Analysis Overview
SHA256
57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8
Threat Level: Shows suspicious behavior
The file 57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Drops startup file
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 19:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 19:48
Reported
2024-11-13 19:50
Platform
win7-20241010-en
Max time kernel
119s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\IntelprocZ6\xbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocZ6\\xbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxAH\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocZ6\xbodloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe
"C:\Users\Admin\AppData\Local\Temp\57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
C:\IntelprocZ6\xbodloc.exe
C:\IntelprocZ6\xbodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
| Hash | Value |
| --- | --- |
| MD5 | 5063d8562e42e3f6ea51dfa0df6cec2c |
| SHA1 | d617c2bea44b07707e27b3b2f724f5de1b5cc17d |
| SHA256 | 6f7758eb0c085f21dff1c2d27405a3adf12953a36448ffe4c9b38dec5a990379 |
| SHA512 | d9b32593973f85b027ac691964de3af4e7fb59a61328cfa2697571c3ea84335309342f11e158f94891829774de0a6d6694e2c8c88b3dba11410432b31abff8fe |
C:\IntelprocZ6\xbodloc.exe
| Hash | Value |
| --- | --- |
| MD5 | c63623d7d58f5985f5af1d647fe48af2 |
| SHA1 | 502f2fe423a9e727ee91f3310b6dcacbd8897fc6 |
| SHA256 | 19999e66557bd54152a8ed7b7b95d66bdcd4a3947eeb7407d731ab6c968767cd |
| SHA512 | b6bde127ff85b0addb5a039591fbeb4172fe7582f4243a8bfcbb209dd337ef718be579d533b6dc9ecdde52f266fa9cf20065ac67735977be4714e1d9c4e6137f |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 3311d824d5b2c425559a6b6cb02e8531 |
| SHA1 | 351518052ea3f92dd0059667b65a0146dc2ebf89 |
| SHA256 | dff2eed3eed9529f1070ef2ef4abd48217672eb0c9f9a94bbaa9b4073800c1ec |
| SHA512 | e1c12d477271d5cfd6a7d25b6f9bb42645304186d4d541851b2cbecf8a323b0641c9ac9719849b3fa7969db76157f321da06e8d89e43184f4ba999835a2f1402 |
C:\GalaxAH\bodasys.exe
| Hash | Value |
| --- | --- |
| MD5 | 4a98f28708d3b69fdba2ca1820cda614 |
| SHA1 | c4abf96ac618b923c0204eb9777c83d5e7794817 |
| SHA256 | 21705ad76cea6bb93cbebe83333d4bebb4950f6ddd80a4d878997b2229f06f7e |
| SHA512 | 3603079eae5ecf203489ddff84b1dec20c50ed56951f420917f8d27a31d4e31b9dd076dc1e2362401fadb678613b9176c9f931ff0b16fdb70cdfb09f6872f313 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | a561986076a98ec2699d986e70254643 |
| SHA1 | 4eb20f47f9f3205d143801a325f07c00784a83a9 |
| SHA256 | 7a1ae1610cd149c3fc346c6697e30e9a20bb72af9b6e03418e803e68b916491a |
| SHA512 | 90567f0061d05b03dcd5f65c8ac71e1937a487b9a20d433badab5bca403238c28613aa3ddd03488ac16064127987cf09e1a7fe61667113c9e198b550c258e3c1 |
C:\GalaxAH\bodasys.exe
| Hash | Value |
| --- | --- |
| MD5 | dc15e86e319ef185540511b77b43aa8f |
| SHA1 | 8a43b3cafc32391559f9308331f6eeb2dc06f750 |
| SHA256 | 511c0ba1c55934b3abb666a5d065ba70ec22b6f46bcd10f359acf311132fb4e6 |
