Analysis Overview
SHA256
53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628a
Threat Level: Shows suspicious behavior
The file 53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 14:25
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 14:25
Reported
2024-11-08 14:27
Platform
win7-20241010-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | C:\Users\Admin\AppData\Local\Temp\53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| N/A | N/A | C:\SysDrvFT\devbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvFT\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintXW\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvFT\devbodloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe
"C:\Users\Admin\AppData\Local\Temp\53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
C:\SysDrvFT\devbodloc.exe
C:\SysDrvFT\devbodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\SysDrvFT\devbodloc.exe
C:\MintXW\dobdevec.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 14:25
Reported
2024-11-08 14:27
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
93s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | C:\Users\Admin\AppData\Local\Temp\53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| N/A | N/A | C:\SysDrvDO\devdobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvDO\\devdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid96\\dobaec.exe" | C:\Users\Admin\AppData\Local\Temp\53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvDO\devdobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe
"C:\Users\Admin\AppData\Local\Temp\53966b6227d74611215b1696b3486812bd35c0362ec7ad5b4b01fa891406628aN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
C:\SysDrvDO\devdobsys.exe
C:\SysDrvDO\devdobsys.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\SysDrvDO\devdobsys.exe
C:\Vid96\dobaec.exe