Analysis Overview
SHA256
b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c
Threat Level: Shows suspicious behavior
The file b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c was classified as: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-04 01:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-04 01:40
Reported
2024-06-04 01:43
Platform
win7-20240508-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | C:\Users\Admin\AppData\Local\Temp\b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | N/A |
| N/A | N/A | C:\SysDrvG8\adobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvG8\\adobec.exe" | C:\Users\Admin\AppData\Local\Temp\b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB84\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c.exe
"C:\Users\Admin\AppData\Local\Temp\b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
C:\SysDrvG8\adobec.exe
C:\SysDrvG8\adobec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
| Hash | Value |
| --- | --- |
| MD5 | fe8686c392b95dbcd651829dd843f69a |
| SHA1 | e74e3702ffc9a93d444429fbfda55926b0f7b037 |
| SHA256 | 9f46962c20fc8a01335ee0b0d793e276e4b03f196c5c88058bc932187e12af80 |
| SHA512 | a66ce2a0151c6cc5e26b2f773d52328cfb95844d3b5c6750b67b4d0f1b53c0b0210a575d0f68dccf17d91748bf063cb944824421ca78bdeb835c59d852203e5f |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 60c1dd32089c944620c893f9385c2974 |
| SHA1 | 91beaad23a5b4a23dbb3278afa4180f5eadef3c8 |
| SHA256 | bdbaebfac6e7c7a09c7e0a523aec9750e1a73391ea34035a59324b87efb43b1a |
| SHA512 | 510eb25f4af8ba468f176307f044295ad40afc54dabffa3fa2a0167dbd739ad83f3f888336796704687fd508088ca20cfcf53785d6e4078b70541abb7e6d77d5 |
C:\SysDrvG8\adobec.exe
| Hash | Value |
| --- | --- |
| MD5 | 9a850de66dc5881052d3985cff1595c5 |
| SHA1 | 0eab63ba20131b91d0940c558d9b9698b2762a4b |
| SHA256 | 2fdd05b6b95f444644c6d233141552a01becb24043e9f5494c0a8ad927d2ccde |
| SHA512 | 47240e84c21ddd92c026393a18f289c83716321504d2c9117b93ff411e5fbe720831134d1606711bf381cfac96d10a2f5e2d71e8fd99d4824080f04543d7b92c |
C:\KaVB84\dobdevec.exe
| Hash | Value |
| --- | --- |
| MD5 | 70aa8c198830a2b01c12da238efea175 |
| SHA1 | 0359588c88dff1aead5a9d5775eb458529dec140 |
| SHA256 | c64518595965efea82f4b83c62f1bf2e5f3b5d2e7c23350f5b546e873bd095f4 |
| SHA512 | 16fcd7786f20d642a6e9f45e91e5fff33bf7195314aa2957697ea3642e3baca60c59300d26d10305590337134f2f57b22a3189d9f032504336e1a08a99e05c79 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | e2893893f67d4902ff0ba08d013e1633 |
| SHA1 | ef8a23af61a5e57390a8d9217ebceefc5daf996d |
| SHA256 | 72325e0bfbe5593c0ad877e889430f303427ab36b94bd0766462e40308c4c7aa |
| SHA512 | 1cbcdc63366abb686e39d464dacca640d2a133f48d541e1d195fadf758deb9f3f0b88a2dfc65102eca2814af140c60d348849fa4f78bd1f93a50c836293c8ba8 |
C:\KaVB84\dobdevec.exe
| Hash | Value |
| --- | --- |
| MD5 | 3096be6033ee11a269658c9d93308c8c |
| SHA1 | 6415cc31eb30268b1d4ec5b0e94e499c973e62a8 |
| SHA256 | 95fc50e0196af9c373a0409002cbf4b53736d0f5e06b0c1817cd448726755539 |
