Analysis Overview
SHA256
d196407c9c03ffcf75289dac8ed7bf1a05a75189c708007827571d88b8b83544
Threat Level: Shows suspicious behavior
The file d196407c9c03ffcf75289dac8ed7bf1a05a75189c708007827571d88b8b83544N.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 18:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 18:59
Reported
2024-11-13 19:01
Platform
win7-20241023-en
Max time kernel
119s
Max time network
18s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | C:\Users\Admin\AppData\Local\Temp\d196407c9c03ffcf75289dac8ed7bf1a05a75189c708007827571d88b8b83544N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| N/A | N/A | C:\UserDot8Y\devdobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d196407c9c03ffcf75289dac8ed7bf1a05a75189c708007827571d88b8b83544N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d196407c9c03ffcf75289dac8ed7bf1a05a75189c708007827571d88b8b83544N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot8Y\\devdobec.exe" | C:\Users\Admin\AppData\Local\Temp\d196407c9c03ffcf75289dac8ed7bf1a05a75189c708007827571d88b8b83544N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxD9\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\d196407c9c03ffcf75289dac8ed7bf1a05a75189c708007827571d88b8b83544N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDot8Y\devdobec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d196407c9c03ffcf75289dac8ed7bf1a05a75189c708007827571d88b8b83544N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\d196407c9c03ffcf75289dac8ed7bf1a05a75189c708007827571d88b8b83544N.exe | "C:\Users\Admin\AppData\Local\Temp\d196407c9c03ffcf75289dac8ed7bf1a05a75189c708007827571d88b8b83544N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe" |
| C:\UserDot8Y\devdobec.exe | C:\UserDot8Y\devdobec.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
| MD5 | 77e0f876702dcc84c8316453971eef6f |
| SHA1 | 6063f8defa25dd720973044510f32e7498341058 |
| SHA256 | c8008f39bbe151ec89062c1a0d823a1bb49a08dded286a24f4348607dc0293e1 |
| SHA512 | 54eebe06e8a44cefcbf7af397a43e143a2f6ee6d3c9ea240b3a08afb643e543f9c33defafb36a31063fa95e1c541f44c5e195ba80e2f9bc87f8c1db7a0b5f3b6 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | c76f1c155cdfbeb0e8fe53b554af340a |
| SHA1 | 12ca24b711b06d3124bd870c9e279e3a5901098e |
| SHA256 | ecf3d91d76cb3e998397c5db3fe7bc5a12f6bb12ec129c74b50776dd3b63af9d |
| SHA512 | 1afa906e779c6330d5626ef855376e8d05a1fa6404e19cbd65dc35bc23381e75128d4c92d8e2633bb7c6d66d6b816498665f903213ca1c34587de44ab908fd84 |
C:\UserDot8Y\devdobec.exe
| MD5 | df57a73e37ec3eeefb9efbe11e2d02fe |
| SHA1 | 36ec2be0a533705a06e47dfafe64dc00f214ed3f |
| SHA256 | 0e134b16bb1c17e8a318d5b0497f9796d72e8aebf6a7d73924a393181c9c9bb5 |
| SHA512 | 81d662650a6820d58ec60247b404de45103246fe000d2a157d7572663d042c894fba3a2070b0d7ed33e536d3c0e65aa7c6e665a342abaf2c0e9fd905ed273b2e |
C:\GalaxD9\bodasys.exe
| MD5 | 647321790ebfeaf5f76ad99222c94c7f |
| SHA1 | 72cc355853ae1da426fdbbd652c84e7bee87db59 |
| SHA256 | 7f3974e2f3807fbd784e43069933851f72891e6a1ca4c0c1945d00f8ca414cee |
| SHA512 | ad229c4b654a2e183b0be9dfd759aaa93bd638590bb572abbf9333d35a8ff451a63f3424592dbe3688f82c9ce8c8c9a816586e1f565a427f536d001e4ae7330f |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | d98e361a3db67096e1505c351e252fb2 |
| SHA1 | fcd5becbac6017b0fd8a16c505016bfc0a5b0f09 |
| SHA256 | 9d91bda78f7071fb0646ad75786ad6c220427298898cf3725723b0a9ea6bf8b5 |
| SHA512 | 08102da74b578ccc7854e07f09b2e38c5d7eb6c3e52c5919ad8f6b88b767055237c4feea2c650e5fa2ea8694ef71d22ba55ce763591a9a5122a6dfdf404076e9 |
C:\GalaxD9\bodasys.exe
| MD5 | 15fd7b4824364a9856d1d6550c852ab9 |
| SHA1 | 3dc924dc3141053349b5fac1b6b1b0e08d55288d |
| SHA256 | 696cfc537f8b65d89ad44656bdef99a616a257c0cef20281c24d5af3dab0ed86 |
| SHA512 | b2b9387994857997ece962aa88e88d6ea896935097daaa93940c556004b14b713e7cc0093cb97f1f129518aaf1b1c21ed278cf88b983452f1af62b6b9b6cde6b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 18:59
Reported
2024-11-13 19:01
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
94s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\d196407c9c03ffcf75289dac8ed7bf1a05a75189c708007827571d88b8b83544N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\AdobePQ\devoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobePQ\\devoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\d196407c9c03ffcf75289dac8ed7bf1a05a75189c708007827571d88b8b83544N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB2A\\boddevsys.exe" | C:\Users\Admin\AppData\Local\Temp\d196407c9c03ffcf75289dac8ed7bf1a05a75189c708007827571d88b8b83544N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d196407c9c03ffcf75289dac8ed7bf1a05a75189c708007827571d88b8b83544N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobePQ\devoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
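The Run/RunOnce values and the Startup-folder drop recorded in both detonations (behavioral1 on win7, behavioral2 on win10) are one persistence pattern with different file names. As an added example, not part of this report or of the sandbox's own signature engine, the Python below parses the report's "Set value (str)" and "File created" indicator strings and applies two rules: a Run or RunOnce value that launches an executable from outside C:\Windows or C:\Program Files, and an .exe written to the per-user Startup folder. The event layout and the two benign control events are constructed for the example; only the indicator strings and process paths are taken from the tables above.

```python
import re
from pathlib import PureWindowsPath

# Parent process path as it appears in the report's Processes tables.
PARENT = r"C:\Users\Admin\AppData\Local\Temp\d196407c9c03ffcf75289dac8ed7bf1a05a75189c708007827571d88b8b83544N.exe"

# Sample events constructed for this example in a Sysmon-like shape (type, process,
# indicator). Indicator strings are copied from the behavioral1 (win7) and
# behavioral2 (win10) signature tables; the two trailing entries are invented
# benign controls that the rules must not flag.
SAMPLE_EVENTS = [
    {"type": "registry_set", "process": PARENT,
     "indicator": r'\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot8Y\\devdobec.exe"'},
    {"type": "registry_set", "process": PARENT,
     "indicator": r'\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxD9\\bodasys.exe"'},
    {"type": "registry_set", "process": PARENT,
     "indicator": r'\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobePQ\\devoptiloc.exe"'},
    {"type": "file_create", "process": PARENT,
     "indicator": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"},
    {"type": "file_create", "process": PARENT,
     "indicator": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"},
    # Constructed benign controls: a vendor installer registering a tray app from
    # Program Files, and a non-executable file landing in the Startup folder.
    {"type": "registry_set", "process": r"C:\Program Files\Vendor\setup.exe",
     "indicator": r'\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray = "C:\\Program Files\\Vendor\\tray.exe"'},
    {"type": "file_create", "process": r"C:\Windows\explorer.exe",
     "indicator": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini"},
]

# Report format: <key>\<value name> = "<data>", with backslashes in data doubled.
REG_SET_RE = re.compile(r'^(?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\]+) = "(?P<data>.*)"$')
RUN_KEY_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_registry_set(indicator):
    """Split a 'Set value (str)' indicator into (key, value name, data).

    Returns None for strings not in the report's format. The data is shown with
    doubled backslashes in the report, so it is unescaped here.
    """
    m = REG_SET_RE.match(indicator)
    if m is None:
        return None
    return m.group("key"), m.group("name"), m.group("data").replace("\\\\", "\\")


def is_run_key(key):
    # Case-insensitive: win7 wrote Software\..., win10 wrote SOFTWARE\...
    return key.lower().endswith(RUN_KEY_SUFFIXES)


def is_trusted_path(path):
    return path.strip('"').lower().startswith(TRUSTED_ROOTS)


def is_startup_folder_exe(path):
    p = path.lower()
    return "\\start menu\\programs\\startup\\" in p and p.endswith(".exe")


def triage(events):
    """Return (rule, artifact, process) tuples for the two persistence patterns."""
    findings = []
    for ev in events:
        if ev["type"] == "registry_set":
            parsed = parse_registry_set(ev["indicator"])
            if parsed is None:
                continue
            key, name, data = parsed
            # Run/RunOnce entries are common and legitimate; the flag is an entry
            # that launches an EXE from outside Windows/Program Files (here the
            # directories C:\UserDot8Y, C:\GalaxD9 and C:\AdobePQ created by the sample).
            if is_run_key(key) and not is_trusted_path(data):
                findings.append(("run_key_persistence", f"{name} -> {data}", ev["process"]))
        elif ev["type"] == "file_create" and is_startup_folder_exe(ev["indicator"]):
            findings.append(("startup_folder_drop", PureWindowsPath(ev["indicator"]).name, ev["process"]))
    return findings


if __name__ == "__main__":
    for rule, artifact, proc in triage(SAMPLE_EVENTS):
        print(f"{rule:22} {artifact}  (by {proc})")
```

Matching on the value name Parametr or on the dropped file names would be brittle: the names differ between the two runs (sysxopti.exe, devdobec.exe and bodasys.exe on win7; locadob.exe, devoptiloc.exe and boddevsys.exe on win10), while the structure, a Run value and a RunOnce value both named Parametr that point into non-standard directories directly under C:\, plus an .exe in the user's Startup folder, is identical in both.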
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\d196407c9c03ffcf75289dac8ed7bf1a05a75189c708007827571d88b8b83544N.exe | "C:\Users\Admin\AppData\Local\Temp\d196407c9c03ffcf75289dac8ed7bf1a05a75189c708007827571d88b8b83544N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe" |
| C:\AdobePQ\devoptiloc.exe | C:\AdobePQ\devoptiloc.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
| MD5 | 025ba5d58d207e69406a39f1c2de4096 |
| SHA1 | d92a9cef3defba8691b18c2119e0f692de945581 |
| SHA256 | ca2e1b30d12ddb78a5eae6f17780936a4c7fd6fe85ea093447ee3dd5f4a4998c |
| SHA512 | 183a7b8e943aba63f36cf9d4862466601fb6007930077abd26a3180c7c6563a704ca6814c501c6132a81734ff8fa9832ad60ccf59ac80f22897e2f891512bef6 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 7d649ee152f26f1375f012fec39f8681 |
| SHA1 | 32ef0c938eefa96c47a17210c9fa34c52b4a0e51 |
| SHA256 | d6615360d38ebff76c082cdec70240b1d436e1a2ccf5b7b0ec34ecfd295cba3b |
| SHA512 | e381bc2a0e12f3fb8da05d53eb979579f6c20d0069af01acff78c78030c8871847645328b48c0d57432ed038baaa6755ffa9ae3faa75687e16cb7612a10b83e0 |
C:\AdobePQ\devoptiloc.exe
| MD5 | 3355085f00eb7fcae2cd8bd75928585a |
| SHA1 | 0744ef77d42dbd0397819538f3e435cf2645593e |
| SHA256 | 789eac89764484f3d5f160eaba44e6f0d1fc12f6cbab902b77b27720d3181cc5 |
| SHA512 | 4415f9f98a13884da00d58c031c0204c32c6b5af9d989de2e4e6d2af1fc980fbff582888fefe7bc8322e54aba459fe5696f0c1baaa1642304d04c8fb0479d4f5 |
C:\AdobePQ\devoptiloc.exe
| MD5 | 6f1a44a063b93e7e5b38d18e8186fad9 |
| SHA1 | e80ad7cd62be481d2c2587f825c6468cb947e02e |
| SHA256 | b4a662808129c49ceb51b199349bc7cd2d9c27291742c83938cdf157318809f4 |
| SHA512 | 7943561a0ec4ebb50f62a1c04090528565c97e7409b174c6b6ca4adaab7de1e57345f0a51810e8e6d3b49199f1077a9b6e070e51f2e67eb2431fc269d2b8fbfa |
C:\KaVB2A\boddevsys.exe
| MD5 | aa29d7c5d86ec56b18dc0bad60b1522d |
| SHA1 | 4287a771c10690db1201115b7549b484a0294572 |
| SHA256 | d41fe1df0d0d4169641ca41e99106dd5aac1ad873f5b4567a51676250cfc5717 |
| SHA512 | bb85d563c89b0cb443742800689e33153eb88c46ed11707f36d0eed82c37983cac7d8659daed07f87ca97ce20faae4b630fd2bb623fbbf2ff5761f8dbc9f1a71 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 9a519ff345b821f8c217e5deae451f24 |
| SHA1 | a0a892aabab59e583f543a35c94885d9e82984cd |
| SHA256 | e3a9caf510a58c9adc0f6da37844bfebc70ad565a1c210645bb4599f69069c2d |
| SHA512 | 4defba1d3ba42ef2e74afcd729af3856ce61a4a12fd4fb6816d7f3a5a95245cb31b523f380829e50cca91af34d34fef037ed9463b637ff69ca87cdc470c092ed |
C:\KaVB2A\boddevsys.exe
| MD5 | 678144540fd68c3b793e106e5aa26be9 |
| SHA1 | a99bfc91aeffa793c8c86af0775b448967d958d3 |
| SHA256 | ada1ada49ebd1505403999587078d42fb587ef9cc0123708e39b9bf3d21a9d4d |
| SHA512 | 87e13ab2b5810430d03c6dad0d6b045805b3a3dc550718dd513937a53fd84fd9f138fd9f03eafe2410d811459e58ad0b9d119581d8347b236057b4f43ecfd266 |
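Both Files sections list the C:\Users\Admin\253086396416_*_Admin.ini file and the RunOnce payload (bodasys.exe on win7, boddevsys.exe on win10) twice with different hashes, so a hash list lifted from this report without reading it would carry entries for content that was overwritten during the run. The following Python, added here as an example and not part of the report, parses the Files section format into per-file hash records, lists the paths whose content changed between writes, and emits a deduplicated SHA256 block list. The input is the behavioral1 Files section above trimmed to its MD5 and SHA256 rows; the behavioral2 section parses the same way.

```python
import re

# Excerpt of the behavioral1 "Files" section, trimmed to the MD5 and SHA256 rows
# (the parser accepts SHA1 and SHA512 rows too). Embedded as inline input for this example.
REPORT_FILES = r"""
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
| MD5 | 77e0f876702dcc84c8316453971eef6f |
| SHA256 | c8008f39bbe151ec89062c1a0d823a1bb49a08dded286a24f4348607dc0293e1 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | c76f1c155cdfbeb0e8fe53b554af340a |
| SHA256 | ecf3d91d76cb3e998397c5db3fe7bc5a12f6bb12ec129c74b50776dd3b63af9d |
C:\UserDot8Y\devdobec.exe
| MD5 | df57a73e37ec3eeefb9efbe11e2d02fe |
| SHA256 | 0e134b16bb1c17e8a318d5b0497f9796d72e8aebf6a7d73924a393181c9c9bb5 |
C:\GalaxD9\bodasys.exe
| MD5 | 647321790ebfeaf5f76ad99222c94c7f |
| SHA256 | 7f3974e2f3807fbd784e43069933851f72891e6a1ca4c0c1945d00f8ca414cee |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | d98e361a3db67096e1505c351e252fb2 |
| SHA256 | 9d91bda78f7071fb0646ad75786ad6c220427298898cf3725723b0a9ea6bf8b5 |
C:\GalaxD9\bodasys.exe
| MD5 | 15fd7b4824364a9856d1d6550c852ab9 |
| SHA256 | 696cfc537f8b65d89ad44656bdef99a616a257c0cef20281c24d5af3dab0ed86 |
"""

HASH_ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files(text):
    """Parse path lines followed by '| ALG | hex |' rows into one dict per dropped file.

    A path that appears again later in the section becomes a separate entry: the
    sandbox hashed the file again after the sample rewrote it.
    """
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW_RE.match(line)
        if m is None:
            current = {"path": line}
            entries.append(current)
            continue
        if current is None:
            raise ValueError(f"hash row before any path: {line}")
        alg, digest = m.group(1), m.group(2).lower()
        # A digest of the wrong length means a copy/paste or extraction error.
        if len(digest) != HEX_LEN[alg]:
            raise ValueError(f"{alg} digest has {len(digest)} hex chars: {line}")
        current[alg] = digest
    return entries


def rewritten_paths(entries):
    """Paths whose content changed between writes (more than one SHA256 observed)."""
    seen = {}
    for e in entries:
        seen.setdefault(e["path"].lower(), set()).add(e["SHA256"])
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


def blocklist(entries, alg="SHA256"):
    """Deduplicated, sorted digests for a hash block list."""
    return sorted({e[alg] for e in entries if alg in e})


if __name__ == "__main__":
    files = parse_files(REPORT_FILES)
    for path, hashes in rewritten_paths(files).items():
        print(f"rewritten during run: {path} ({len(hashes)} distinct SHA256)")
    print("\n".join(blocklist(files)))
```

The same sample produced different file names and hashes on win7 and win10, so the digests in this report identify this detonation's artifacts rather than what the dropper will write on the next host; the Run/RunOnce value name and the drop locations in the signature tables are the more durable indicators.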