Analysis Overview
SHA256
418475080feaec7ce594333fd94450c46fe66cb88f9aafc2a7d81b7583215f91
Threat Level: Shows suspicious behavior
The file 418475080feaec7ce594333fd94450c46fe66cb88f9aafc2a7d81b7583215f91N was classified as: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Drops startup file
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-26 05:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-26 05:40
Reported
2024-10-26 05:42
Platform
win7-20240903-en
Max time kernel
119s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | C:\Users\Admin\AppData\Local\Temp\418475080feaec7ce594333fd94450c46fe66cb88f9aafc2a7d81b7583215f91N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| N/A | N/A | C:\SysDrvY0\abodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\418475080feaec7ce594333fd94450c46fe66cb88f9aafc2a7d81b7583215f91N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\418475080feaec7ce594333fd94450c46fe66cb88f9aafc2a7d81b7583215f91N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBTZ\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\418475080feaec7ce594333fd94450c46fe66cb88f9aafc2a7d81b7583215f91N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvY0\\abodloc.exe" | C:\Users\Admin\AppData\Local\Temp\418475080feaec7ce594333fd94450c46fe66cb88f9aafc2a7d81b7583215f91N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvY0\abodloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\418475080feaec7ce594333fd94450c46fe66cb88f9aafc2a7d81b7583215f91N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\418475080feaec7ce594333fd94450c46fe66cb88f9aafc2a7d81b7583215f91N.exe
"C:\Users\Admin\AppData\Local\Temp\418475080feaec7ce594333fd94450c46fe66cb88f9aafc2a7d81b7583215f91N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
C:\SysDrvY0\abodloc.exe
C:\SysDrvY0\abodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
| MD5 | 328c971d9b168c378ef866c32141d8b8 |
| SHA1 | e106574f6711b2b0f7c0704e740862eec986adef |
| SHA256 | 24f2f59cc94ddf4b5b27835fb10588b0b529fc304867883758ddf3a44134a1dd |
| SHA512 | c8363ddfbec1c4a26d891f340e76c63b5a8fe5655e2263adada527ee6d731e5606b433bbee892eabdf3c7dc011db5b7ffd5def5e8eb359d66f2bb19a599acdde |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 39761de07e100f33ef699cd2346af760 |
| SHA1 | 2928809862e8b403aab49d8f2a7dd1c7510a99c0 |
| SHA256 | 754dc38212d9c7303ae758695dc659124570b538a09e3952c59e6faddd5a43c2 |
| SHA512 | ff94dee7d984a2e5b2ed52da942bb84892855d688be3bc0a68ed8dc8804d501abe39b0b56b4bafc99bf6b021e67f13c1fd2be1bb2445d27b59c0d21966c37b6d |
C:\SysDrvY0\abodloc.exe
| MD5 | 042ffa9cfdd4a74cdbea9b85d9b82133 |
| SHA1 | b8cb10699f83ecc9455d9ab3cb745b2076139dd5 |
| SHA256 | 467ed62cd63e24376f763362754ac5130507549eef3df887ebbbade2c02d7020 |
| SHA512 | adb2bfeb67ba3ef000d7425a72f228e4d50c5b475411f3c7520a77e5f58947fdb90532f6932e4cb448d43f81678a63a581614e392299a68e6a280e8d1a3fa365 |
C:\KaVBTZ\dobdevec.exe
| MD5 | a047b7de2d7b23eab2e2a17f684e4c22 |
| SHA1 | ca0a02df2c95dd2e3dc512cda9efbe0aa2c32cc5 |
| SHA256 | 49109c118966811dc419752e968db2499afba86a7140e93614c9f1947c305b9f |
| SHA512 | f07840f80a0d288002b3bb57552feb4e278c9ad4aadf9e609643450673c35f41d5547ad281dc08072a5aa39084d8281a311324a0714562f91718a2dd66f33a45 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | b34f824e2bead0184c4f29becc8d1cb0 |
| SHA1 | 0596f07105d7d41ba12dc7516676c2c26b487f26 |
| SHA256 | 01473298137c2260ecffe325ecd129019940b2ca13a20975ef8a7f3a74686519 |
