Analysis Overview
SHA256
fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f
Threat Level: Shows suspicious behavior
The file fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f was classified as: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:48
Reported
2024-06-03 05:51
Platform
win7-20240508-en
Max time kernel
150s
Max time network
121s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | C:\Users\Admin\AppData\Local\Temp\fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| N/A | N/A | C:\FilesFH\adobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesFH\\adobec.exe" | C:\Users\Admin\AppData\Local\Temp\fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ60\\dobdevsys.exe" | C:\Users\Admin\AppData\Local\Temp\fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe
"C:\Users\Admin\AppData\Local\Temp\fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
C:\FilesFH\adobec.exe
C:\FilesFH\adobec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
| Hash | Value |
| --- | --- |
| MD5 | e60c34b738f7dbe687dea40e058903e0 |
| SHA1 | 70f66efb012f70a63199c2e1ae69167636e6f2e3 |
| SHA256 | 54a0ad41cf068f46842fdf8ebde88d9c08115cc82b3398a7326253d0f4afd2f3 |
| SHA512 | fde0296b7d9a631a0bca2ab047035de2acb979d3d286e8d16bef56196d71447e9b57b82c87b8adc3e1b647bb9089ed1969d9308937cf9a3302d5d428744b25bd |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | c44daa244853508c30356194653b082a |
| SHA1 | 0192eed409e4656d33230ba8706975fc49ba7b75 |
| SHA256 | 35bbca254cb55e01a75be832772e46072d303e64e10e7403bd2eda2cbd246622 |
| SHA512 | c77beb7ba86a2016a49cbd89448f72544bbed5c309a52382d79d19e954ef302ab975c0f1e9e67a8a5b3a39be42c33edac5010e293d4bd466ca02dd0f1b7ea826 |
C:\FilesFH\adobec.exe
| Hash | Value |
| --- | --- |
| MD5 | a786ae78b0b320794c8b6c0788854ee7 |
| SHA1 | 2b42b61be6298fdc1539359f1bfafd9a7ac38bff |
| SHA256 | 8fabbdcff5729643532f7e17a56b1e2e7a940fb1b8e65ca7497f75c146b43e00 |
| SHA512 | 7395f4dbb416dadb92bdcf9691f7e26e00e872dc1694f81a4ccd7ca4a493a6f337446891c93ce7b97425ae643985d90c2e998da32055e4800e46d3af5533b70b |
C:\LabZ60\dobdevsys.exe
| Hash | Value |
| --- | --- |
| MD5 | c52b6394b49b47b3a025e0fa69f7a226 |
| SHA1 | cb6c9cf1aa784e2f40e207aa9613e7c044f45660 |
| SHA256 | fcfa93ed0f6bdee482ff7bd2f077fac8830d40e9d20fb5c03367fccf5ca3e577 |
| SHA512 | bb73af13ff364719f5f7e7c6c961084319462baad56e203f20ee104e31f554d58833f1bffdbc6dc5f5bf07f20d89b2294594a1b6b0985916b5e032ef8ba0d44d |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | e61139b6d7046f6473c20678d8854006 |
| SHA1 | 866905a1f4cb765e796c2b7da435156d29c9ad7d |
| SHA256 | c098686d150c2803216769eb1b5b40f335bb219fd00de203a38d4ef47c1f1996 |
| SHA512 | 74ce4ade0b6b126ce90da595ba241e6b0f0b3aeb8284cf021fe2dafbbfa9fc164c7342a99eb35658601c014e40a6aaac79c30d7d7390a58b29820e9633a17ee8 |
C:\LabZ60\dobdevsys.exe
| Hash | Value |
| --- | --- |
| MD5 | c5b73bb87dd9c7e91f48a42191d0ec6b |
| SHA1 | e50d1148e80aaf0a9c4bbeae334caa42d49115e2 |
| SHA256 | 6ef68426f1e6599f61fca185a0fdc3043a8b90b0191616c15dd4fd47a674dab4 |
| SHA512 | 24bbb3638ee625412aa7a39d837241eefc5cf7f19e021f39da819f7b79362a9c07aa6f0e533f396a343e7748753b23100221ddea677bc9c5abb3ac7d9ab09dde |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:48
Reported
2024-06-03 05:51
