Analysis Overview
SHA256: 941f4e48b737449c86825809a5ae419a47f1fa55a0dd0a12920539f99fb9d987
Threat Level: Shows suspicious behavior
The file 941f4e48b737449c86825809a5ae419a47f1fa55a0dd0a12920539f99fb9d987 was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-06-04 00:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-04 00:21
Reported: 2024-06-04 00:23
Platform: win7-20240508-en
Max time kernel: 150s
Max time network: 123s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | C:\Users\Admin\AppData\Local\Temp\941f4e48b737449c86825809a5ae419a47f1fa55a0dd0a12920539f99fb9d987.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| N/A | N/A | C:\UserDotST\abodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\941f4e48b737449c86825809a5ae419a47f1fa55a0dd0a12920539f99fb9d987.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\941f4e48b737449c86825809a5ae419a47f1fa55a0dd0a12920539f99fb9d987.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotST\\abodloc.exe" | C:\Users\Admin\AppData\Local\Temp\941f4e48b737449c86825809a5ae419a47f1fa55a0dd0a12920539f99fb9d987.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax2D\\optidevloc.exe" | C:\Users\Admin\AppData\Local\Temp\941f4e48b737449c86825809a5ae419a47f1fa55a0dd0a12920539f99fb9d987.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\941f4e48b737449c86825809a5ae419a47f1fa55a0dd0a12920539f99fb9d987.exe
"C:\Users\Admin\AppData\Local\Temp\941f4e48b737449c86825809a5ae419a47f1fa55a0dd0a12920539f99fb9d987.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
C:\UserDotST\abodloc.exe
C:\UserDotST\abodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
| Hash | Value |
| --- | --- |
| MD5 | 8b979d17b1e31c0d9a6508dcaab6ea8e |
| SHA1 | 49ef3dfa7e35188a43387c5cf73372d46d6f4135 |
| SHA256 | 056ea282f20d6e328f17aa225b37109be19dbd5d701e99684101625a78129e46 |
| SHA512 | 0ae2d4163a510376b46806744bbaa17df57fc6a850c6a89067ace610ff990fa9bd6b41cf05130e8d6bf6029204e4b92b30a17a6d1d959e12cd31caf5d2daae9d |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | a4889691ed0a42d9f82e1d115ae6b0e4 |
| SHA1 | 0f7700dfbd856756ce5b06962356006f23deefab |
| SHA256 | 8f8ddaeb127bc861671cb51ffa5c23e080f53d455b0e2db7e874e4a3fef9915b |
| SHA512 | c4ee342bd97ccdb293f91eefabee641ec74db3b1ea9c483e94a43eda9485f325efe3f47f5d78d38d660bd7fd152f694b5ea519e2ccbd4661ffece6c6a9e137be |
C:\Galax2D\optidevloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 4b3bd2484fd59ba0473df68d0d7f8a1f |
| SHA1 | c4d7b4b3b65db233515e3684b773e4d6232040fd |
| SHA256 | 0620fef7d51d97a3d260a1b2b3acbef836002afa52a90f1a54a15a30e389d545 |
| SHA512 | 76f797e74f5e8a805b499623a079c61964682b4af238b288c56c388fbf7440b6c5e86d09970d8ba90bca853b4dd59144a1d1c961bbeae39cdf952b8077ff9504 |
C:\UserDotST\abodloc.exe
| Hash | Value |
| --- | --- |
| MD5 | fc5ef04b2995b69640cec1f071f7926f |
| SHA1 | 65b3d5c360f0f2a4f8a64992b021144b0bba4979 |
| SHA256 | ae4ed96b635fb8663aeddee18e3bddb7ce3581e9e2ac021bf2470b59fab93ed8 |
| SHA512 | afde463e64baccfefd830f183b113dab6634f699af9000d86cc28406ed78d5475ac918240ccd834abe6d4b16be5a08853293c60ce96be22c993ac02806f20308 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 3face50e47f9e3c9ede0355b9c722292 |
| SHA1 | 199bc25a99f8e984e6c6a307d8fced55d97fa37a |
| SHA256 | c4e6a0742c97caca46c1d4a94e51d0a8af368ffa309b18872644a7aaa0797e91 |
| SHA512 | 555e4efd9f2566f19f80f3453cd790e1b7fa7327f00f35380848a0a24cac998d5efb75a11fa8f4f2fefe7df8569fa47e15a120671cddd44d7591a1953933780d |
C:\Galax2D\optidevloc.exe
| Hash | Value |
| --- | --- |
| MD5 | dbf5aa1f644df3c27d8bbc36e1056871 |
