Analysis Overview
SHA256
df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4
Threat Level: Shows suspicious behavior
The file df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N was assigned the verdict: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-26 04:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-26 04:37
Reported
2024-10-26 04:40
Platform
win7-20241010-en
Max time kernel
119s
Max time network
18s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\AdobeME\xdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeME\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZWA\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeME\xdobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe
"C:\Users\Admin\AppData\Local\Temp\df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
C:\AdobeME\xdobsys.exe
C:\AdobeME\xdobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
| MD5 | 3c3e3a5b6bd052d4bcf1561f6a194148 |
| SHA1 | 1a4be5cee2f4ec045a11d475f46dcf103ddc595a |
| SHA256 | 4efdfe152139003f07a30de795b0e76e3699a5b332ed3aa6bf187b95c655bae8 |
| SHA512 | 9ba397e8b9f32312f93cfe44319345a238357faefe273dc081a40fb900098581daac834243bc00b15f0ebcc7c115d8a365f92408ca639569be3555e041b025c2 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 3d1469a357d788b44132488f5bd36995 |
| SHA1 | 6b5efe735b5e3aea4dc28bbc8bcd73dc6bdae3b1 |
| SHA256 | 6d9544e1a5e1103c69a1182712759b4e0d5fbe45252d7714754e31a9294ce154 |
| SHA512 | 06fbe473ea090dcd2cfad9dd3be2dc103a4d9fe978215b127a4464e4d46c1811f4f934992e83f8e15d252022b1c76f2757c14e6a3fea3153a27237bdb3605ea5 |
C:\AdobeME\xdobsys.exe
| MD5 | 69dee9b0499519eb49a78f78c6ffd5d9 |
| SHA1 | 59edd61b2d48db78a1c15102ae134e8efa60f37a |
| SHA256 | 7fd98ab0bd7b37193b7daf6fd688f554195547124f7cb5bdee95cb9709fc88fe |
| SHA512 | 218cf1d5b63edac196b431c1498d31f6a942dd0da8ca0eb3a8146f35759b2a11b41c56bf51e5eeca24584af5c08f12d8aa079e9bca4bc18ce2863fa18d9792b6 |
C:\LabZWA\optidevsys.exe
| MD5 | 1575cfb4f611d2785a974b7170114e7d |
| SHA1 | 350d5d3135fb1c2ac32c52812ea3202f298dd9ac |
| SHA256 | 4d9c304ed16316b6dcc75f053392cb37eac472bcd86bf9cfd86129c5aade1eca |
| SHA512 | 46449ee439d1be25f7faf459f220b885218c504bd8494d9e2fb274225f98bbffe1a420186388f7a5ed037e9954a8c7c3cdb6793ccaeeaf448c541391e090bb37 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 45d30f1d988caae27135b5e45e18eb29 |
| SHA1 | a640fb336e0498eb66b4b58fb22e3b8a48dfdc56 |
| SHA256 | 819e1fe703ba024f672dbf2e6b164ca0cdcfff7604d35ce62239aa5b3917c822 |
| SHA512 | e0eda8155aa264c87891b1fdaf0cb1ee8150e6f323ca81cf42785d434b3f1291137b7fd69691e52fb6993356a6911c32bc3ba1c2240a058bde58ef48f65ae38f |
C:\LabZWA\optidevsys.exe
| MD5 | 883b5aba3589da711279e73b00e6a253 |
| SHA1 | 0d51181257eae531f9d61ef1ac1a3e8b92a9b611 |
| SHA256 | f54909b6f2c4b2f8247629452d31fd68550375dc0fa6484c899dc46e26afeb43 |
| SHA512 | 1d9490015d640e63bab6d48722cabd2db524f6d87c2378b83cd314d6193113ab8577463ef25bf46adac4ac446ce2f4e834be62c3ca6df361d21b3eeb5269d551 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-26 04:37
Reported
2024-10-26 04:40
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
98s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | C:\Users\Admin\AppData\Local\Temp\df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| N/A | N/A | C:\SysDrvFT\devoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxPJ\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvFT\\devoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvFT\devoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe
"C:\Users\Admin\AppData\Local\Temp\df25f1a84e02dc5fa9f38002dd187c7bdd24709992046e10f97bd4e1d2aecec4N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
C:\SysDrvFT\devoptiloc.exe
C:\SysDrvFT\devoptiloc.exe
Network
Only DNS to 8.8.8.8 (reverse lookups and bing.com names) and HTTPS to the 150.171.27.10 / 150.171.28.10 bing.com hosts were recorded in this run; no other destination appears in the capture.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
| MD5 | 43cd4bc776276a934a84107dda664c37 |
| SHA1 | 3c28aa5f0c13642db1b85ab016d3d675b71d52b2 |
| SHA256 | 2d935c69b3eef3171680e2860159f24ce81d35a73f7ef2c32e99e810b6fa4e1f |
| SHA512 | 27eb8169b5e82da043a77f160f2dff0f414dfa661389e41824cea38679519c6a7d1c54f4d6ad07e46e3ae540f2e6440e1fc2e987700a5f11c289a3489b4e54cf |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | c87521cac59dc8636cdaceeffff57f95 |
| SHA1 | 2e9d96cacfcac9068bee7f9761441290e3dd6836 |
| SHA256 | c954ce24cce760a33ff026afd004f993a89830cee13044408dce1794cedb25b1 |
| SHA512 | ab8cf815f9c6d8342631276772c59fbfd1fc5408b6bf4ae17f4199351874b229b75073ee44fd0df673223c853d9e7c3d5b504f42e8075b87abba9fa4d6134642 |
C:\SysDrvFT\devoptiloc.exe
| MD5 | f1439ca7f62955cea0a11fb3ce1eaa2c |
| SHA1 | cfb70a8e67e3d23f56cbe694845f9a4b76dd760d |
| SHA256 | bc80fa3fac51184be5787fdaea266bbd8ee08aa558cc39b8c48e1425216c8a04 |
| SHA512 | 2a1d04e77067180777cd68f50594e7e3d3041bdc9e5a15f443d071cd993a2fa0405e00a950fbca2c1e539ec41f43dd24d8e7873cfb672681ea6f7fd6d71c271c |
C:\GalaxPJ\dobdevloc.exe
| MD5 | 580adcb785f4c9d7fa7af2eba4b73288 |
| SHA1 | dd1446e035ff646b25159a1b9d6352cb8c78ba4f |
| SHA256 | dc1206cf447efdadc029458d8426a799fd9feba020da4e33b840485a8ac234f2 |
| SHA512 | 32c1ad509780ee27dfae40a19188dd3d2995e4b59e9151c0a8fc426b29ec0c5f9cd1d4342b7de6a18704d08cf16f3e176729725c0943e9370c7ad3960b60aebd |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | aab39225ae2a555248e3e417c63940f4 |
| SHA1 | 5789edae92c854e555ba4771dd9e2fa6faac1e0d |
| SHA256 | 5c4544f0db351afc886a361cae7c5e185a1f1b51833c2787513b2078519608c6 |
| SHA512 | 371d675b2aaff18181d6750ce6cc273a55d8737ec08216cf19953c21bb736c31567d055d98e7d010afc5dc8f0327ad1782aa6170e2b966af8d65195dd9d662c7 |
C:\GalaxPJ\dobdevloc.exe
| MD5 | d5c473000255f9842b989abcac1069e8 |
| SHA1 | ec9b07cc872b4bef88dda00e1ea7808736a3fd9c |
| SHA256 | 06e9caa7ae9ae632c13d0c646aaa1fe655dfebea8158ad82821d37df90eb6e19 |
| SHA512 | 65908aad2838a2af4c331d82a66f17997002c817506f27afe57c82336b3438c53df3bee857c048686efc5ecb1706f74f558b588119cb2fd653f18671e78898e5 |
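The two detonations differ in every dropped file name and directory (locadob/locxbod, AdobeME/SysDrvFT, LabZWA/GalaxPJ) but agree on the shape of the persistence: an EXE copied to the per-user Startup folder, Run and RunOnce values both named Parametr pointing at an EXE in a short-named directory directly under C:\, and a marker file <digits>_<OS version>_<user>.ini in the profile root (6.1 on the Windows 7 VM, 10.0 on the Windows 10 VM). The Python below is an added example, not part of this report or of the sandbox's own signature logic; it encodes those invariants as hunting rules and runs them over constructed event records that mirror the behavioral1 indicators plus two benign entries. The event dictionary shape, the rule names and the size bounds in the regexes are assumptions.

```python
"""Hunt for the persistence pattern documented in the report above.

Added example, not sandbox output. Input is a list of constructed event
records of the form {"type": "reg_set", "key": ..., "data": ...} or
{"type": "file_create", "path": ...}; in practice these would be built
from EDR telemetry or a registry/filesystem export.
"""
import re
from collections import Counter

# Autostart keys written in both runs (compared case-insensitively: one run
# logs "Software", the other "SOFTWARE").
RUN_KEY_SUFFIXES = (r"\currentversion\run", r"\currentversion\runonce")
# Value name that stayed constant across runs while every path changed.
RUN_VALUE_NAME = "parametr"
# Per-user Startup folder the first stage dropped an EXE into.
STARTUP_SUFFIX = r"\appdata\roaming\microsoft\windows\start menu\programs\startup"
# <drive>:\<short alphabetic dir>\<short name>.exe, e.g. C:\AdobeME\xdobsys.exe
# (length bounds are an assumption based on the four names in the report).
ROOT_DIR_EXE = re.compile(r"^[a-z]:\\[a-z]{4,10}\\[a-z]{5,12}\.exe$", re.I)
# <digits>_<os major.minor>_<user>.ini in the profile root; the user name in
# the file name must equal the profile directory name (Admin in the report).
MARKER_INI = re.compile(r"^[a-z]:\\users\\([^\\]+)\\\d{6,}_\d+\.\d+_\1\.ini$", re.I)


def _norm_reg_data(data: str) -> str:
    # The report prints string values quoted and with doubled backslashes.
    return data.strip('"').replace("\\\\", "\\")


def check_reg_set(key: str, data: str) -> list[tuple[str, str]]:
    """Rules for a registry value write; returns (rule_id, detail) pairs."""
    parent, _, name = key.rpartition("\\")
    if not parent.lower().endswith(RUN_KEY_SUFFIXES):
        return []
    target = _norm_reg_data(data)
    hits = []
    if name.lower() == RUN_VALUE_NAME:
        hits.append(("autostart_value_parametr", f"{name} = {target}"))
    if ROOT_DIR_EXE.match(target):
        hits.append(("autostart_root_dir_exe", target))
    return hits


def check_file_create(path: str) -> list[tuple[str, str]]:
    """Rules for a file creation; returns (rule_id, detail) pairs."""
    parent, _, name = path.rpartition("\\")
    hits = []
    if parent.lower().endswith(STARTUP_SUFFIX) and name.lower().endswith(".exe"):
        hits.append(("startup_folder_drop", path))
    if MARKER_INI.match(path):
        hits.append(("marker_ini", path))
    return hits


def hunt(events) -> list[tuple[str, str]]:
    hits = []
    for ev in events:
        if ev["type"] == "reg_set":
            hits.extend(check_reg_set(ev["key"], ev["data"]))
        elif ev["type"] == "file_create":
            hits.extend(check_file_create(ev["path"]))
    return hits


def summarize(events) -> dict[str, int]:
    """Count of hits per rule; an empty dict means nothing matched."""
    return dict(Counter(rule for rule, _ in hunt(events)))


# Constructed records: the behavioral1 indicators from the report plus two
# benign entries that must not fire.
SAMPLE_EVENTS = [
    {"type": "reg_set",
     "key": r"\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "data": r'"C:\\AdobeME\\xdobsys.exe"'},
    {"type": "reg_set",
     "key": r"\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "data": r'"C:\\LabZWA\\optidevsys.exe"'},
    {"type": "file_create",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"},
    {"type": "file_create", "path": r"C:\Users\Admin\253086396416_6.1_Admin.ini"},
    # benign (constructed): a normal per-user Run entry and an ordinary file
    {"type": "reg_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"type": "file_create", "path": r"C:\Users\Admin\Documents\report.docx"},
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:26} {detail}")
```

The Parametr value name and the marker-file shape are the stable indicators; the directory and file names are regenerated per run, so the Files hashes above are only useful for matching these exact drops, not for finding other runs of the same sample.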