 8305b57b707455e45fae642e3caf0918 |
| SHA1 | 98b27a991df547c6d83410751161b171e277d2e1 |
| SHA256 | 5400a2edc8d49fb6be43e3edda1732e4fd60204e7b8ed2afa55fa35a28e7e898 |
| SHA512 | 837a17d972eb8d466a84c269adbeab37d0f42650a4df5e2880f1abac245ab19c3eeb05e5d020fe817d785c65837cda81406bdd1b0c8d8123d72c3f33c3cdd90f |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 63efaa577d3dc32aa98cdf3c2537dc44 |
| SHA1 | da6dfd846708ab8387e6db5f7bac5e952c6adf8b |
| SHA256 | b943bfbd33e467075258c405a9cb7a989def9d008f1174f3367ba2aca8955bdc |
| SHA512 | ffe41677796abef4f53b040431f08b5a76d760be77e73060d55c9839ab521cb1c7ab691f8d64c06b1d8b516c5039ed1429a780b72930eae5d5aea8420d7b8ef3 |
C:\MintFI\optiasys.exe
| MD5 | b646265f07f9f16a9eedf6d5027f9e3c |
| SHA1 | a47300f0e83643f499e1b7c1be83a375a1293ac7 |
| SHA256 | d9d3e8602e7f445e99a6594bba9d12ffef0a099ea168321e788dbde80f1fe025 |
| SHA512 | 403b6c7a5606ac30e67478febf3210fc1d0e88e15fcc0544f80a00e2249b9fcf6ec71a25f5e36eaa2528ba1ab9c016dc5269cd1fe3a9758317b2abf1d8553f67 |
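Across the two detonations the file names and drop folders change (sysaopti.exe versus locxbod.exe, C:\SysDrvUF and C:\VidPE versus C:\Adobe1Q and C:\MintFI), while the structure stays the same: one EXE in the user's Startup folder, one folder directly under C:\ holding the Run target, a second one holding the RunOnce target, both registered under the value name Parametr, and a marker file 253086396416_<OS version>_<user>.ini in the profile root. The script below is an added live-host hunt written around that structure; it is not part of the sandbox report. It assumes Windows PowerShell 5.1 or later, an elevated prompt so all loaded user hives and profiles are readable, and that the numeric prefix of the marker file is constant for this sample (it was identical in both runs; that is an observation, not a guarantee across variants). Every SHA256 in the list is copied from the Files sections above, including the second write of each path, because the report does not say which write is the final on-disk content.

```powershell
# Added live-host hunt for this sample's persistence artifacts (not from the report).
# Run elevated. Paths and the value name are the ones observed in both detonations.

# SHA256 of every dropped EXE listed in the report's Files sections (both writes kept).
$IocSha256 = @(
    '66042c0e6eb4ac4497136a92d03681c95e3183c8273eb19172b772c22d208979', # sysaopti.exe (win7)
    '5108a73a5eb33fddf3b71fcc571b71a70ab7474649e03da5bda9e1017d099392', # devbodec.exe (win7)
    '70fc56bc46744185162ed8bb1a81584816f6f519a6b3a21489e953a54602e6ba', # bodaec.exe (win7)
    '2d4827b2813c6e321e99420bd1fe65e8ad9c456544a356c2f5959bdba4360362', # bodaec.exe (win7, 2nd write)
    'abd66c9db101fb98856db325fc3a4faad62f2dac1a33773c903786a75bc6d6e2', # locxbod.exe (win10)
    '90959460ec88e8fdd5a108f338da2c04b461c27845a7bd2ed11f7b6cf08935c9', # devbodec.exe (win10)
    'f74587cdab3a17da746b50e7577c6c62a073b941ee7cc7c37910d68fb3b5b984', # devbodec.exe (win10, 2nd write)
    '5400a2edc8d49fb6be43e3edda1732e4fd60204e7b8ed2afa55fa35a28e7e898', # optiasys.exe (win10)
    'd9d3e8602e7f445e99a6594bba9d12ffef0a099ea168321e788dbde80f1fe025'  # optiasys.exe (win10, 2nd write)
)
# Folders that legitimately live directly under the system drive root.
$StandardRootDirs = @('Windows', 'Program Files', 'Program Files (x86)', 'ProgramData', 'Users',
                      'PerfLogs', '$Recycle.Bin', 'Recovery', 'System Volume Information',
                      'Documents and Settings')
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Type, [string]$Location, [string]$Value) {
    $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Value = $Value })
}

# 1. Run/RunOnce values named "Parametr" in every loaded user hive (the sample wrote
#    both under the infected user's SID, so HKCU alone would miss other profiles).
foreach ($hive in Get-ChildItem -Path Registry::HKEY_USERS) {
    foreach ($sub in 'Run', 'RunOnce') {
        $key = "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\$sub"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties['Parametr']) {
            Add-Finding "$sub value 'Parametr'" $key $props.Parametr
        }
    }
}

# 2. Executables sitting in any user's Startup folder, with their hash for comparison.
$startupGlob = 'C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.exe'
foreach ($f in Get-ChildItem -Path $startupGlob -File -ErrorAction SilentlyContinue) {
    Add-Finding 'Startup folder EXE' $f.FullName (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash.ToLower()
}

# 3. EXEs in non-standard folders directly under the drive root (C:\SysDrvUF, C:\VidPE,
#    C:\Adobe1Q, C:\MintFI in the report). A hash match is a confirmed IOC; anything
#    else in such a folder is listed for review only, since admin tooling ends up there too.
$roots = Get-ChildItem -Path 'C:\' -Directory -Force | Where-Object { $StandardRootDirs -notcontains $_.Name }
foreach ($dir in $roots) {
    foreach ($exe in Get-ChildItem -Path $dir.FullName -Filter '*.exe' -File -ErrorAction SilentlyContinue) {
        $h = (Get-FileHash -Path $exe.FullName -Algorithm SHA256).Hash.ToLower()
        if ($IocSha256 -contains $h) { Add-Finding 'Known IOC hash' $exe.FullName $h }
        else { Add-Finding 'EXE in root-level folder (review)' $exe.FullName $h }
    }
}

# 4. Marker file in the profile root: <prefix>_<OS version>_<user>.ini. The prefix was the
#    same in both detonations; assumed sample-specific, so widen the pattern for variants.
foreach ($ini in Get-ChildItem -Path 'C:\Users\*\253086396416_*_*.ini' -File -ErrorAction SilentlyContinue) {
    Add-Finding 'Profile marker file' $ini.FullName (Get-FileHash -Path $ini.FullName -Algorithm SHA256).Hash.ToLower()
}

$findings | Format-Table -AutoSize
```

Read the output as a set rather than individual hits: a Parametr value under both Run and RunOnce, pointing at two different root-level folders, plus an EXE in the Startup folder is the pattern from both detonations even when none of the listed hashes match, which is the case to expect if the dropped files are regenerated per infection (the report already shows different hashes for the same path within a single run).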