Analysis Overview
SHA256
95aa75f7087c0342c5bab144a8d850ef58b95a3ac4bc74fb1c91b52eea85c3dc
Threat Level: Shows suspicious behavior
The file 95aa75f7087c0342c5bab144a8d850ef58b95a3ac4bc74fb1c91b52eea85c3dc.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 19:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 19:34
Reported
2024-11-13 19:36
Platform
win7-20240903-en
Max time kernel
119s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\95aa75f7087c0342c5bab144a8d850ef58b95a3ac4bc74fb1c91b52eea85c3dc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\AdobeZ7\devbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95aa75f7087c0342c5bab144a8d850ef58b95a3ac4bc74fb1c91b52eea85c3dc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95aa75f7087c0342c5bab144a8d850ef58b95a3ac4bc74fb1c91b52eea85c3dc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeZ7\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\95aa75f7087c0342c5bab144a8d850ef58b95a3ac4bc74fb1c91b52eea85c3dc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB2Q\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\95aa75f7087c0342c5bab144a8d850ef58b95a3ac4bc74fb1c91b52eea85c3dc.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\95aa75f7087c0342c5bab144a8d850ef58b95a3ac4bc74fb1c91b52eea85c3dc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeZ7\devbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\95aa75f7087c0342c5bab144a8d850ef58b95a3ac4bc74fb1c91b52eea85c3dc.exe
"C:\Users\Admin\AppData\Local\Temp\95aa75f7087c0342c5bab144a8d850ef58b95a3ac4bc74fb1c91b52eea85c3dc.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
C:\AdobeZ7\devbodloc.exe
C:\AdobeZ7\devbodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\AdobeZ7\devbodloc.exe
C:\KaVB2Q\dobdevec.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\KaVB2Q\dobdevec.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 19:34
Reported
2024-11-13 19:36
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
94s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | C:\Users\Admin\AppData\Local\Temp\95aa75f7087c0342c5bab144a8d850ef58b95a3ac4bc74fb1c91b52eea85c3dc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| N/A | N/A | C:\SysDrvNG\xoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBFW\\optixec.exe" | C:\Users\Admin\AppData\Local\Temp\95aa75f7087c0342c5bab144a8d850ef58b95a3ac4bc74fb1c91b52eea85c3dc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvNG\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\95aa75f7087c0342c5bab144a8d850ef58b95a3ac4bc74fb1c91b52eea85c3dc.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\95aa75f7087c0342c5bab144a8d850ef58b95a3ac4bc74fb1c91b52eea85c3dc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvNG\xoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\95aa75f7087c0342c5bab144a8d850ef58b95a3ac4bc74fb1c91b52eea85c3dc.exe
"C:\Users\Admin\AppData\Local\Temp\95aa75f7087c0342c5bab144a8d850ef58b95a3ac4bc74fb1c91b52eea85c3dc.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
C:\SysDrvNG\xoptiec.exe
C:\SysDrvNG\xoptiec.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\SysDrvNG\xoptiec.exe
C:\SysDrvNG\xoptiec.exe
C:\KaVBFW\optixec.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\KaVBFW\optixec.exe