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
125s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | C:\Users\Admin\AppData\Local\Temp\fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| N/A | N/A | C:\SysDrv1L\devbodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxWQ\\dobxsys.exe" | C:\Users\Admin\AppData\Local\Temp\fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv1L\\devbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe
"C:\Users\Admin\AppData\Local\Temp\fb8c5b6de7cbeed8d9486834df05e148f2e340568bb6d7dbe98866d5dcc5ae7f.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
C:\SysDrv1L\devbodsys.exe
C:\SysDrv1L\devbodsys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
| Hash | Value |
| --- | --- |
| MD5 | 8b3c3cb4482f7c184aa863dd3a8ad92f |
| SHA1 | 781a19504af7146d2eb67684d134d9e24c930171 |
| SHA256 | 0bbc1e766da309291f531f5ec49902047fa748dcea6cb70d9a075e225d105d06 |
| SHA512 | 9f68588ccfef041a653ec6052625eb79f86ccad0d6eaa4d571df4d600bb362ec8a330a24895ce9842d0dd491f67792272cc5c446c85264b3436c923ac3576f57 |
C:\SysDrv1L\devbodsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 6adf2557121d022963847c4d052b3839 |
| SHA1 | 5835dd2d84590b7ab93b148cdb56fd196c97f69a |
| SHA256 | 6c33c3b035ed5f42eb41dadc06bee0a79ca9f98dd62f8feaa55f8badef6758dd |
| SHA512 | 646802a5af63609c3ffaa794512009dae5f31742b471047242692243fcb91885f5055b0c4b74b582a29ed1dc4265e4838a0e5d226b23f4d025e24bbd8ef29165 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 3c5d673db645641d66f1dbbd13033438 |
| SHA1 | 678b037fd28ca82745d67c36ce50eef43db39257 |
| SHA256 | c72d5278657434b515a753ff6e1a96eaf45b633e7e18586e4f7c312e20c3d4cf |
| SHA512 | 3d159058b70cad0cd3030e8541df9d4a38f249229691c8ecbc945542d021527a61929f64e710148a9dc69ea78ce812bde1a8be9e3a97b2611e12152559938261 |
C:\GalaxWQ\dobxsys.exe
| Hash | Value |
| --- | --- |
| MD5 | ca27d44cd5d4736c047eba3e92d9fdb7 |
| SHA1 | 2ecdc11965fdb7e273d47ee17cc5be439725c28c |
| SHA256 | 5ede62ec56b6f7ea781e4c128db6d8cc8abfbb97a2535ca9af953b96ca2cb888 |
| SHA512 | 9eece0d9d402965acb60af7a917ec2148355261b1568a9d6b2b3e4f8bcc0552a353e655b5bf24f8757dd6c64cacc9177cb903bd821cc0596c1aa1adb225f3343 |
C:\SysDrv1L\devbodsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 6550fd0a86d2b2d267e02efd18b52b93 |
| SHA1 | 45d726080abc4a022fae42c94c619cb233c10c69 |
| SHA256 | 6b77161625c6377cff9f4a5fe288c51b4a0c3a71a7b08c10d5e82a6ad0065b04 |
| SHA512 | 0e00c766cdbc07bc595f4f4a65669689f4f062f76a11857b5c89cf39ef60f225b3b0947129989bc568b3c200c949a7554c3149f1c9dbdb0c19e3710c6b881e58 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | a92e443b72e09a419c5f72c829b241f1 |
| SHA1 | 39c81643a999c63187aa67636af6dea2f36c99dd |
| SHA256 | 1804be3ab7fd4e9f25a1601588da133f7513e49759a2579b891d91ae75ec4944 |
| SHA512 | 6f33b81a91cdd835e1cbc31ea0c11c4e9a3ceec7708f19c15600939d003d13357923a872c09727166721ebac901d1b83fd7baa9995883436adbe4c342b5c995d |
C:\GalaxWQ\dobxsys.exe
| Hash | Value |
| --- | --- |
| MD5 | ad1d01504adfbf03d536e50e9aba7882 |
| SHA1 | ad47e3eb8effb3a1b046404c10c0f7766a214357 |
| SHA256 | 2d8e6c00323ac0eaf1a3279664a3fd9c7cdf37c814d4688657831d719d5bb097 |
| SHA512 | f9811a544c11e31db4962fd87c499fc1229991e2a36aaaa7824d0ad2017b6a120f92c9f8ca6213f85888808fae9ab6b6de369b1677ffa74f0daa9db308c22fed |