| SHA1 | 5e10f05c7a6a10c456b0be9b38c751a2967a9c5e |
| SHA256 | 75bcf13c8a274457f05112e09f702957a7f541c8760c10bc86d3a1ae77679793 |
| SHA512 | 9b132bca4ec19f898a62e5a53b74711a3c11fa3f71aa5cae5419be39ddc6d3738aaae75a3e35bbd01f2d09b9882aac11e1deedc2a8ed8b56fa05437fd1499fe7 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-04 00:21
Reported: 2024-06-04 00:23
Platform: win10v2004-20240426-en
Max time kernel: 149s
Max time network: 95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\941f4e48b737449c86825809a5ae419a47f1fa55a0dd0a12920539f99fb9d987.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\IntelprocLU\xdobec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocLU\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\941f4e48b737449c86825809a5ae419a47f1fa55a0dd0a12920539f99fb9d987.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidSM\\boddevec.exe" | C:\Users\Admin\AppData\Local\Temp\941f4e48b737449c86825809a5ae419a47f1fa55a0dd0a12920539f99fb9d987.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\941f4e48b737449c86825809a5ae419a47f1fa55a0dd0a12920539f99fb9d987.exe
"C:\Users\Admin\AppData\Local\Temp\941f4e48b737449c86825809a5ae419a47f1fa55a0dd0a12920539f99fb9d987.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
C:\IntelprocLU\xdobec.exe
C:\IntelprocLU\xdobec.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
| Hash | Value |
| --- | --- |
| MD5 | 7bf2693fc4fdfde66b4591558d3aa677 |
| SHA1 | e566a8f30ccbb0bb6cf112bf2b875fa6699663a1 |
| SHA256 | 05b48d595ead8521c2c83b2c11c1d81e9e89340bc4c5710697727a07c0f8c6e0 |
| SHA512 | 4683d2f911e254f040f699493c541669b37ae753595029a573f18737331a633dd1caa092e6a6de5509d3e7913952414d1efca44345f702f98f8204ce9b9ae9ce |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | aafa7fee2bb59dc0ce55ee513f88b478 |
| SHA1 | 6ae78a9fd8e5d7c70aed3c13ef42c6717dba1061 |
| SHA256 | c18c3adce63f260002cecb9158c2b10ffbae44e43f001b4a59c2bcbd9c60d9d3 |
| SHA512 | 78a15ff8ffda2e09aefe4bd6cdc29417a9b3dd12ad512333d1029189206cb0ad349fea1bc34b3a965bf76e4f9ad01d6251c396d939a7565da1cea13fe767c987 |
C:\IntelprocLU\xdobec.exe
| Hash | Value |
| --- | --- |
| MD5 | 21d1b072a29a047c71fac3560b291d30 |
| SHA1 | 2442c9ca6a5b801842bb2365dba5c4edf155aa70 |
| SHA256 | 5fbfb46ac0a8df68f1e3eb18a1541f240e6def6fb4272e98c534ad44085cca61 |
| SHA512 | 43dcc24288e69655683ebd33708f1565e1d3cffbee1cc6c08c51aa823ad9d6f5421a050c454165ab5c257a087d5d172000df41c9a805bc8baff9e34ceb080bcd |
C:\VidSM\boddevec.exe
| Hash | Value |
| --- | --- |
| MD5 | de66a531f652663acd0325e6864ac420 |
| SHA1 | 11216cbe2cde36541239374d7c820c7352499985 |
| SHA256 | 035fa7afe08564ea125d5e445dec01378a06e944a5d70ec1785a30020fe6fb50 |
| SHA512 | 43d01a2a141d40e67220516a5b6c63cf39cc6ccc85905022d91451a17b7f2136a36a9a25248ce0b33ed1e632b7d38b4c2ae326c1c40e12bc5439c00ad29f640a |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 43aba280b1b73087d79d41d255020359 |
| SHA1 | b9843dfeaeb783553c138930c85c61217ebdc146 |
| SHA256 | 3a50833dcab246ca8204789341a9573d07dcd93d312c8d6112f4e557330dc528 |
| SHA512 | 1ca2d1e5dac565f06de05001f941eb5790121c2352e9489c9a5a660317dfcbf0c3578e37cfb5f7d6ffed0b60191028c08abf642421511fe0b2d3ad7342b23fd7 |
C:\VidSM\boddevec.exe
| Hash | Value |
| --- | --- |
| MD5 | c0c52cabbe31afb25a784808c9597412 |
| SHA1 | 5d17e821e2b18c94868ced223dedf8698db09abe |
| SHA256 | 1e097d541f3dbd4e536e764264c02af2f40730ff5e74422f0c8c8260cce9cd34 |
| SHA512 | eda8f0f590c615d9aafb02f00203cd80689079628a3f4b17e332a4cd1a521b10d43747c1f73da77de127ec8458821d0e19dc67c980ba7fc25e16da18789c6c95 |