Analysis Overview
SHA256
5e6b158b79e63613891c8d38c0b136d7b0b518f2538eabfb0593bc84028ab094
Threat Level: Shows suspicious behavior
The file 5e6b158b79e63613891c8d38c0b136d7b0b518f2538eabfb0593bc84028ab094 was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-02 22:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-02 22:36
Reported
2024-06-02 22:39
Platform
win7-20240419-en
Max time kernel
149s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\5e6b158b79e63613891c8d38c0b136d7b0b518f2538eabfb0593bc84028ab094.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\Files7F\aoptiloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5e6b158b79e63613891c8d38c0b136d7b0b518f2538eabfb0593bc84028ab094.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5e6b158b79e63613891c8d38c0b136d7b0b518f2538eabfb0593bc84028ab094.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files7F\\aoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\5e6b158b79e63613891c8d38c0b136d7b0b518f2538eabfb0593bc84028ab094.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZWP\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\5e6b158b79e63613891c8d38c0b136d7b0b518f2538eabfb0593bc84028ab094.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5e6b158b79e63613891c8d38c0b136d7b0b518f2538eabfb0593bc84028ab094.exe
"C:\Users\Admin\AppData\Local\Temp\5e6b158b79e63613891c8d38c0b136d7b0b518f2538eabfb0593bc84028ab094.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
C:\Files7F\aoptiloc.exe
C:\Files7F\aoptiloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
| MD5 | 10c059b545b42df16c732f425068d56d |
| SHA1 | 60ddaa3ef16c7e069bac6ff2ec9faad9c95f82eb |
| SHA256 | 23ad1cbabbb7d44eb17e4236b64e82d2db1f3283c41725d778b7a7359ab52c8f |
| SHA512 | 7eeee4207a19155efc069eb1f011da7b4f5403283bb1b22a9bdf89d60c33b6e5f080a007f1b57d1c4ae8ecfc34b18790384762c91581d8f1a25208f07d0cac2e |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 1137aff61d3e35640787d47fc3dd3f45 |
| SHA1 | fce1559eda37f49d9c4d399cd2dd030826864545 |
| SHA256 | e92c3998425357c2a5ae3434350c36aeb3f27307657c4fadc13b2f935e58ee8b |
| SHA512 | a35b9bfc15f6e7794b29c84f1a78f6bb1b18ea1114b577302c322a091e16e61fecf0ebfd6310872ad31bc501e492ddd1a051b0f1fbe59d0a44da162ebb380f79 |
C:\Files7F\aoptiloc.exe
| MD5 | c62540e7a8eed4eee2f01312d2097566 |
| SHA1 | 6da763d1f1c49ab85861cca3144b2c5398326987 |
| SHA256 | 9fdfd13e01e781458e9cdbb169e155ad84bf01b9e09d511035db546c0b70874d |
| SHA512 | 4d70d5476564b3b5485e46b9e5dcd37096efb276115b7cc265f4ded6a35d255daf792811ae6a9a40eb64ddf51853e875c712be509ce77ca1838530a5ff246146 |
C:\LabZWP\dobdevloc.exe
| MD5 | c7d39515d485ee8e720ac84bfecf6014 |
| SHA1 | 095e90cfabecd39a219dde693613a9210410b3d9 |
| SHA256 | 533af5b0f3359f49af5521697fc3778cae9b00616e66e3fe0bcacdcbf019461e |
| SHA512 | 3ae77d6c0f49bd9fecbc4797e684ec50a9230645a07a3f95ef79eff026e2f8101f2fcc6000fdec57c15def663a331756465f42b7a93160c462d72212d1c1965b |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 6f886862188a350a00ad2f6efba62573 |
| SHA1 | d453b1736e323936c824193eaf91e13626f0e2ee |
| SHA256 | b470a8a86d27ed907240eee705f04686bf504a5fa2ad03557d205ee9616317ff |
| SHA512 | fbc29f9e42d3084e2e7a3fcb27e72307c6fa66daa1e1d96832d799eaee616304fcbefeafe0f04568c908e96a4c6f4be2f7bb213854c29f14ae0cbe095fb8533b |
C:\LabZWP\dobdevloc.exe
| MD5 | df175b00734e83b413e4c41c7ed14028 |
| SHA1 | a45ae8b388e818195046b566969c4ea27272a9be |
