Analysis Overview
SHA256
7b5267179d43473cb3cc88e2e9af0f45a0548cb3a257e744414952d7bcd987a7
Threat Level: Shows suspicious behavior
The file 7b5267179d43473cb3cc88e2e9af0f45a0548cb3a257e744414952d7bcd987a7N was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 23:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 23:00
Reported
2024-11-08 23:02
Platform
win7-20240903-en
Max time kernel
119s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\7b5267179d43473cb3cc88e2e9af0f45a0548cb3a257e744414952d7bcd987a7N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\IntelprocW6\devbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7b5267179d43473cb3cc88e2e9af0f45a0548cb3a257e744414952d7bcd987a7N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7b5267179d43473cb3cc88e2e9af0f45a0548cb3a257e744414952d7bcd987a7N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocW6\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\7b5267179d43473cb3cc88e2e9af0f45a0548cb3a257e744414952d7bcd987a7N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB2H\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\7b5267179d43473cb3cc88e2e9af0f45a0548cb3a257e744414952d7bcd987a7N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7b5267179d43473cb3cc88e2e9af0f45a0548cb3a257e744414952d7bcd987a7N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocW6\devbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7b5267179d43473cb3cc88e2e9af0f45a0548cb3a257e744414952d7bcd987a7N.exe
"C:\Users\Admin\AppData\Local\Temp\7b5267179d43473cb3cc88e2e9af0f45a0548cb3a257e744414952d7bcd987a7N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
C:\IntelprocW6\devbodloc.exe
C:\IntelprocW6\devbodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
| MD5 | 01218f407e5e5863390c3b1803bc2f33 |
| SHA1 | d19aaad7b23d54209b5cbb6ee037ad81950b11ed |
| SHA256 | 238c8c3b84ba212ade1c968af2b17595500c2657add5f02031d108cc816e86c3 |
| SHA512 | 88d8356d85aaa7e74c614fb5c74be1e18e31dc98fe0e2a883561bce917cd06d7c5b9e1b1b7789890b7c9f6377bd89ab643d4bb65ccbf760194ebf4254732ec0c |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | cbe404409eab0d977ad6191f3ded2e35 |
| SHA1 | b0a66c8bfd9f00de61cac422f6f17a95b128c4bb |
| SHA256 | 1569329493a8ace82538b7edf157f11506acd2738811ba82ac8543b275527eb3 |
| SHA512 | 49c81c8e219dfe07b2d07ba2ef0cd645e5888bac2c56ea8a298fb3a34553f575347e915f171dc775fc9f48cfb56c421e8fabeb95f8fb1879575152280837a661 |
C:\IntelprocW6\devbodloc.exe
| MD5 | 87e354be4aa61f8389e6604d1675efa5 |
| SHA1 | 38bcbf38e1394145f2166766703749df80b20328 |
| SHA256 | 794a732d2f891bfb9155ea0d8e5fadf6c486785b9bdac6abdd220ce2a8ae179c |
| SHA512 | debe16cf4c6394d0deae3956bc8214763c4c74bdc89afeb8d6260485b813b797e7be5c2ee0451d765a8b95d2b39c23eb4141843e9767cecf2694d3bbc13552b5 |
C:\KaVB2H\dobdevec.exe
| MD5 | a6a897a02f85a881d9b0fd214c310707 |
| SHA1 | bf8451284fb285ac1b3a7cca171d69b0cc7fe01e |
| SHA256 | a5a3058e3202c44f028e20c2581830a77bf0c36a7173c3a92302ea92764a45af |
| SHA512 | 90d30e338f7deb5d568fc35b8ac389f35619c2de9b5e514f8e9c4f406ddd1443935ea97ecf7a9326374f78b4d7d6e037d151ed1e5f8c678fab622d25d92c29b7 |
C:\IntelprocW6\devbodloc.exe
| MD5 | 1932106027281a1496d62b7166c3f637 |
| SHA1 | 5d5feb9f5288249afc6431f295b4a2d759e8b97c |
| SHA256 | b7d5ae6d62b1c9a96ab132701da31d89751450b259639488e362390ac1e8e412 |
| SHA512 | 6314635253d10a456217b4898c4513bb0018a07ce47912675b04bf6bde78fd0d7dcf47227ca3dc4110a227ffbe9bc87bd198a13545fd2b87c0a2a187737fe726 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | d575b2e982443c39d32137180db7900d |
| SHA1 | e596419f925e0f9dfcf9f0b61468e4b47d918e14 |
| SHA256 | 7151b93d9aaa15d88891d6fa480d9b9dbb2e36353ec24a15ae510039fb1e4057 |
| SHA512 | 84207b0b31bc0465c045f638991c7e2b3d3fdefe39a261228326dccd421003d92f6419f90b1950fa4b3ee867e566c26a5fb9a3e4322eede84ad168ece23556ab |
C:\KaVB2H\dobdevec.exe
| MD5 | c4974f4f46c724aeb09efcf6c12243af |
