Analysis Overview
SHA256
4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068
Threat Level: Shows suspicious behavior
The file 4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068 was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 22:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 22:04
Reported
2024-11-09 22:07
Platform
win7-20241010-en
Max time kernel
149s
Max time network
128s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\UserDotYW\devbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotYW\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax8X\\optidevec.exe" | C:\Users\Admin\AppData\Local\Temp\4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotYW\devbodloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe
"C:\Users\Admin\AppData\Local\Temp\4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
C:\UserDotYW\devbodloc.exe
C:\UserDotYW\devbodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
| MD5 | b322bf339455139248a52159b49b2c2e |
| SHA1 | bb15fa0e524f3dd083c6c19f730d2270e62e3945 |
| SHA256 | a19e40b56f2ea2606c9c54985eecee40d7445e68b7fbf820d93457bc28b7691f |
| SHA512 | 4050ae9ceeede4a113fa36e0ea307043d0670e2a2007a094988fa710897a7005f598aec8b3bee8973fb3a112c3c9aba5cf6567119971e02589f5187fdc14716c |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | d13a9d458bcd2c8608ed5180207d61d5 |
| SHA1 | ff145e5bbb886dc8a2daf075a16f5aa95889358c |
| SHA256 | a8b989fe084cc41f79d8e9af519cc6aa37c9e55a310569fce4015c8da4a2718e |
| SHA512 | 481aedf7dd3ff1d8daafae9ef0e234be67666ce58706abe6afbd3815368bad3faa893e09563545403acc80c84eb6c02cdde6f07282a6fc4742d94a4054a14f4f |
C:\UserDotYW\devbodloc.exe
| MD5 | 646612680e812de985fe8f60c2cbba52 |
| SHA1 | bb66a888d8a8daf6687e64e4929011c5441f803f |
| SHA256 | 5e2ff79cbdec22f0c166833f3ceae77bd859dc0dfa7cb62a3f895b8c3f1506f1 |
| SHA512 | f9b35d9a96c7d83de80ad74a886b29ce18b29360979ebd90b7132a7a934dca8de8c755211496fe13d1fbd2b9a6d8d3f96ed2257d81ddc160b477c5c8f9bdc79d |
C:\Galax8X\optidevec.exe
| MD5 | bc92ff2c466662d4a084a9e369f30cfb |
| SHA1 | 315e6781f7c3974404334fd6b7f17c7d8b08b5d1 |
| SHA256 | 96e49fae039353ede60ab7ce4332d9130b1b718d888d67107b044403ef58bc71 |
| SHA512 | 9f37b87dfe9763bcb2187cca521dbeb82376d048ead13b3fb3a80641e1734cf1d1d830535c9c3bc607d5e008e0d965074fe8f10e3aafd3cc93a82d89ec5a5e8e |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | c62ff5db21ad9566e0e502f4f7c59cbe |
| SHA1 | d5f25f95509e9660358673c7c6a61286f452befe |
| SHA256 | 12f86de19d3e41c074300798d4bd30b22de7cac3b8bcab9acef02356dfad1aea |
| SHA512 | 26484f2633f843c4c7e98ac003bea8b2028f3a6deffe97590c85dd7c0a5a22e640f2a2d2f9ec689d214cdbb89a64b23165ad9ab991555e58c139407f93d96ecb |
C:\Galax8X\optidevec.exe
| MD5 | 56302b181d9d5cd7703046aca93da057 |
| SHA1 | 71453145f8d2ea7b12d5022793ef3ae747caa8e1 |
| SHA256 | e55f0fd4043f2637b5b9f2dfc4a8ed72bc400945db6017fe51cd8e0b1e567440 |
| SHA512 | cd342c7b2cccee6372a3bf0a7dd69eeba6441e35dfa9396cf65f8f99c5ab0a4acfb0aeda14dd00be3c0fc2019cd0bb167a45bd15a833964778dd95f803a90773 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 22:04
Reported
2024-11-09 22:07
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
134s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\IntelprocFT\xdobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocFT\\xdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintNC\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocFT\xdobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe
"C:\Users\Admin\AppData\Local\Temp\4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
C:\IntelprocFT\xdobloc.exe
C:\IntelprocFT\xdobloc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
| MD5 | 56690dd23a48c7a54907acf4f61c5dbd |
| SHA1 | 506e9c8752ae54212e6e93e8e24a6c87a80ff908 |
| SHA256 | b3207eea01dded1bc1f6b2a9d69ef50450eec4c381f8708c1cc335fd1fe96948 |
| SHA512 | 1834782796d498fc14f55c51a1c1a3b46065f063fc12a11a66e8c6c220cb3a09d8d145f0ade317bab9d2a4b9d9ff1bdcfbdcd8a4923a1de2b0c3f32e50ef1aa2 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 701dbf1ecd0054eedb47cd021b9cc453 |
| SHA1 | 162423eab564bbff4240251d14f2f0b698529519 |
| SHA256 | 7b89d3874842d56678d158e12aa922e0239f2ea08a454aa0de41fbe8283ef578 |
| SHA512 | 17f94b973e2749df11bec5b0c84a621bfb2d8431aeb417741d1441ed0112e3197b3d78e7e3f890471031080c23da8dbe473c58a5206083ad06a97617645c7283 |
C:\IntelprocFT\xdobloc.exe
| MD5 | 43a9ff379e2059c3f8158a2015110341 |
| SHA1 | 66434c35a5dfe8f0d61827d05d96519b7d4eeb1d |
| SHA256 | 5c6aa7b84ee01100214edab111886fa290c429b80f17bbc93404d860e1f281c8 |
| SHA512 | d4060775ff6175eaf8b69442399af9219f9949cb23185d8e767b66ee25e8cbf68e34ec268da9dca2114f9fae502b7835d46d824708f13b4b226ca924dc0abb0c |
C:\MintNC\bodaec.exe
| MD5 | bfc585b53c251bc54143bc3b7997c02d |
| SHA1 | a3ed085fba1895419b27dd0ffc23140a7bb7dc44 |
| SHA256 | 7d562016c25f92016c69e012609f0e64a52a7d884a45acbecd16e11aff0f7b72 |
| SHA512 | 37a995eea7a7fa82a0089ef725cc1a7790e0a5356824ca115b148d27d800a466e51c783f5863558c58dd10b6dc1631f673357b0a4a8dcc62c4c05ccbb9decb56 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 40878f1230354d0fd041f4f470710fe0 |
| SHA1 | 11aa86d24de207762e1e586688f64e3cadc9d37f |
| SHA256 | b51c926cbd19bd14caff6ec099db0b349fd836209df5cc7debd30b693d9cc9ca |
| SHA512 | 45007ad39d3b11c202caa8a86c8326933ff528c269fcdfbd7ccd1f08abc276d3a3e97b58df2141dfc451468b778f0ca59c0a76b7f4b224992c4767fb81bf7a97 |
C:\MintNC\bodaec.exe
| MD5 | 0040f3d98ea9a5547c37d0e61b2c7348 |
| SHA1 | 93bf511b8d9006e3b4062cad086fff8646963303 |
| SHA256 | 964a8efc97359944c4636cce27c9a8ecfc8b4ca7a2f623d5506fda5e7df15977 |
| SHA512 | ed41977cf0299a656f98c58ca69186b2ddd9c050ab064311ae433a75dc86e5a9e74021260b6628d9011634bbdce490dea0908071ab59936ae095f2bf2287d328 |
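The persistence artifacts recorded in both detonations (an executable dropped into the user's Startup folder, Run and RunOnce values named `Parametr` pointing at an executable in a freshly created directory directly under `C:\`, and an INI written to the profile root) translate directly into a host hunt. The script below is an added example, not part of the sandbox report and not code belonging to the sample. The `Parametr` value name, the folder layout and the hash list come from the tables above; the INI filename pattern and the "one executable in a non-standard top-level directory" heuristic are assumptions inferred from the two runs and are marked as such in the comments.

```powershell
# Added hunt script, not part of the sandbox report or of the sample. Checks a live Windows host for
# the persistence artifacts recorded in the Windows 7 and Windows 10 detonations above.
# Run from an elevated PowerShell 5.1+ session so every loaded user hive under HKEY_USERS is readable.

# Observed in both runs: a Run and a RunOnce value literally named "Parametr" pointing at an .exe in
# a newly created directory directly under C:\ (C:\UserDotYW, C:\Galax8X, C:\IntelprocFT, C:\MintNC).
# The directory and file names differed between runs, so the value name and the layout, not the
# paths, are the stable indicator.
$ValueName = 'Parametr'
$RunKeys   = 'Software\Microsoft\Windows\CurrentVersion\Run',
             'Software\Microsoft\Windows\CurrentVersion\RunOnce'

# SHA256 values from the Files sections. Each dropped path was written twice with different content
# and the hashes differ between the two runs, so a hash hit confirms a finding; a miss clears nothing.
$KnownSha256 = @(
    '4cf6c70fe68e7597be536ca6508fd8b1a9c3bb1de9dc0a4df0091e037dedd068', # submitted sample
    'a19e40b56f2ea2606c9c54985eecee40d7445e68b7fbf820d93457bc28b7691f', # locadob.exe   (win7)
    '5e2ff79cbdec22f0c166833f3ceae77bd859dc0dfa7cb62a3f895b8c3f1506f1', # devbodloc.exe (win7)
    '96e49fae039353ede60ab7ce4332d9130b1b718d888d67107b044403ef58bc71', # optidevec.exe (win7, 1st write)
    'e55f0fd4043f2637b5b9f2dfc4a8ed72bc400945db6017fe51cd8e0b1e567440', # optidevec.exe (win7, 2nd write)
    'b3207eea01dded1bc1f6b2a9d69ef50450eec4c381f8708c1cc335fd1fe96948', # locdevdob.exe (win10)
    '5c6aa7b84ee01100214edab111886fa290c429b80f17bbc93404d860e1f281c8', # xdobloc.exe   (win10)
    '7d562016c25f92016c69e012609f0e64a52a7d884a45acbecd16e11aff0f7b72', # bodaec.exe    (win10, 1st write)
    '964a8efc97359944c4636cce27c9a8ecfc8b4ca7a2f623d5506fda5e7df15977'  # bodaec.exe    (win10, 2nd write)
)

$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Kind, [string]$Detail, [string]$Path)
    $sha = $null
    if ($Path -and (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $sha = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    }
    $Findings.Add([pscustomobject]@{
        Kind      = $Kind
        Detail    = $Detail
        Path      = $Path
        Sha256    = $sha
        KnownHash = [bool]($sha -and ($KnownSha256 -contains $sha))
    })
}

# 1. Run / RunOnce value named "Parametr" in every loaded user hive (HKEY_USERS\<SID>).
foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
    foreach ($sub in $RunKeys) {
        $key = "Registry::HKEY_USERS\$($hive.PSChildName)\$sub"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $val = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).$ValueName
        if ($val) {
            # The report shows a bare quoted path; strip the quotes so the target can be hashed.
            Add-Finding -Kind 'RunKey' -Detail "$($hive.PSChildName)\$sub\$ValueName = $val" -Path $val.Trim('"')
        }
    }
}

# 2. Executables in any user's Startup folder (locadob.exe / locdevdob.exe in the report).
Get-ChildItem 'C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.exe' -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding -Kind 'StartupExe' -Detail $_.Name -Path $_.FullName }

# 3. The INI written to the profile root: 253086396416_6.1_Admin.ini on Windows 7 and
#    253086396416_10.0_Admin.ini on Windows 10. That the middle field is the OS version and the last
#    the username is an inference (assumption), so the pattern stays loose: digits, version, name, .ini.
Get-ChildItem 'C:\Users\*\*.ini' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^\d+_\d+\.\d+_[^_]+\.ini$' } |
    ForEach-Object { Add-Finding -Kind 'ProfileIni' -Detail $_.Name -Path $_.FullName }

# 4. Heuristic (assumption, expect benign hits): a non-standard directory directly under C:\ holding
#    exactly one .exe, which is the shape of every drop directory seen in the two runs.
$StandardDirs = 'Windows', 'Users', 'Program Files', 'Program Files (x86)', 'ProgramData', 'PerfLogs'
foreach ($dir in Get-ChildItem 'C:\' -Directory -ErrorAction SilentlyContinue) {
    if ($dir.Name -in $StandardDirs) { continue }
    $exes = @(Get-ChildItem -LiteralPath $dir.FullName -Filter '*.exe' -File -ErrorAction SilentlyContinue)
    if ($exes.Count -eq 1) { Add-Finding -Kind 'RootDropDir' -Detail $dir.Name -Path $exes[0].FullName }
}

$Findings | Sort-Object Kind | Format-Table Kind, Detail, Sha256, KnownHash -AutoSize
```

Save it as a `.ps1` and run it elevated; only hives of currently logged-on users (plus `.DEFAULT` and the service SIDs) are loaded under `HKEY_USERS`, so profiles of users who are not logged on need their `NTUSER.DAT` loaded with `reg load` first. A `RunKey` or `StartupExe` finding is the strong signal; `RootDropDir` and `ProfileIni` are there to surface the rest of the layout once one of the strong signals fires, not to stand on their own. Because every dropped file on this page carried a different hash per run and per write, do not build the detection on `KnownHash` alone.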