| SHA256 | fa11131d8e2806f4f4562e7c31e32d6b8bbac0f0e0908db58e489ebbfdcb1c09 |
| SHA512 | 253cf3918622d496119d2c15c19a02bf4f2c082306da3792cac1d52f9d20adf76f315788ae791c4c574b6cb56608c60c7810dd1b60b6d46189b80d157c853088 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-02 22:36
Reported
2024-06-02 22:39
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | C:\Users\Admin\AppData\Local\Temp\5e6b158b79e63613891c8d38c0b136d7b0b518f2538eabfb0593bc84028ab094.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| N/A | N/A | C:\UserDotZ0\devbodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxEN\\dobxloc.exe" | C:\Users\Admin\AppData\Local\Temp\5e6b158b79e63613891c8d38c0b136d7b0b518f2538eabfb0593bc84028ab094.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotZ0\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\5e6b158b79e63613891c8d38c0b136d7b0b518f2538eabfb0593bc84028ab094.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5e6b158b79e63613891c8d38c0b136d7b0b518f2538eabfb0593bc84028ab094.exe
"C:\Users\Admin\AppData\Local\Temp\5e6b158b79e63613891c8d38c0b136d7b0b518f2538eabfb0593bc84028ab094.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
C:\UserDotZ0\devbodec.exe
C:\UserDotZ0\devbodec.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 52.111.227.11:443 | N/A | tcp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
| MD5 | 796402e9b87ed8dcf34647077ffadf8c |
| SHA1 | db52c035fad068f4e634b26f155714e49103874d |
| SHA256 | 1bee31ce7f27e18fa7819ca363dae026daa601b06d6222e6939489ad35c94e20 |
| SHA512 | ff1b9752d18308ff0465a26809118e693ff9c7608f30b413889506e0eecd7f5ab77418d248bd730c7cef8f000a9b0d9fece2836bb919fd9eda3030b2af3a689e |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | e5f89182f806c25ab3c4c1d647a0fa13 |
| SHA1 | b59f279802046401e86c1d7a827a23c8212b3ea7 |
| SHA256 | c5f53c200e5fc19ef4b070476ae57c6f657e6f9287ea9a0aed75fc905d0cf70f |
| SHA512 | d5d4e479dd93ae4196c3168e195b2db175fdc5276d1b7056b11397e4624d6c188e2fc26b6d91aea0f9d7b5fbef3eeb5ab0ed0e2dd99757ae74f134437dabc68c |
C:\UserDotZ0\devbodec.exe
| MD5 | 95ddb5bd4a3174adb3714e3c4d68dc95 |
| SHA1 | 5aab918f906f7ce458760be087d607d5cdbe3ce3 |
| SHA256 | cd71a2f26bf7f24ebb5b35175b909b1c17e72ec9f8e1fdfcf99932b3df8cc917 |
| SHA512 | c83b54b8d1781826907af26ec48bc9ca82663b9180c3cfe1368ec46c1ff8e0eea1ca86670cb170493de736966672d10b1a54325a860520286a8882fd8be81cc0 |
C:\GalaxEN\dobxloc.exe
| MD5 | 6394c9ab66c0cffe9ee975d1b8d98b41 |
| SHA1 | efd0ab424aa8b7834ae23fe345955795264d9716 |
| SHA256 | ec6dab1b08d49b2d062367c83f6505e371c8299f3283590ae79aecbabc73985e |
| SHA512 | ff2e67a715918bc9fcc0875b36d4a14dae3ba92e022a28f26795745cc65acab9b8fd24a9f10f457af499019f51e6cbef6fcf3890fac2fad7e88683029795af02 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | f4bb72a5ca054a52314cc09a45984ca0 |
| SHA1 | 4a460107d1394a2725ab5d0c930f362e3ac4a5ea |
| SHA256 | 2e02b2917d4d834f12c8daf6b6d4c6cb5bf2596775ade1c4e2132398957c9be8 |
| SHA512 | 69f82a4ea9f7cd0d57742a871b6401c0cea3f6f827dc3089c44e343c6cb67c57dc2e5138a292e0531aed9f22b2518b5a813de9e6c13321044dafc918be1b1b6d |
C:\GalaxEN\dobxloc.exe
| MD5 | 6b6406ed9e6d5843d2725a1d8d50a949 |
| SHA1 | 41b550084effc9acb36cc583cdf7823222f6ef8c |
| SHA256 | dce14bf474eaaf5661c3f7f4fc256a8c5f96c9b7f4ee289e4041fc6ec16e7baa |
| SHA512 | 15e5e1d4583f0cf8db3ad08ec4bb668d362f2237dabf5bb38586456e41aed4ada9e3164a109f8b422910481b39a421b40a544bcfd894e86b7a2099b47f2d9d94 |