Analysis Overview
SHA256: 52a8bb490c868edf054e614d365c51ad26d9fcb96fb32d9c36625031684517f0
Threat Level: Shows suspicious behavior
The file 52a8bb490c868edf054e614d365c51ad26d9fcb96fb32d9c36625031684517f0N.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-13 19:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-13 19:12
Reported: 2024-11-13 19:14
Platform: win7-20240903-en
Max time kernel: 119s
Max time network: 119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | C:\Users\Admin\AppData\Local\Temp\52a8bb490c868edf054e614d365c51ad26d9fcb96fb32d9c36625031684517f0N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| N/A | N/A | C:\AdobeQ4\devdobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\52a8bb490c868edf054e614d365c51ad26d9fcb96fb32d9c36625031684517f0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\52a8bb490c868edf054e614d365c51ad26d9fcb96fb32d9c36625031684517f0N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeQ4\\devdobec.exe" | C:\Users\Admin\AppData\Local\Temp\52a8bb490c868edf054e614d365c51ad26d9fcb96fb32d9c36625031684517f0N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintRI\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\52a8bb490c868edf054e614d365c51ad26d9fcb96fb32d9c36625031684517f0N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\52a8bb490c868edf054e614d365c51ad26d9fcb96fb32d9c36625031684517f0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeQ4\devdobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\52a8bb490c868edf054e614d365c51ad26d9fcb96fb32d9c36625031684517f0N.exe | "C:\Users\Admin\AppData\Local\Temp\52a8bb490c868edf054e614d365c51ad26d9fcb96fb32d9c36625031684517f0N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe" |
| C:\AdobeQ4\devdobec.exe | C:\AdobeQ4\devdobec.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
| Algorithm | Digest |
|---|---|
| MD5 | a4cfa7da868f6ad3f1f2a296327ae806 |
| SHA1 | 956dcb32e2a652dbd1e1696517dff4c0d609a73a |
| SHA256 | 86127e0a797cad65aeda25a3f6139a95bafe595b6949a9a1ade6a5232cf4d3a0 |
| SHA512 | 48457682a8107f9cf6e5aab3c66df7c402ca302933a2d8a116aec737d8f373ab338aae8d93f5de1088add3fc8dd4895bf8cbed564fb3479c72f4a5c2709d541c |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Algorithm | Digest |
|---|---|
| MD5 | 192ed5335773d412a8837cd719bba0a9 |
| SHA1 | 7106ba468c4f368ffb60f3eb4b96d1723fd851e0 |
| SHA256 | b9eb210503d0ca32637e2a7611f39e78092e8efaaefd956452645cf66c682599 |
| SHA512 | 414821fa21f928cb684ccd221f48a77d60b795d4462ef84e12e1057258f7273aa41b22bb7b8f6df9947b4d5b9631dfd06c8adba4e38ec653e39d09211ac86d65 |
C:\AdobeQ4\devdobec.exe
| Algorithm | Digest |
|---|---|
| MD5 | 27a967a19dfd749fc4ec4cba765049b8 |
| SHA1 | 749b08848a6c35a95fb836c0b1917f3e4974898c |
| SHA256 | ebd80c7dd3d162c27901aab8bbf0943c91db15b05898b5c178ab17a2dc9528ba |
| SHA512 | 1558b004a33f2358aa50a75bdbd1a5b33c2148b84d1543659aa79d89e05a6c9558b126169517473b7aec290966f4ef28cd5815716cb9e8d110d36a0092119e50 |
C:\MintRI\optidevsys.exe
| Algorithm | Digest |
|---|---|
| MD5 | 5b5996381af636bbccd95ee6e6c392fe |
| SHA1 | 4678ba435b4c20dc6d28d5a7b252600dfb1fe177 |
| SHA256 | f83e5309b87a90982a3a6fd24992984e012f0375eb4e251c2fdfca0e81ef5838 |
| SHA512 | 9eac790190db1fd9d427c74ac7a8163150a0febadffee6134e162df028cb901a02012e1b7c672fff67709ae826464f642a64ceace927448ee5840199de6d2fa3 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Algorithm | Digest |
|---|---|
| MD5 | e1204374d74db41a7bf97da4e17c2a24 |
| SHA1 | 38f428bb5c56bfda0f01184e29d657962e3e1564 |
| SHA256 | 7f6a206013fcd34f645c921a0f474d1b57e55bfdf87581c43415248b43df517c |
| SHA512 | 62b4a5c8d17cc8d508ef50eed92b13b302c5f98ef1f496dd2da6b1e872a89eb26fd80216fe417d81777148f0f7bba6b8ec34e41d172ba1a55dbc643ffd9f255b |
C:\MintRI\optidevsys.exe
| Algorithm | Digest |
|---|---|
| MD5 | 8df8fab62052244271cc23f5116cc49a |
| SHA1 | 589dbff6bb06c57c083bdc2098cdadf007ce2a49 |
| SHA256 | b5c99f6a8805e1f31526c51f5da9cdb9a92fcbf59b58b9767b83c458c654a31a |
