Analysis Overview
SHA256
c57ac7e7ccc53b8a141d9fe224ad1bd0deebc3daabd67e5bdf35b42603ceeef2
Threat Level: Shows suspicious behavior
The file c57ac7e7ccc53b8a141d9fe224ad1bd0deebc3daabd67e5bdf35b42603ceeef2N (the submitted filename; it ran as c57ac7e7ccc53b8a141d9fe224ad1bd0deebc3daabd67e5bdf35b42603ceeef2N.exe in both detonations) was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Techniques matched by the signatures below: T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (the Run and RunOnce values and the file dropped into the per-user Startup folder); T1614.001 System Location Discovery: System Language Discovery (reads of the NLS\Language key).
Analysis: static1
Detonation Overview
Reported
2024-11-13 19:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 19:16
Reported
2024-11-13 19:18
Platform
win7-20240903-en
Max time kernel
120s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | C:\Users\Admin\AppData\Local\Temp\c57ac7e7ccc53b8a141d9fe224ad1bd0deebc3daabd67e5bdf35b42603ceeef2N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| N/A | N/A | C:\UserDot4V\adobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c57ac7e7ccc53b8a141d9fe224ad1bd0deebc3daabd67e5bdf35b42603ceeef2N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c57ac7e7ccc53b8a141d9fe224ad1bd0deebc3daabd67e5bdf35b42603ceeef2N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot4V\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\c57ac7e7ccc53b8a141d9fe224ad1bd0deebc3daabd67e5bdf35b42603ceeef2N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintJE\\bodxsys.exe" | C:\Users\Admin\AppData\Local\Temp\c57ac7e7ccc53b8a141d9fe224ad1bd0deebc3daabd67e5bdf35b42603ceeef2N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c57ac7e7ccc53b8a141d9fe224ad1bd0deebc3daabd67e5bdf35b42603ceeef2N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDot4V\adobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c57ac7e7ccc53b8a141d9fe224ad1bd0deebc3daabd67e5bdf35b42603ceeef2N.exe
"C:\Users\Admin\AppData\Local\Temp\c57ac7e7ccc53b8a141d9fe224ad1bd0deebc3daabd67e5bdf35b42603ceeef2N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
C:\UserDot4V\adobsys.exe
C:\UserDot4V\adobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
| MD5 | 38930cf2a577bb585d710b3976a222b8 |
| SHA1 | 9a8f4ef0cbcf67e5af7ddcac6fb2bcd0696acb5e |
| SHA256 | 569802bce22bd711ec79dfe1d86fee2f6cbf954bb9cf671a0e166068b9f81e8d |
| SHA512 | 06af428fbeefcbf0d8c5900f7d7ee09a6797883e0bc98d32f0c0af65d2087e66fd22bde6629887a9bfd393d046d0673eeb08add54f6c37f02630321a0068f582 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 50cef773ffe689b44d7b1b7cf47d18d6 |
| SHA1 | 330b7308674bc7f70e83f52dd2ceffda94934dc2 |
| SHA256 | 17d8ceb214db6e0860064c7df1f366b0d0a11399fd8866a1dbbd004f8a8268b3 |
| SHA512 | 69ac24ccd4453110dfae2b30a38c90e8467a6bf9cedbd5a535e0942a74b324e814007a131cdddc7cb1cc7ea16fadbd1d502e715457bcd07548c90e07d881c4df |
C:\UserDot4V\adobsys.exe
| MD5 | 1ec3032e3b852a666b1f7e0ef1e62c41 |
| SHA1 | 5ddf2596dfae4e643d2f08759fcb3d6e292ff4c3 |
| SHA256 | 0122af8ffeafaef1d2f5a169405758d695d131f57fb0bfa54b14bb58abf824c7 |
| SHA512 | f1ee7d442244b233e2f8056eefd678a3f4fcfa3c4a83313247844110311b9cc65400c268e451de9b03d82f9093b1b3a1a40d9eb07adce8335145cb374e06a29f |
C:\MintJE\bodxsys.exe
| MD5 | 5298969dc7239d869eaa9807f4cf7e12 |
| SHA1 | fad1c584ac1efe7002b25a1596b1817bc76e7faf |
| SHA256 | 3b618f28f963ed00ab70eb68a5a078ffe7aa40c7d5027ca6ecbf96086bc4471b |
| SHA512 | c23d363c5121fe5eebd5fc8bc1df2195b7b1ade380e712842733476f1b6275a50052a07965622b07c7127c14597282377adce9fc567200fb579a19e6525de053 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | aeb384f1e097ea21d505bf5ca2c7c1a2 |
| SHA1 | 828bb63147b318e28988954fb745cfa007a35e12 |
| SHA256 | 343aa316bc647a2651641fe3ca303ce2030d4c35e426bdc31a4b655797011fd8 |
| SHA512 | bdfe85dd5268ad255e9fdef1286e03aaba2143450a3b7a984086e9b81a2ec8934ef3184044336ff009c30d706acafe79d54233834a3e9381879aefae3607acfd |
C:\MintJE\bodxsys.exe
| MD5 | 20794ebf3c51ee84b866337d3ae19003 |
| SHA1 | d9bbedd6afb02e962b95db07995c54c0a8446492 |
| SHA256 | b025a5058d66c26ded60f8fea11b825330969d3cd1ef53a7c1fa3e1296eed85d |
| SHA512 | 381737ad10bafe55edb7b2858cce4e5a6481e3793b1f0545f550368b208915f8e857f467aa0ba0b384b1d016acae357f7315693f3d1147ffa1ef8d18c64aa852 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 19:16
Reported
2024-11-13 19:18
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | C:\Users\Admin\AppData\Local\Temp\c57ac7e7ccc53b8a141d9fe224ad1bd0deebc3daabd67e5bdf35b42603ceeef2N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| N/A | N/A | C:\SysDrv58\devoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv58\\devoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\c57ac7e7ccc53b8a141d9fe224ad1bd0deebc3daabd67e5bdf35b42603ceeef2N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintQJ\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\c57ac7e7ccc53b8a141d9fe224ad1bd0deebc3daabd67e5bdf35b42603ceeef2N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c57ac7e7ccc53b8a141d9fe224ad1bd0deebc3daabd67e5bdf35b42603ceeef2N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrv58\devoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
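The two detonations differ only in the names chosen for the dropped files (sysxdob.exe, adobsys.exe and bodxsys.exe on Windows 7; locdevopti.exe, devoptisys.exe and optidevsys.exe on Windows 10) and in the short, non-standard directories created directly under C:\ (C:\UserDot4V and C:\MintJE, C:\SysDrv58 and C:\MintQJ). What is stable across both runs is the shape of the persistence: an .exe dropped into the per-user Startup folder, a Run value and a RunOnce value both named Parametr pointing at executables in root-level directories, and the dropped executables then launched from the submitted sample. The Python below is an added detection example written for this page, not sandbox output or code from the sample; it runs the name-independent form of that logic over constructed Sysmon-style events (EventID 1 ProcessCreate, 11 FileCreate, 13 RegistryEvent value set) modelled on the behavioral1 indicators, plus one constructed benign Run value as a control. The NLS\Language key reads are deliberately not alerted on: legitimate software reads that key constantly, so on its own it is only corroborating context.

```python
from __future__ import annotations
import re
from typing import Iterable

# Autostart value under the per-user Run or RunOnce key (the Win7 report writes
# "Software", the Win10 report "SOFTWARE", hence IGNORECASE).
AUTORUN_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# An .exe inside the per-user Startup folder, the path both detonations used.
STARTUP_EXE_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$",
    re.IGNORECASE,
)
# An .exe exactly one directory below the drive root, e.g. C:\UserDot4V\adobsys.exe.
ROOT_EXE_RE = re.compile(r"^[A-Z]:\\(?P<dir>[^\\]+)\\[^\\]+\.exe$", re.IGNORECASE)
# First executable path inside registry data that may carry quotes and arguments.
EXE_IN_DATA_RE = re.compile(r'[A-Z]:\\[^"]*?\.exe', re.IGNORECASE)
# Root-level directories in which an autostart target is unremarkable.
EXPECTED_ROOT_DIRS = {"windows", "program files", "program files (x86)", "programdata", "users"}


def exe_from_registry_data(data: str) -> str:
    """Extract the target .exe from Run/RunOnce data, tolerating the doubled
    backslashes and quotes the report prints as well as trailing arguments."""
    m = EXE_IN_DATA_RE.search(data.replace("\\\\", "\\"))
    return m.group(0) if m else ""


def is_root_dir_exe(path: str) -> bool:
    """True for X:\\<dir>\\<file>.exe where <dir> is not a standard root folder."""
    m = ROOT_EXE_RE.match(path)
    return bool(m) and m.group("dir").lower() not in EXPECTED_ROOT_DIRS


def classify(event: dict) -> list[str]:
    """Detection names fired by one Sysmon-style event (constructed schema)."""
    hits: list[str] = []
    if event["EventID"] == 13:  # RegistryEvent: value set
        m = AUTORUN_RE.search(event["TargetObject"])
        if m:
            if is_root_dir_exe(exe_from_registry_data(event["Details"])):
                hits.append(f"autorun_{m.group('key').lower()}_root_dir_exe")
            if m.group("name").lower() == "parametr":  # exact value name from this report
                hits.append("autorun_value_name_parametr")
    elif event["EventID"] == 11:  # FileCreate
        if STARTUP_EXE_RE.search(event["TargetFilename"]):
            hits.append("startup_folder_exe_dropped")
    elif event["EventID"] == 1:  # ProcessCreate
        if STARTUP_EXE_RE.search(event["Image"]) or is_root_dir_exe(event["Image"]):
            hits.append("dropped_exe_executed")
    return hits


def scan(events: Iterable[dict]) -> dict[str, list[str]]:
    """Map each detection name to the images (processes) that triggered it."""
    findings: dict[str, list[str]] = {}
    for ev in events:
        for name in classify(ev):
            findings.setdefault(name, []).append(ev["Image"])
    return findings


# Constructed events modelled on the behavioral1 indicators; the Win10 run has
# the same shape with locdevopti.exe, C:\SysDrv58 and C:\MintQJ substituted.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c57ac7e7ccc53b8a141d9fe224ad1bd0deebc3daabd67e5bdf35b42603ceeef2N.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" + "\\"
HKU_CV = r"HKU\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion" + "\\"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": STARTUP + "sysxdob.exe"},
    {"EventID": 13, "Image": SAMPLE, "TargetObject": HKU_CV + r"Run\Parametr", "Details": r"C:\UserDot4V\adobsys.exe"},
    {"EventID": 13, "Image": SAMPLE, "TargetObject": HKU_CV + r"RunOnce\Parametr", "Details": r"C:\MintJE\bodxsys.exe"},
    {"EventID": 1, "Image": STARTUP + "sysxdob.exe", "ParentImage": SAMPLE},
    {"EventID": 1, "Image": r"C:\UserDot4V\adobsys.exe", "ParentImage": SAMPLE},
    # Benign control (constructed): a quoted Run value into Program Files must stay silent.
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe", "TargetObject": HKU_CV + r"Run\OneDrive",
     "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for name, images in scan(SAMPLE_EVENTS).items():
        print(f"{name}: {', '.join(images)}")
```

The value name Parametr is the only literal IOC in the rules; everything else keys on where the autostart target lives and where the dropped file is created, so a rebuilt sample with fresh directory and file names still fires the same four behavioural detections. The OneDrive control shows the one deliberate blind spot: a Run value whose target lives under Program Files, Windows or the user profile is not flagged, which is the trade-off for not drowning in legitimate autostarts.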
Processes
C:\Users\Admin\AppData\Local\Temp\c57ac7e7ccc53b8a141d9fe224ad1bd0deebc3daabd67e5bdf35b42603ceeef2N.exe
"C:\Users\Admin\AppData\Local\Temp\c57ac7e7ccc53b8a141d9fe224ad1bd0deebc3daabd67e5bdf35b42603ceeef2N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
C:\SysDrv58\devoptisys.exe
C:\SysDrv58\devoptisys.exe
Network
Only reverse-DNS (in-addr.arpa PTR) lookups over UDP to 8.8.8.8 were recorded; the table attributes none of this traffic to a specific process, and no other destination, domain or protocol appears in either detonation.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
| MD5 | 603df20fc141dcde12b779f3628edb3c |
| SHA1 | 457a91ee0acf9b08abc67fa3c617d38a2779d7f4 |
| SHA256 | 13e1116b457e86487a2ec6b4a094b985c147f9a44624ccc82c964b04e72f56a0 |
| SHA512 | b32c56bed348d616445127955d7a60773fb96b46544b28abd49583d6f5bcf2a3c4a8eb9a226534b1b0b02259701cec0d1c3d303d74f6af91e08ba5cd0a5e4695 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | fa05ad0ba426dba14b79e8eab489e808 |
| SHA1 | ae46b176cea4621de5607daf881b75022773d389 |
| SHA256 | e14da7417a580e255d2b1a72df0c59901886862cf0fab06cc99cf8c20fe7a2b3 |
| SHA512 | f0e863ab590a5085b006579b98b00c0b6cb3488efaae0cacbb12653673c631ff40135683c2f2ad792254bb009b2cf8f4ec33ecf8ff9661fb2e1913fa8b1429ab |
C:\SysDrv58\devoptisys.exe
| MD5 | 2e4f2d04728527fc3dc65505c26899fb |
| SHA1 | 48d9661799a275e767fa397f434d8f99437772d4 |
| SHA256 | 1646094fbde9efd67639e326886b8736bbc70ff8a12f8d188c3e76b0764dd391 |
| SHA512 | c8fd8708225bc160cfccc4c76b96e2a182e7e0d34acb0e13931b515fb4f111d09af5130975f36e57c600a1723a42dcb5a3551595d9ab316896c15932e3edc007 |
C:\MintQJ\optidevsys.exe
| MD5 | 0c1c986e229374a18c530a2d7f32c7ae |
| SHA1 | 536fe3d0c06da3e3dc6348a71cabd2efc5aaeade |
| SHA256 | 635165133833613840e24036f960860cbe63df6d0750f8a0d72ae985e6a6f2ac |
| SHA512 | 6d5576bedf47641d931c9e55a2139618962160ecd20be6bdf48e3ed9e5d5c208dab442d1ae5e7451b4bcfeb9a64f7c3b221e306e0df08fda04d4b3f7506c42db |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | f72aa53ba505f6ddfb47646348cac794 |
| SHA1 | 5be28642b46267e5151d156cbc5e9914c862161b |
| SHA256 | c8b76bf89b6ec13c8e85e7d5d3fb4fe65460ef2a180d892b94ba40c1a6be56ff |
| SHA512 | 4a6a8b28ca8897b7d70b9d171befe3aa250677eaeea5903149f9d0cb1a11a7a34344ba4a23b5488288ec9f81cdbd77bee7c3451f14a04db85549f0f34ea584a3 |
C:\MintQJ\optidevsys.exe
| MD5 | 056fddc407dbec06377774586d73d078 |
| SHA1 | 13f054299719865aef36d8257559e870e3aa8a1c |
| SHA256 | bb1cb7f2d538e93fe230c7ae50201b4b5bb10217b212886a7570283931736f88 |
| SHA512 | 913bf63d2d5c6522911b8d1eca7a18a6398dcc7ca8e3b7fe1cfc605706502042982df6c6de300408e88a57f4863eed71bcb6882d32771a3090665a62a8f7eef1 |
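Two paths in each run appear twice in the file lists with different hashes: C:\Users\Admin\253086396416_6.1_Admin.ini and C:\MintJE\bodxsys.exe on Windows 7, C:\Users\Admin\253086396416_10.0_Admin.ini and C:\MintQJ\optidevsys.exe on Windows 10. The sandbox recorded two different versions of each of those paths inside the 120 s window, so a hash taken from the first version of the RunOnce target or the .ini is not the hash of the file that is on disk when the run ends, and hash-only blocking of those two files is unreliable; the Startup-folder dropper and the Run target were recorded once each. The .ini name also encodes the OS version (6.1 for Windows 7, 10.0 for Windows 10) between a numeric prefix that is identical on both platforms and the user name. The Python below is an added example for this page, not sandbox output or code from the sample: a parser for the report's file-list format (a path line followed by | HASH | value | rows) that groups entries by path, reports paths with more than one SHA256, and splits the .ini name into its parts. The embedded data is copied from the two Files sections above, SHA256 rows only.

```python
from __future__ import annotations
import re
from collections import defaultdict

# One "| MD5 | ... |" style row from the report's Files section.
HASH_ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
# <numeric prefix>_<major.minor OS version>_<user>.ini, as in 253086396416_6.1_Admin.ini
INI_NAME_RE = re.compile(r"(?P<prefix>\d+)_(?P<osver>\d+\.\d+)_(?P<user>[^_\\]+)\.ini$")


def parse_files_section(text: str) -> list[dict]:
    """Turn 'path line followed by hash rows' into [{'path': ..., 'SHA256': ...}, ...]."""
    entries: list[dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW_RE.match(line)
        if m and entries:
            entries[-1][m.group(1)] = m.group(2).lower()
        elif not m:
            entries.append({"path": line})
    return entries


def rewritten_paths(entries: list[dict]) -> dict[str, list[str]]:
    """Paths recorded with more than one distinct SHA256 (paths compared case-insensitively)."""
    seen: dict[str, set[str]] = defaultdict(set)
    for e in entries:
        if "SHA256" in e:
            seen[e["path"].lower()].add(e["SHA256"])
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


def ini_fields(path: str) -> tuple[str, str, str] | None:
    """(prefix, os version, user) for the <prefix>_<osver>_<user>.ini naming, else None."""
    m = INI_NAME_RE.search(path)
    return (m.group("prefix"), m.group("osver"), m.group("user")) if m else None


# Copied from the behavioral1 (Win7) and behavioral2 (Win10) Files sections, SHA256 rows only.
REPORT_FILES = r"""
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
| SHA256 | 569802bce22bd711ec79dfe1d86fee2f6cbf954bb9cf671a0e166068b9f81e8d |
C:\Users\Admin\253086396416_6.1_Admin.ini
| SHA256 | 17d8ceb214db6e0860064c7df1f366b0d0a11399fd8866a1dbbd004f8a8268b3 |
C:\UserDot4V\adobsys.exe
| SHA256 | 0122af8ffeafaef1d2f5a169405758d695d131f57fb0bfa54b14bb58abf824c7 |
C:\MintJE\bodxsys.exe
| SHA256 | 3b618f28f963ed00ab70eb68a5a078ffe7aa40c7d5027ca6ecbf96086bc4471b |
C:\Users\Admin\253086396416_6.1_Admin.ini
| SHA256 | 343aa316bc647a2651641fe3ca303ce2030d4c35e426bdc31a4b655797011fd8 |
C:\MintJE\bodxsys.exe
| SHA256 | b025a5058d66c26ded60f8fea11b825330969d3cd1ef53a7c1fa3e1296eed85d |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
| SHA256 | 13e1116b457e86487a2ec6b4a094b985c147f9a44624ccc82c964b04e72f56a0 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| SHA256 | e14da7417a580e255d2b1a72df0c59901886862cf0fab06cc99cf8c20fe7a2b3 |
C:\SysDrv58\devoptisys.exe
| SHA256 | 1646094fbde9efd67639e326886b8736bbc70ff8a12f8d188c3e76b0764dd391 |
C:\MintQJ\optidevsys.exe
| SHA256 | 635165133833613840e24036f960860cbe63df6d0750f8a0d72ae985e6a6f2ac |
C:\Users\Admin\253086396416_10.0_Admin.ini
| SHA256 | c8b76bf89b6ec13c8e85e7d5d3fb4fe65460ef2a180d892b94ba40c1a6be56ff |
C:\MintQJ\optidevsys.exe
| SHA256 | bb1cb7f2d538e93fe230c7ae50201b4b5bb10217b212886a7570283931736f88 |
"""

if __name__ == "__main__":
    entries = parse_files_section(REPORT_FILES)
    for path, hashes in rewritten_paths(entries).items():
        print(f"{path}: {len(hashes)} versions -> {', '.join(h[:12] for h in hashes)}")
    for e in entries:
        fields = ini_fields(e["path"])
        if fields:
            print(f"{e['path']}: prefix={fields[0]} osver={fields[1]} user={fields[2]}")
```

For blocking, take the hashes of the files recorded once (the Startup-folder dropper and the Run target in each run) and treat the RunOnce target and the .ini as path and registry indicators rather than hash indicators. The parser keeps the Win7 Startup path exactly as the report prints it, without a drive letter, so it will not merge with a drive-qualified copy of the same path; normalise paths before grouping if you feed it reports from several sources.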