| SHA512 | 24d83501a1de4845f15b35b5af48d422eef80472a339b67d242fe9bb907bdd444986577dc3f66369287f79124162ab1456e30aeeb6bc59edc8aea34f9643cd89 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-26 05:40
Reported
2024-10-26 05:42
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
102s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | C:\Users\Admin\AppData\Local\Temp\418475080feaec7ce594333fd94450c46fe66cb88f9aafc2a7d81b7583215f91N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| N/A | N/A | C:\UserDotLM\devbodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotLM\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\418475080feaec7ce594333fd94450c46fe66cb88f9aafc2a7d81b7583215f91N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintBJ\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\418475080feaec7ce594333fd94450c46fe66cb88f9aafc2a7d81b7583215f91N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotLM\devbodloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\418475080feaec7ce594333fd94450c46fe66cb88f9aafc2a7d81b7583215f91N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\418475080feaec7ce594333fd94450c46fe66cb88f9aafc2a7d81b7583215f91N.exe
"C:\Users\Admin\AppData\Local\Temp\418475080feaec7ce594333fd94450c46fe66cb88f9aafc2a7d81b7583215f91N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
C:\UserDotLM\devbodloc.exe
C:\UserDotLM\devbodloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
| MD5 | 7d55c521ea1b6b5e45bd471636936b90 |
| SHA1 | a5afdc1a575219c6ae439ac3fca70b4aa915da15 |
| SHA256 | 9bfc6dc8db88d3d7e5f535b0d2b3160345669bbaa1186b36a9311afb9932d1ad |
| SHA512 | 7fd4037703217a6319401864d28b70fc966c66eda8e6702eda303e50c91b6902616f518aa02a9ac256e9bdee9efa1b92d9e47539ecb94277105adb41f17db72c |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 1f082a7402ff8173909d0b10e0220991 |
| SHA1 | f60a8073f749f5e3bdaf8b106b307881ffd8dd35 |
| SHA256 | ee14e8446aa0a4fc00f6766275a9b35f418f1b0802c9038569e43e87c1e16454 |
| SHA512 | 824aeb9927da00b004f5129aa4edecc8d8ff33de166f4e7e7993ea65280e6f0034263fca5fb08f2e16ed8af0011c1a76233698da8b1c44cdeaadcaab8ea7277c |
C:\UserDotLM\devbodloc.exe
| MD5 | 5cc1a59021c54a5eecae3ec2dab4f77e |
| SHA1 | 949f0a0e0f52e99db82de7546ff505fe95336bcc |
| SHA256 | 25e2f6a769f669a621b684da1dc17313fda44134fdddb08c161165bb7ac986cd |
| SHA512 | 78bf5983aa31d9180384362c4992e4faf66263c44a006d9a28aa2d79bea0365b8fee587ef06b1d5fee97183d4c813f9f6ecb5f879b43531261596af0b58370cd |
C:\MintBJ\optidevsys.exe
| MD5 | c26d2119cfdfe0504f58ec471758c223 |
| SHA1 | af20671bc8856ff397b933a04e2a2af766515a19 |
| SHA256 | 263d802de98a35222503282d3dfe2620182af962fb18c0179a4dd8209ae76e07 |
| SHA512 | 552fe21f74ef3e08270998179cc02644e06d0b77c41629c91c27d82e6750e82f83b7ce56f7690f6eb9b36b4e9210ecd46e8b06b21d9468ed21fe217359eb2f8b |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | a6e9f6d54c53eff01ed2707bdf80cbb4 |
| SHA1 | 44a1efdcd1f0c7d6c5f1f8132ae288ca3b1839cb |
| SHA256 | 203e49bdf2e045931217b05e9fd9d2c9b6472871082f4660268d56e2174b5720 |
| SHA512 | e9142e83a8df494dec85176658d74d84351db8c134f7a8f6a358ffbe38fe623aace33d9205780bfe4bdb63e85440bb04055a67a6b0575f4cc4d7ddd241dda5d3 |
C:\MintBJ\optidevsys.exe
| MD5 | 9fa6980b9576768fd58aa755076063e1 |
| SHA1 | 7db05e0e4b7ddf46188b39c8ad9762d8b14837ed |
| SHA256 | 20a1ef6fd18a661f5d0f241402257d5f7b64d24106e7b8501878e350156eb806 |
| SHA512 | f57e372e7084ec2cbd400b7ee6be24cd2073cebe884dbd42e96e718703d1c4bbd1983b5a8b77ceaa6f55f2eac2d8be5dad4edd1ebf5d28fe9dc0b89cd2b6644e |