Analysis Overview
SHA256
15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbd
Threat Level: Shows suspicious behavior
The file 15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 14:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 14:41
Reported
2024-11-08 14:43
Platform
win7-20240708-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | C:\Users\Admin\AppData\Local\Temp\15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| N/A | N/A | C:\FilesJH\devdobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintKL\\optidevloc.exe" | C:\Users\Admin\AppData\Local\Temp\15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesJH\\devdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesJH\devdobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe
"C:\Users\Admin\AppData\Local\Temp\15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
C:\FilesJH\devdobloc.exe
C:\FilesJH\devdobloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\FilesJH\devdobloc.exe
C:\MintKL\optidevloc.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\MintKL\optidevloc.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 14:41
Reported
2024-11-08 14:43
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
94s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | C:\Users\Admin\AppData\Local\Temp\15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| N/A | N/A | C:\SysDrvH9\xbodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBW1\\optixsys.exe" | C:\Users\Admin\AppData\Local\Temp\15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvH9\\xbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvH9\xbodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe
"C:\Users\Admin\AppData\Local\Temp\15ad802d3d595951a671045fc06a5677e5397884366ed454342f6951c0172fbdN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
C:\SysDrvH9\xbodsys.exe
C:\SysDrvH9\xbodsys.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\SysDrvH9\xbodsys.exe
C:\KaVBW1\optixsys.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\KaVBW1\optixsys.exe