| SHA512 | cbb90d69b76d07981c2230820a78a611eb74280591223b8e75d63c53d3c3395e2b9b2066d83505bf3e28fb6d5a83261e1dc170e41dfc354cc6ef3f2bd826e779 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-13 19:12
Reported: 2024-11-13 19:14
Platform: win10v2004-20241007-en
Max time kernel: 119s
Max time network: 95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | C:\Users\Admin\AppData\Local\Temp\52a8bb490c868edf054e614d365c51ad26d9fcb96fb32d9c36625031684517f0N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| N/A | N/A | C:\Intelproc0I\abodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc0I\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\52a8bb490c868edf054e614d365c51ad26d9fcb96fb32d9c36625031684517f0N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZJ6\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\52a8bb490c868edf054e614d365c51ad26d9fcb96fb32d9c36625031684517f0N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\52a8bb490c868edf054e614d365c51ad26d9fcb96fb32d9c36625031684517f0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Intelproc0I\abodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\52a8bb490c868edf054e614d365c51ad26d9fcb96fb32d9c36625031684517f0N.exe | "C:\Users\Admin\AppData\Local\Temp\52a8bb490c868edf054e614d365c51ad26d9fcb96fb32d9c36625031684517f0N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe" |
| C:\Intelproc0I\abodec.exe | C:\Intelproc0I\abodec.exe |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
| Algorithm | Digest |
|---|---|
| MD5 | 814c781368680a3660447300bfc6acaf |
| SHA1 | 81228caa093b55e5bbefcb71fa882b377cdd5c07 |
| SHA256 | 777e4fe5e1d5841bbe2b36f938d829ac54b3468b2b44ad411c0229803c09363c |
| SHA512 | 685bfb634a618b177919d16df0185a36d05efa0bada7e422c5810c00aaf00505c38c4b5f1eef39c798eaf28899fd7ddf9c6d604edb84ea679aad457da9fc317b |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Algorithm | Digest |
|---|---|
| MD5 | 730f7ae9f213b3203923a82a9b5ef52d |
| SHA1 | db4b7a7b0fb8bb735fc8f26753619375c5aa27af |
| SHA256 | 246b2f4330bbdd5efe0627493e0c54563ef4ffbcaaa3cd3cf6b4adfa95fe7404 |
| SHA512 | e1c27340590e8856df407a25951fdd702dbded2e2fb0bdd82e039cd65dd49b3269ecf7d1bfec501786568f335e8a242d038286b32f8832b19b4b51804bf3ec73 |
C:\Intelproc0I\abodec.exe
| Algorithm | Digest |
|---|---|
| MD5 | 937de1772346375a4d22b2da5de837c2 |
| SHA1 | cc6341e345fc600a18bf794e6bb7c108524be9f2 |
| SHA256 | 90b9c8f130f4bdd8624bcd6c8040c24641767e6a12aac0d096cc44a18b25ee1d |
| SHA512 | 44bbb069abca755a8604e5349e9d0c722517b4c68b604a82ad2ef24f19f1193c7ac191fb0f3164ce6dad43f68301096144fe2ca384d3b465286ff0ed80ccfc90 |
C:\Intelproc0I\abodec.exe
| Algorithm | Digest |
|---|---|
| MD5 | 14d7306f05344e10292d74faa98a0ba5 |
| SHA1 | d27eded64dd62617aca164cff210421c0fe4bbb6 |
| SHA256 | 15b0f0b2326386aed734ae52593866df21f62a057dc82ee789f47531cc680e12 |
| SHA512 | 1c7358c7553a42fc9fc1a3f436fc8b0cc020a6bee3a349c1c5502233dccdeddbc64fbe0ee50f89ffc75855075ed684fd7f4c47cf36b6e327444910b985de1195 |
C:\LabZJ6\bodaec.exe
| Algorithm | Digest |
|---|---|
| MD5 | 2b58c8a4ee044b6d505a0c25b24924c5 |
| SHA1 | 59b80cb8cd2dba1119be27823e6a9fd6cf83cb4e |
| SHA256 | 67a2e50dd72dbe320b4e29c363d83a1e509b825bf377c6846a7bbe61b933ce00 |
| SHA512 | 2d5d54779fe441e3be6c72b7b78b31bf7dfaace2a66b2e83369d1d7a3ea23670d515f133378031f088b3005adef42f3e95dd170e16e7f82fcfa0bd0020c0aa6e |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Algorithm | Digest |
|---|---|
| MD5 | 07f241b9b1ae4b786cbea8bdf1a6807b |
| SHA1 | 48171354dcfc8f3cb8123e33d1c2319a65415c40 |
| SHA256 | c2ede28c8a80420a02bac97d482e6629b539bcad6e9dc8fd922a07c99988bd6f |
| SHA512 | a09b2a60c40a24e8db1400755c03b37f85840adc772ccc89002ca8922b3dfb420cea2ae85dca454e6c58eb61f4ff8a000722bb4722baf025ccf5ad57adde8c09 |
C:\LabZJ6\bodaec.exe
| Algorithm | Digest |
|---|---|
| MD5 | e2bcfb4e5531950cbbe1a5e3109dafff |
| SHA1 | 2273e8e7deaf3debe7f9e75a905888108043f9d4 |
| SHA256 | 860b3d6689230a237185e6d43f6cb815b0feaa386f4667b041020fa21d829469 |
| SHA512 | 809ddda7b39ab04a6668ab6dbe6f3a8829ffe32f158a983f67f662a223de420a409de569fb9444ed8dd4cd4bc2ad90e4d37450fda60ceb6c1a12dded789d4029 |