| SHA512 | c2c2794a0105d7e9a74f5ba6beb99c6e6fab698f142944719234ee326b39f342b36164b40a802c4d2352002fc8aa637a11ef4632c81ab1cad3cc933d6142a667 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 19:48
Reported
2024-11-13 19:50
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | C:\Users\Admin\AppData\Local\Temp\57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| N/A | N/A | C:\SysDrvN1\xoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvN1\\xoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidUW\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvN1\xoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe
"C:\Users\Admin\AppData\Local\Temp\57507df342e08f2c973ac127947c89ee9eea14fd89d2d819ba210bb2723fd2a8.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
C:\SysDrvN1\xoptiloc.exe
C:\SysDrvN1\xoptiloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.144.22.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
| Hash | Value |
| --- | --- |
| MD5 | 2ced12bb430acb0cc4dd2987f1f513bf |
| SHA1 | 3d9209087964b78439ed1da76893a9fd5e2d5bd8 |
| SHA256 | 0881624965cf152791b1b45dd1db193032dd17ea64eb9f85df4ced6d566bcad5 |
| SHA512 | 704cf5c29eb9ffcf7944c7beef01cc5ff64a3a3c7db8f9312d9f3fc4e217ee28cb50621fcfa7a7f9a62a370258f5183cdbf8e1e939ee0af5ab3edc7550bde280 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | f00715b6f0df7ad27d80ecb721719644 |
| SHA1 | 94bf91019d66a5bbbf40347a5e4f5b6972c1d420 |
| SHA256 | ca7d0bd3e57d67f2c75c9f26ca1142eba0ea8e48a48bed112b0553bc5dea7591 |
| SHA512 | 995f4c7e30383765984f585484cd8c30c1822a7148c74f225f7cf8d822e6b092adba5c6e11bf6140cb69ee3c9bc9c176d1a59fb7a57cba62b399cab3ec599733 |
C:\SysDrvN1\xoptiloc.exe
| Hash | Value |
| --- | --- |
| MD5 | d893a45963361dac7e8fef93283d482e |
| SHA1 | 377a7512739775494e5a151f700c52c9b522e355 |
| SHA256 | 96a0ad8fcadd070036672728bda15a75a9a9a8059652ea6252faeb6ec5dc4b8a |
| SHA512 | 34f62f271e5d9d1ad099fad041321c8ca5ce9fd8e9f81c27ada09c9be7fe1ee4cab1496d33f0a877178a520c14edbfa3dc79f1830cae727469f478b459785aa1 |
C:\VidUW\dobdevec.exe
| Hash | Value |
| --- | --- |
| MD5 | 96bea98d9c4749b6f69714269de0b740 |
| SHA1 | 6c3ef7765c25859f371d01ea9f10523040ddd57a |
| SHA256 | 0ddb1ad5ff8054c1590cc3d56e76c72b5c4b946528f4d1b37e1051ea09f7c302 |
| SHA512 | 535b31684379da1d804fcbc6abcc35fffe66d44223509732c8187690e362d50ae092ac4884ca80f104302c090ae4511a68998800074b3e5135e6c6d9c8fb33c5 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 806ae4a7c416dd27301fa863fdca5c12 |
| SHA1 | 28d5c04b85dc65fc30aa95688b55b7195ebd0e70 |
| SHA256 | cf86dbf9f69b9039d2cbfade05ff1d81883f7f2c933bdc364e7b7806191a1d7c |
| SHA512 | 53c478d877cd03e794a013cf5748ea7c74aedc90070227fdeabb7040d8311bf23efb737357cf9aecae7293e778dc0d88982b34cedbb116ecb7c8cc7fa328020a |
C:\VidUW\dobdevec.exe
| Hash | Value |
| --- | --- |
| MD5 | 44e6b6badf1656c3dcbb1ea4fee72975 |
| SHA1 | 6c28682839322d159a51c9df7c4caec4a50e4cc6 |
| SHA256 | f083b618df15848e9db8f20483c51aaf5765aba4ba96c15acc8c39b1546f933f |
| SHA512 | 75dca18a081d0fabda337fbe0b34789c05f7a62615626ca5915e1b69d6c9b03a518acc031d270684f50fa8558d5b22b0818a9fe64fde9b02078ca3c7b049c57f |