| SHA512 | 77cec7d846cbb9b19801c29cf1799b0c45c7d81dd31fa2e659f975c0511ec34ef4b847a72c4af2ef3e7aebae29f12f2f5f953bec8bf41edc0d56ca2181305376 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-04 01:40
Reported
2024-06-04 01:43
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
98s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | C:\Users\Admin\AppData\Local\Temp\b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| N/A | N/A | C:\UserDotJU\xoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotJU\\xoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintW9\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c.exe
"C:\Users\Admin\AppData\Local\Temp\b04fb6b524af52c151a7ddce2dd82f0eb8074b4a3112aef6330e805ed2a8e17c.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
C:\UserDotJU\xoptiloc.exe
C:\UserDotJU\xoptiloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
| Hash | Value |
| --- | --- |
| MD5 | 6dd5c949df6af8bfc92edb5ad27b24d2 |
| SHA1 | 076e2659e11f886147e2247504d4df39ea828d14 |
| SHA256 | 1b4843c289cc5c72092881c90f3c9c24b0454331ea00893b078a0a2a75d9746b |
| SHA512 | 8c09c7640726a609615df18533e350852b038d067cd8bc23171ff0ec70b2f1653fa59d651b7536f93374d7d34affcabd9d0c5bb44fd792dcddd960a2e015b69b |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 829d79fd000ac76bbcd24287ecc59698 |
| SHA1 | 92c310424bcc924cf86ee9cf68a70b30ccc70ec5 |
| SHA256 | dfefdc6e9c9b16c327755dec15d06909021f1ac71f022f4e439eb4ca93a25946 |
| SHA512 | f7802ea43f1f14e8e8e9fe3015b0960224897204a10adc421790da032ecd8594ac5d83db1567bf3a1f63efc7f2d1cdcaa80de8704b889d753911ac15cf17db29 |
C:\UserDotJU\xoptiloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 32afced78b14af7cdf52a84d87e53130 |
| SHA1 | 20a4e5b24a54023b039ef01fb1fd23aba0d6c0be |
| SHA256 | 426c0127251d2eb68475c9cedecf8b2165806723ba3441dd30da9ea1da9ae091 |
| SHA512 | a36dfae207fad157d45948162fef6218c5305841dba97ff91bfa5316c4a7a450c6781b8c5f38271c4214536708f9e7b9d74d67fcb281e75f527b0aae7d2195b2 |
C:\MintW9\bodaloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 900328aba977742ff8979a480c976e1c |
| SHA1 | 6fce4494a007f4cf785463f9b16db49906c718c0 |
| SHA256 | c099000a867b40de60302dab0c1509439c2d73788d41b2f9c9ed870292a955c6 |
| SHA512 | d5c14f1104ad4d12747430cecd19745e63fa885ba3e7c59fdcae0f731d5e3f247465d448c70a31e061ed416b1f117d2dc09a66aeb025a0e37ab70a8a3a7b32c6 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 593361f96bec857f1779812bc11ef966 |
| SHA1 | 8249d6a1f4f4ae36bec433086df80992564bdcb5 |
| SHA256 | 5a5ed51b32c58293a73307033fba5091b46f273e056f7857b5ddb8ab3556ec8e |
| SHA512 | 2ac57965afd1189862db29c9990aa99ac3584acde6b145806a9e295d694aa5ea353b6a95fc0045288c5ae9da9c405ea2d038fc63ac37e29b9d8bcdd67cbdda09 |
C:\MintW9\bodaloc.exe
| Hash | Value |
| --- | --- |
| MD5 | cb27200c9346b5193c3133ea3b4c4894 |
| SHA1 | 6aacb4723733ccca36fd90ea7ee68785dbb2da47 |
| SHA256 | 20e1b7e844c1a51d0a3c41b95be721834be011330f5da8152a7cbe2454edc1b2 |
| SHA512 | 2ee840857c7fbc5ce4992692c7435770dbe083be24a5a000a1c5dd8685647a2c20ae5e5a030b955b15e9ddfc3dbbaadf11c4908d397cfad997c5b73b8734c89f |