| SHA1 | a6bef17f126a8a8ab98b0b7d9c58d44ff4d973a0 |
| SHA256 | 7bdc55009592d1f5dbe73dc2ff185b4eeb747ac0e1347312ff1f3c53b800360d |
| SHA512 | 90e80e4caaeda523733cf5ebe7d6d18f48910a436e0f43dca68fc45d2454c564fee242f1587012b46c0c04e6b50ed8db2721d7657af211efbb41d4582d86619e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 23:00
Reported
2024-11-08 23:02
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | C:\Users\Admin\AppData\Local\Temp\7b5267179d43473cb3cc88e2e9af0f45a0548cb3a257e744414952d7bcd987a7N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| N/A | N/A | C:\FilesQ0\devoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesQ0\\devoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\7b5267179d43473cb3cc88e2e9af0f45a0548cb3a257e744414952d7bcd987a7N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintC0\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\7b5267179d43473cb3cc88e2e9af0f45a0548cb3a257e744414952d7bcd987a7N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7b5267179d43473cb3cc88e2e9af0f45a0548cb3a257e744414952d7bcd987a7N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesQ0\devoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7b5267179d43473cb3cc88e2e9af0f45a0548cb3a257e744414952d7bcd987a7N.exe
"C:\Users\Admin\AppData\Local\Temp\7b5267179d43473cb3cc88e2e9af0f45a0548cb3a257e744414952d7bcd987a7N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
C:\FilesQ0\devoptiloc.exe
C:\FilesQ0\devoptiloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
| MD5 | 579de187030a611fce4d0d180a3e38d2 |
| SHA1 | e9729172c276914f651408d56b44f12125feef56 |
| SHA256 | 209562840092617d0c1ff82fdf5b82a19ae01124a652f80e3a390cf6af61a770 |
| SHA512 | a6f096feecb678baedf7620ca041b0da53d1eae71a889934ad3ef24a920d28ac2f431abdba901c7bc64517e628964a3c192edd22aac626aad3b782c0bc170649 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | ceb542fad178eafe5620c3eadf5638a9 |
| SHA1 | 7de44870886576be3593d2aab6630b5cf1dfc172 |
| SHA256 | 2aaa3776ad052f2c2172bd0aeaad0671eb30a21b915cbb855156aeee64239ce4 |
| SHA512 | fd505a1adaeb276700cdf79160ae9b2c79ebd5e90959448f0869646b63597c59b5c60043fc34208b11ca23c5965e87ffdf11a9fe6b2125769f0c524887b8263b |
C:\FilesQ0\devoptiloc.exe
| MD5 | 503ae888801bdabef4f9cfc02f371bdb |
| SHA1 | 3c35a8302ccc87003c868771c569831875b2efef |
| SHA256 | d8bd87b35cb0d996641814ce046ac9dc31c024c79c2e905dc1077bc411923bea |
| SHA512 | f479d87223ad2641d781671be39a1ae29806db325d0901e309d3fceb5d5ae649bf5b3c65110ee6d289e1eade0d551dac29cc8a2ed949687b01c909dd51ab5e6c |
C:\FilesQ0\devoptiloc.exe
| MD5 | b35e67007292b7b49d701dc7e6221e44 |
| SHA1 | bab3695315603f314cff0a71af90a7ed1e4c6263 |
| SHA256 | 551c893b52658767871bf24998be1663740c8156925d6bbcd12770091e0d578b |
| SHA512 | 24695ea7e494b46fd10dba663e8236aea14d2b1eda69d5a8122fc3e4b4b57c6f567112437fc093f868debbe0999f1c75245c4cfb2f0e6fe5ed25b8a4e407853a |
C:\MintC0\optidevsys.exe
| MD5 | 5b5af493edd899d061e228cda1cd5ae0 |
| SHA1 | efcda9fafc3c5dc4d7aee01fa9086be903647d5e |
| SHA256 | 025f566883f7dcf753c51eba1f9aab3a29e9444d8af407cb380ff550898eda56 |
| SHA512 | b95b95ab330bb0821cc171e3d4ffd86fd8bee5af9d1f5b0029ce5aa4818821f3026e04eed2e4cd160aaeb1cb64e5f3e44cab63925e24985b1731c2f8a7c3737d |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | e7c684e9bf5cda15f08b22791d299595 |
| SHA1 | e313a30ade0dc660ce58a598b82652a2728ce244 |
| SHA256 | 8871ceb359957d943ce23202f7e1e965da57da0d3b7c907bd12780a5d69319bf |
| SHA512 | 7cb9d8311cf8edb87275fb35af501169ba8956e7463a815b9a583e50427877297ccdb9f737c177f9867bca877d187d4e118818baf4e934b2e52c6cab4c12f370 |
C:\MintC0\optidevsys.exe
| MD5 | 72674400ac7e77f20a448febe5f02754 |
| SHA1 | 9be518be2406db8f5f00dc55fb9ffb77640f5d63 |
| SHA256 | 2a38e4b56f65847c4410c56623818a97b465a77acb66798f46421b40ea1d1e29 |
| SHA512 | 9eb0f1485d1f6726fbf11abb57a212343ef9c51e5fb2881c1d7566d3e73535022ad02a70460a8973df7ecfe850579e5dd60bb31e631a68eebad5a5a04b957524 |