Analysis Overview
SHA256: 39337bdc85b60e2b1328ca831b2047a0178995283e86433417b6cb703924bdf2
Threat Level: Shows suspicious behavior
The file 39337bdc85b60e2b1328ca831b2047a0178995283e86433417b6cb703924bdf2 was classified as showing suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-10-27 21:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-10-27 21:54
Reported: 2024-10-27 21:57
Platform: win7-20241010-en
Max time kernel: 150s
Max time network: 19s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | C:\Users\Admin\AppData\Local\Temp\39337bdc85b60e2b1328ca831b2047a0178995283e86433417b6cb703924bdf2.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| N/A | N/A | C:\UserDotNK\adobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39337bdc85b60e2b1328ca831b2047a0178995283e86433417b6cb703924bdf2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39337bdc85b60e2b1328ca831b2047a0178995283e86433417b6cb703924bdf2.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotNK\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\39337bdc85b60e2b1328ca831b2047a0178995283e86433417b6cb703924bdf2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ7F\\optixloc.exe" | C:\Users\Admin\AppData\Local\Temp\39337bdc85b60e2b1328ca831b2047a0178995283e86433417b6cb703924bdf2.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\39337bdc85b60e2b1328ca831b2047a0178995283e86433417b6cb703924bdf2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotNK\adobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\39337bdc85b60e2b1328ca831b2047a0178995283e86433417b6cb703924bdf2.exe | "C:\Users\Admin\AppData\Local\Temp\39337bdc85b60e2b1328ca831b2047a0178995283e86433417b6cb703924bdf2.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe" |
| C:\UserDotNK\adobloc.exe | C:\UserDotNK\adobloc.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
| MD5 | 78414330185f7406b9bdb1a9f5d4b536 |
| SHA1 | 1c45e1b3075816fac4b996a02753b55a9531223a |
| SHA256 | 6f011d50fa992fa385085066fe74750740876648f57e87b973ebc5cec91d594c |
| SHA512 | afefc30ac5b57444a59adc6daf7d1a833a86200d914ed660c874f3fa52868af628943a30fe96f214b1d149b0fa421117cbcd078f747f763788c83b948039531f |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | d3f8ecbff0e4e9b2d6b6f7c8cf1d1867 |
| SHA1 | 9fcddb81067318f08f81235a408ce498116c4f9e |
| SHA256 | 5b7f6ac5b408d73abffa46fdc3b76ea0f133c3b316b958ec44734d492fb29de8 |
| SHA512 | 7c57a378e3c8d369be78752ecfd88f097017e48ef090993b605fadc9f5acfd2539fd9d40c585dc8105d5c6ad52e823e0759a096cdd5a0e90492c8a154ad6098d |
C:\UserDotNK\adobloc.exe
| MD5 | 79614f334286685a32eb0c5ef6224022 |
| SHA1 | 6f875074c09ab863c021b9f47ec73e20d6996bb6 |
| SHA256 | 285e94d399a6a9318af38fbadc6dec91f4798ae9f46cf2a78c082bf892486d93 |
| SHA512 | 5d6809eb7f0645496330ce34f4b84c11ffa361c47ce211f8b7a9fc78ae406e34987869a0dc1c00b3a91de8a4d8f0e4728e6b97c3f32ea1b2fb2366acd103a34e |
C:\LabZ7F\optixloc.exe
| MD5 | 421787342b5c25ea8b431dfafdfef693 |
| SHA1 | 3efa428bc86561ce20e62870f08d1fa23c29a3fd |
| SHA256 | 5caf5e44aa8e6ae6cfbde12e56d7ab35ab3a82d7a935f40fb136dddc7c81d9a7 |
| SHA512 | 857c7c1d9f5f31a1d141e16daae8d2c5307d14cbac94b054c031526ee08e68cf2d86e1ccbdc057ea4ae6045828db57ac4707e88147dad9e316e89362d1b24ae9 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 27406e538d441c4c3e489f473715aa33 |
| SHA1 | 2fe2be9f022373f9d40cb8a2436090f1174120d3 |
| SHA256 | 3302eda6afe0bd68926fc10826c791af58b1a52b13c927ba7d7c9571f0532771 |
| SHA512 | 5a2724da90760721b30d0a11cb6404aaa0bfb4232d3e156e3831703fec9822ad2af5199d86601e9d4e52ca8051e447fe4cb6c6a5b7be53e299469c7ef8905ee1 |
C:\LabZ7F\optixloc.exe
| MD5 | 3e992c0ce2fa9ed9489791945aabc527 |
| SHA1 | 7f70b8602d2532a1b6a86ce2d07cc9afd93a5092 |
| SHA256 | 9d2c73e2cc86ccec9db4fda94d7ab497487489404659557c93eded9f374e4ffb |
| SHA512 | a08d30a0515cb13be336814375da9efc26e5ad062638e7f2c3adfabcf2c9a85baea0cf655115f4597239d666a5f613e84c939345a42ee44c5db27e98b37d4184 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-10-27 21:54
Reported: 2024-10-27 21:57
Platform: win10v2004-20241007-en
Max time kernel: 150s
Max time network: 157s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | C:\Users\Admin\AppData\Local\Temp\39337bdc85b60e2b1328ca831b2047a0178995283e86433417b6cb703924bdf2.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| N/A | N/A | C:\FilesPT\devoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesPT\\devoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\39337bdc85b60e2b1328ca831b2047a0178995283e86433417b6cb703924bdf2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB1J\\optixloc.exe" | C:\Users\Admin\AppData\Local\Temp\39337bdc85b60e2b1328ca831b2047a0178995283e86433417b6cb703924bdf2.exe | N/A |
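Across both detonations the Run and RunOnce entries share one stable detail, the value name `Parametr`, while every drop directory (`C:\UserDotNK`, `C:\LabZ7F`, `C:\FilesPT`, `C:\KaVB1J`) and most of the file names change from run to run. The Python below is an added example, not part of the sandbox output or of the sample: it parses the indicator rows (copied from the "Drops startup file" and "Adds Run key" tables of behavioral1 and behavioral2), rewrites the kernel-object form `\REGISTRY\USER\<SID>\...` to `HKCU\...`, undoes the doubled backslashes in the value data, and separates the stable pivot from the randomized ones. The ATT&CK ID T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder) is added here from the Enterprise matrix; the report lists no technique IDs.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# (description, indicator) rows copied from the behavioral1 (win7) and behavioral2
# (win10) signature tables above, plus one "Key opened" row to show that
# non-autostart registry activity is ignored.
REPORT_ROWS: List[Tuple[str, str]] = [
    ("File created",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"),
    ("Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotNK\\adobloc.exe"'),
    ("Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ7F\\optixloc.exe"'),
    ("Key opened",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    ("File created",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"),
    ("Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesPT\\devoptisys.exe"'),
    ("Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB1J\\optixloc.exe"'),
]

# The report prints registry paths as kernel object names; hunting tools use hive aliases.
USER_HIVE_RE = re.compile(r"^\\REGISTRY\\USER\\(S-1-5-21(?:-\d+){4})\\", re.IGNORECASE)
MACHINE_HIVE = "\\REGISTRY\\MACHINE\\"
# <key>\<value name> = "<data>"; the data keeps the report's doubled backslashes.
AUTORUN_RE = re.compile(
    r'^(?P<key>HKCU\\.*\\CurrentVersion\\(?P<subkey>Run|RunOnce))\\(?P<name>[^\\ ]+) = "(?P<data>.*)"$',
    re.IGNORECASE,
)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class PersistenceIOC:
    technique: str             # ATT&CK sub-technique ID (added here, not from the report)
    mechanism: str             # "Run", "RunOnce" or "StartupFolder"
    location: str              # registry key or folder the entry lives in
    value_name: Optional[str]  # registry value name, None for Startup-folder drops
    target: str                # executable launched at the next logon


def normalize_registry_path(path: str) -> Tuple[str, Optional[str]]:
    """Rewrite \\REGISTRY\\USER\\<SID>\\... to HKCU\\... and \\REGISTRY\\MACHINE\\...
    to HKLM\\...; returns (normalized path, user SID or None)."""
    m = USER_HIVE_RE.match(path)
    if m:
        return "HKCU\\" + path[m.end():], m.group(1)
    if path.upper().startswith(MACHINE_HIVE.upper()):
        return "HKLM\\" + path[len(MACHINE_HIVE):], None
    return path, None


def extract_persistence(rows: List[Tuple[str, str]]) -> List[PersistenceIOC]:
    """Turn (description, indicator) rows into T1547.001 persistence records."""
    iocs: List[PersistenceIOC] = []
    for description, indicator in rows:
        if description.startswith("Set value"):
            normalized, _sid = normalize_registry_path(indicator)
            m = AUTORUN_RE.match(normalized)
            if m:  # Set value rows under other keys are not autostart entries
                iocs.append(PersistenceIOC(
                    "T1547.001", m.group("subkey"), m.group("key"), m.group("name"),
                    m.group("data").replace("\\\\", "\\"),  # undo the report's escaping
                ))
        elif description == "File created" and STARTUP_RE.search(indicator):
            folder, _exe = indicator.rsplit("\\", 1)
            iocs.append(PersistenceIOC("T1547.001", "StartupFolder", folder, None, indicator))
    return iocs


def hunt_pivots(iocs: List[PersistenceIOC]) -> dict:
    """Split what is stable across both detonations (the value name) from what is
    randomized per run (drop directories and file names)."""
    return {
        "value_names": sorted({i.value_name for i in iocs if i.value_name}),
        "autostart_targets": sorted({i.target for i in iocs}),
        "drop_dirs": sorted({i.target.rsplit("\\", 1)[0] for i in iocs if i.mechanism != "StartupFolder"}),
    }


if __name__ == "__main__":
    found = extract_persistence(REPORT_ROWS)
    for ioc in found:
        print(f"{ioc.technique} {ioc.mechanism:<13} {ioc.location} -> {ioc.target}")
    print(hunt_pivots(found))
```

On a live host the same records translate directly into a hunt: query `HKCU\...\CurrentVersion\Run` and `RunOnce` for a value named `Parametr` whose data points outside `Program Files`, and list unsigned executables in the per-user Startup folder. The directory names are worthless as long-lived indicators because they differ between the two runs of the same sample.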
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\39337bdc85b60e2b1328ca831b2047a0178995283e86433417b6cb703924bdf2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesPT\devoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\39337bdc85b60e2b1328ca831b2047a0178995283e86433417b6cb703924bdf2.exe | "C:\Users\Admin\AppData\Local\Temp\39337bdc85b60e2b1328ca831b2047a0178995283e86433417b6cb703924bdf2.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe" |
| C:\FilesPT\devoptisys.exe | C:\FilesPT\devoptisys.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
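Every row in this table is either a reverse (PTR) lookup sent to 8.8.8.8 or traffic involving bing.com and bing.net hosts; no row points at a command-and-control destination. Treating the bing traffic as Windows 10 background activity of the sandbox image is an assumption about the environment, not a finding of the report. The Python below is an added example, not part of the report, that triages such a table: it recovers the looked-up addresses from the reversed-octet PTR names, sets aside the assumed background domains, reports which looked-up addresses never appear as a connection, and surfaces whatever is left. The rows are copied from the table above, with one constructed row (203.0.113.7, a documentation-range address) added to show a candidate surfacing.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# (destination, domain, proto) rows copied from the Network table above, plus one
# constructed row standing in for a destination that would deserve attention.
NETWORK_ROWS: List[Tuple[str, str, str]] = [
    ("8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "228.249.119.40.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "g.bing.com", "udp"),
    ("150.171.27.10:443", "g.bing.com", "tcp"),
    ("8.8.8.8:53", "172.214.232.199.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("150.171.27.10:443", "tse1.mm.bing.net", "tcp"),
    ("8.8.8.8:53", "43.58.199.20.in-addr.arpa", "udp"),
    ("203.0.113.7:8080", "", "tcp"),  # constructed, not in the report
]

# Assumption: these suffixes are Windows 10 desktop background traffic in the sandbox
# image rather than sample activity. Tune per environment; the report makes no such claim.
ASSUMED_NOISE_SUFFIXES = ("bing.com", "bing.net")


def ptr_to_ip(name: str) -> Optional[str]:
    """Recover the queried IPv4 address from a PTR name: the octets are reversed,
    so 228.249.119.40.in-addr.arpa is a lookup of 40.119.249.228."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def is_assumed_noise(domain: str) -> bool:
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in ASSUMED_NOISE_SUFFIXES)


def triage(rows: List[Tuple[str, str, str]]) -> Dict[str, list]:
    """Bucket rows into reverse lookups (keeping the looked-up IPs), assumed
    environment noise, and candidates that need an analyst's eyes."""
    buckets: Dict[str, list] = {"reverse_dns": [], "assumed_noise": [], "candidates": []}
    for dest, domain, proto in rows:
        ip = ptr_to_ip(domain)
        if ip is not None:
            buckets["reverse_dns"].append(ip)
        elif domain and is_assumed_noise(domain):
            buckets["assumed_noise"].append((dest, domain, proto))
        else:
            buckets["candidates"].append((dest, domain, proto))
    return buckets


def unexplained_lookups(rows: List[Tuple[str, str, str]]) -> List[str]:
    """Addresses the host reverse-resolved but never connected to according to the
    table: the place to start when checking the pcap for traffic the table omits."""
    connected = {dest.rsplit(":", 1)[0] for dest, _domain, _proto in rows}
    looked_up = [ptr_to_ip(domain) for _dest, domain, _proto in rows]
    return sorted({ip for ip in looked_up if ip and ip not in connected}, key=ipaddress.IPv4Address)


if __name__ == "__main__":
    result = triage(NETWORK_ROWS)
    for bucket, items in result.items():
        print(f"{bucket}: {items}")
    print("looked up but not contacted:", unexplained_lookups(NETWORK_ROWS))
```

With the report's own rows the candidate bucket is empty; only the constructed 203.0.113.7 row lands there. The behavioral1 run on Windows 7 allowed the sample only 19s of network time and reports no Network section at all, so the absence of a C2 destination in either run is weak evidence: the sample may simply not have reached a network stage.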
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
| MD5 | f80530a20ecaa5294704efbac8e77100 |
| SHA1 | 9d3922392928f8163bf29b91198ded9363af54f6 |
| SHA256 | b0a2f06d8bf8c9f1beb6158b2690362d45417c472a5721958cf956d6651c66b4 |
| SHA512 | 3693ef2acb777317cebb3a5d95149f59b1a82543e762b8b386750e3ef1053432214209c7d2be82a5beb94f6db94ee649ae360434757ca704f1bdc12803c8c84b |
C:\FilesPT\devoptisys.exe
| MD5 | 6ccbb2481726cd5e527178464135473e |
| SHA1 | a29124cd8793a53c74e6436f2f59b6d14d4a8045 |
| SHA256 | a352806d625bdffb613eee036410747f86a1bb1eaaa6d7ebbd0f33335c2e8334 |
| SHA512 | 66af12ea2da91935894ff7748b5cf0efcbda8191f64bb82ba48c68a0811ea4d5c14ea68c97e17c06a805847bf25f71295a657e617cd418033718eebf869264a7 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | ee1cf67d9172909ce39a15281ac386ed |
| SHA1 | 339454024a181852f019b25728e4fca43af89c60 |
| SHA256 | 56da45ca68987a4f0f31cc99bf1e48c581f920526e2c013ad67b82d4a0ba4208 |
| SHA512 | 64a05f4310319515ac4ba87d11be0362ad2ef5d7fb7e4a05fc3cddf05d455d0a3a4b66b1fd112b1f82401d3f38d73e0227a21fedc77939ab15b8a28c7f4753e3 |
C:\KaVB1J\optixloc.exe
| MD5 | 8dfaf68a4798615215de9ef3dccc3725 |
| SHA1 | 3e63576799ce92c0030f967e3d3f8042176b654e |
| SHA256 | f7e8dab8b7871910716a2dbfb8eb72e306c4e6b3e4d5e9a5ed098c64628b0da4 |
| SHA512 | a7931d9f71e1c5830abc44f82da58bb1491e46515323e9da7d35ece820d1e25b4aa21861cd2ef271ca34d631d3eb0cbb607f600076cd0df27d19236306797d88 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 6e3bdb195e070e710e57de7bf7cb8741 |
| SHA1 | dc19ccf827698802393abcd784f0a86069fc3f92 |
| SHA256 | e20786d300b1d3c9cb8842bcb767b5403c3dd3702be31335ecfc0f381bdefdf9 |
| SHA512 | c7aabab185c13726b4f9167acd9af096fc37c9fcd1f18b0aa1acd5ff5080b8b33d0ddaca06a2687908cd98ef515c27570bf68a5f19a7d68fe2c3cacd991f304e |
C:\KaVB1J\optixloc.exe
| MD5 | 4e243d6fada77162e1529368e42e62c2 |
| SHA1 | 6f21c7726872057e83ca642bb3301407d6e7732b |
| SHA256 | c3801be4c849d35235b3cac6cf13bbeb813f0f7b44b4d539fbd663b56bf95d53 |
| SHA512 | 1f43f284d6a346ea7878a5a88abb212fe07da1d18d0e3b595fac53ee5b093bbdc194b3f8142d6cf5f06a60088ccbf012fce9ae77cbe6728fa799a8e48537565e |
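Both Files sections list the same path more than once with different digests (`C:\LabZ7F\optixloc.exe`, `C:\KaVB1J\optixloc.exe` and both `.ini` files), meaning the file was written and then overwritten with different content; an IOC list keyed by path would silently drop half of the hashes. The Python below is an added example, not part of the report, that takes the rows above (MD5 and SHA256 copied from both Files sections), checks that the digests are well-formed before they go into a feed, keeps every distinct SHA256, lists the rewritten paths, confirms that none of the dropped files is a byte-identical copy of the submitted sample, and finds the one file name that recurs across both detonations.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE_SHA256 = "39337bdc85b60e2b1328ca831b2047a0178995283e86433417b6cb703924bdf2"

# (run, path, md5, sha256) copied from the Files sections of behavioral1 and behavioral2.
FILE_ROWS: List[Tuple[str, str, str, str]] = [
    ("behavioral1", r"\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe",
     "78414330185f7406b9bdb1a9f5d4b536", "6f011d50fa992fa385085066fe74750740876648f57e87b973ebc5cec91d594c"),
    ("behavioral1", r"C:\Users\Admin\253086396416_6.1_Admin.ini",
     "d3f8ecbff0e4e9b2d6b6f7c8cf1d1867", "5b7f6ac5b408d73abffa46fdc3b76ea0f133c3b316b958ec44734d492fb29de8"),
    ("behavioral1", r"C:\UserDotNK\adobloc.exe",
     "79614f334286685a32eb0c5ef6224022", "285e94d399a6a9318af38fbadc6dec91f4798ae9f46cf2a78c082bf892486d93"),
    ("behavioral1", r"C:\LabZ7F\optixloc.exe",
     "421787342b5c25ea8b431dfafdfef693", "5caf5e44aa8e6ae6cfbde12e56d7ab35ab3a82d7a935f40fb136dddc7c81d9a7"),
    ("behavioral1", r"C:\Users\Admin\253086396416_6.1_Admin.ini",
     "27406e538d441c4c3e489f473715aa33", "3302eda6afe0bd68926fc10826c791af58b1a52b13c927ba7d7c9571f0532771"),
    ("behavioral1", r"C:\LabZ7F\optixloc.exe",
     "3e992c0ce2fa9ed9489791945aabc527", "9d2c73e2cc86ccec9db4fda94d7ab497487489404659557c93eded9f374e4ffb"),
    ("behavioral2", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe",
     "f80530a20ecaa5294704efbac8e77100", "b0a2f06d8bf8c9f1beb6158b2690362d45417c472a5721958cf956d6651c66b4"),
    ("behavioral2", r"C:\FilesPT\devoptisys.exe",
     "6ccbb2481726cd5e527178464135473e", "a352806d625bdffb613eee036410747f86a1bb1eaaa6d7ebbd0f33335c2e8334"),
    ("behavioral2", r"C:\Users\Admin\253086396416_10.0_Admin.ini",
     "ee1cf67d9172909ce39a15281ac386ed", "56da45ca68987a4f0f31cc99bf1e48c581f920526e2c013ad67b82d4a0ba4208"),
    ("behavioral2", r"C:\KaVB1J\optixloc.exe",
     "8dfaf68a4798615215de9ef3dccc3725", "f7e8dab8b7871910716a2dbfb8eb72e306c4e6b3e4d5e9a5ed098c64628b0da4"),
    ("behavioral2", r"C:\Users\Admin\253086396416_10.0_Admin.ini",
     "6e3bdb195e070e710e57de7bf7cb8741", "e20786d300b1d3c9cb8842bcb767b5403c3dd3702be31335ecfc0f381bdefdf9"),
    ("behavioral2", r"C:\KaVB1J\optixloc.exe",
     "4e243d6fada77162e1529368e42e62c2", "c3801be4c849d35235b3cac6cf13bbeb813f0f7b44b4d539fbd663b56bf95d53"),
]

HEX_LEN = {"md5": 32, "sha256": 64}


def well_formed(digest: str, algo: str) -> bool:
    """Reject truncated or non-hex digests before they reach a blocklist."""
    return len(digest) == HEX_LEN[algo] and all(c in "0123456789abcdef" for c in digest.lower())


def ioc_hashes(rows) -> List[str]:
    """Every distinct SHA256 seen, not one per path."""
    bad = [(path, md5, sha) for _run, path, md5, sha in rows
           if not (well_formed(md5, "md5") and well_formed(sha, "sha256"))]
    if bad:
        raise ValueError(f"malformed digests: {bad}")
    return sorted({sha.lower() for _run, _path, _md5, sha in rows})


def rewritten_paths(rows) -> Dict[str, List[str]]:
    """Paths written more than once within one run with different content."""
    seen: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for run, path, _md5, sha in rows:
        if sha not in seen[(run, path)]:
            seen[(run, path)].append(sha)
    return {f"{run}:{path}": hashes for (run, path), hashes in seen.items() if len(hashes) > 1}


def copies_of_sample(rows, sample_sha256: str) -> List[str]:
    """Dropped files that are byte-identical to the submitted sample (self-copies)."""
    return [path for _run, path, _md5, sha in rows if sha.lower() == sample_sha256.lower()]


def stable_names(rows) -> List[str]:
    """File names that recur across detonations even though directories are randomized."""
    runs_by_name: Dict[str, set] = defaultdict(set)
    for run, path, _md5, _sha in rows:
        runs_by_name[path.rsplit("\\", 1)[1]].add(run)
    return sorted(name for name, runs in runs_by_name.items() if len(runs) > 1)


if __name__ == "__main__":
    print(len(ioc_hashes(FILE_ROWS)), "distinct SHA256 values")
    for key, hashes in rewritten_paths(FILE_ROWS).items():
        print("rewritten:", key, hashes)
    print("self-copies:", copies_of_sample(FILE_ROWS, SAMPLE_SHA256))
    print("stable names:", stable_names(FILE_ROWS))
```

On these rows every dropped executable differs from the submitted sample and from every other drop, so a blocklist built from the parent hash alone catches none of the persistence binaries. `optixloc.exe` is the only dropped file name present in both detonations, and the `.ini` name embeds what looks like the OS version (`6.1` on the Windows 7 run, `10.0` on the Windows 10 run) and the user name; together with the `Parametr` registry value name, these are steadier pivots than any of the randomized directory paths.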