Analysis Overview
SHA256
75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468
Threat Level: Shows suspicious behavior
The file 75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Drops startup file
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 00:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
| Field | Value |
| --- | --- |
| Submitted | 2024-11-09 00:00 |
| Reported | 2024-11-09 00:02 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 120s |
| Max time network | 95s |
| Command Line | |
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\IntelprocC4\devbodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocC4\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZLF\\optixloc.exe" | C:\Users\Admin\AppData\Local\Temp\75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocC4\devbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe | "C:\Users\Admin\AppData\Local\Temp\75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe" |
| C:\IntelprocC4\devbodloc.exe | C:\IntelprocC4\devbodloc.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
| Hash | Value |
| --- | --- |
| MD5 | 8ec5fbe4531477a2430367ff50b8ffb6 |
| SHA1 | 812a942428116b4ac3a4502ccf949bf7ba04e547 |
| SHA256 | a56b36da9e2f53a8de00463a96f9617f413bdb521b38c6cd171990bed3e828b9 |
| SHA512 | 6e837b4f82a6daabafc3dcdb4ad5d2b47ae827372773e681b2f034de18ea032d70c51529cc180c6b8ef0d7e6611c49cbf4fbaefe8881e5b4a22f1b59da5312c5 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | b86baf64a2f4d6dae072300ecc0a48c5 |
| SHA1 | 0d3d2c42bd88180f830fce202ea54a81ab5cc7d5 |
| SHA256 | d6c06371c0e1afd014888effb8b64df787c6ea7616e6beeeca1e552646f89eb9 |
| SHA512 | c5201bc6a7933aad78b0108bfe6e4fce9b1ffbbe529232bec2961e4c8d8e77f3125979dd16eab046d3d6a439d63a6692a4d0dcb054ee2857e53b6b08ab03700c |
C:\IntelprocC4\devbodloc.exe
| Hash | Value |
| --- | --- |
| MD5 | e949aac111dcd395eec4a142f3332bb1 |
| SHA1 | e1d24508516d15627032074e860410ce92a12b4a |
| SHA256 | 06d25477ced35acd1d2bb7455028e22fa3022dbf444bf58c9f08a5874733ac88 |
| SHA512 | 0a2dc02137e6950a044e77acb3343123695cd64bf6fdda11b8e5884a32b908bfd504199e24aa737294e4c4c716e08077cafe4a55b4966b1c33878a1b4dd4b84c |
C:\LabZLF\optixloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 30d86b2f18ca72d7970aa818a2bfab37 |
| SHA1 | a3ed21409a67479a9d3e25c9b90fd92a928c652b |
| SHA256 | 5bdaff641f6449a6143984dd990c728d06e832295e70dd9b3ee709e920640aa9 |
| SHA512 | cecd24b346737a1cc95a4410f525200e5c5afd34f2c6d888ad18e9220edce62f2b74996574d8c2dd21ef83a349cd4263187a779976de5c8e2ebe1c30a27119dc |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 98a6560369f2524829837f359bdb9dce |
| SHA1 | 970a25a3f94eef59a368d6e548e7c9edc2080d0b |
| SHA256 | 27edc74e9f274d3c9d121875559587e126c6be196c44251710014ae5dba50a89 |
| SHA512 | 09c694fc468569c402ea11528ecdeaee672a6a76f5f7b668c725be87d0ba8e47dc498ba5be7af5e9a2e05abb0c9e5e965f80ebdc4de030794fe88a4c7ec499cd |
C:\LabZLF\optixloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 386c67999881567c208e295421e5e1d6 |
| SHA1 | 06e502c41a69f5d36593f5860e791b434fd027f2 |
| SHA256 | 0a65a23ea064fc5399cac8151da22b013cd2bbcd766e119042d0f02cdc7dbbf8 |
| SHA512 | 8003bdc79042f0f95051c4bf55a5c8c651822d80f31083f4f3857f8e39aa28845d1ba73c051650248e4744fd5e54c1d11c4880dcb8b56236ef04c76035ee030c |
Analysis: behavioral1
Detonation Overview
| Field | Value |
| --- | --- |
| Submitted | 2024-11-09 00:00 |
| Reported | 2024-11-09 00:02 |
| Platform | win7-20241023-en |
| Max time kernel | 119s |
| Max time network | 119s |
| Command Line | |
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\IntelprocKF\devbodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocKF\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintNI\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocKF\devbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe | "C:\Users\Admin\AppData\Local\Temp\75c9304de617faaa87ab1fa1acc9a8198c8d633bc46774ff6e8283c1e4c63468N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe" |
| C:\IntelprocKF\devbodec.exe | C:\IntelprocKF\devbodec.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
| Hash | Value |
| --- | --- |
| MD5 | 6bed96784cd83a7f5a13bf1b1d7fe72e |
| SHA1 | 8a132c167130ffcffe1a55b79424405bdf8c1d71 |
| SHA256 | 6899223834386d94afb3445b00ebd3063e113f8b844c010adf23637749682d83 |
| SHA512 | e67171fcbcdd487b4ad66ddf6da2bcc3090afacea4b9540ff8e7301d38b9e0c4446a8368f32d82f2a4cd5dafeaf286eea4f4b9dd45c9b4b0e724be402a45edc0 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 56df387be03c9b6b4d354b6023eec656 |
| SHA1 | 49b1264550a3491f71c1b7ad89f091e434933e7c |
| SHA256 | b7d6b84cb7032058aceb2d886edaa69cf102bcabf5aebf05be8e8c539e4c168a |
| SHA512 | e0af618115a01691d802d31e2ee05b5a03d3ecde674cd528dd29acbcf2e19a9a3c09a8c767271bd81d1efbd7fdcad415191b5abca13f5e7d5bc9afc5ad8cf495 |
C:\IntelprocKF\devbodec.exe
| Hash | Value |
| --- | --- |
| MD5 | 66e188db09a72c219fd145f38939b1cb |
| SHA1 | 30b057116311de0a61d07b14e24b01421eb647ee |
| SHA256 | 45dc162769c3541006cdac120e7792222bb80f0e28488ddc82828ea85e453018 |
| SHA512 | 90b0553f0847628f4151310b9513128b1aa4ef69a84f6bd3152dd04046e984120e2b1728ea2cc3082f3d9787a0f93d3db90ea317ea1d2bdff2ff28e859639d8b |
C:\MintNI\dobdevec.exe
| Hash | Value |
| --- | --- |
| MD5 | b00c25ab3ad6003b6cc2e01a039464a1 |
| SHA1 | 64a88d29e367901d1955c349bc916b192e942f66 |
| SHA256 | aab792bf0342c29ce944bb1387acf03ab9d0b0cebdfc5963fde36124b861479c |
| SHA512 | 72eaa219fc788fa83663f65670647f1b784e4a6462b6b6c0a5cb379b9e816b5a8809efb86e332959e1ff604f163fa0b23c6800749cfc00a4f78bb673e8a3f0a8 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 820b7e4c56ecfd1e25960daf10900037 |
| SHA1 | b991cf770196bd29a85c1ee680e691eaecf83c9b |
| SHA256 | 06f971e1701e9259116d7940f136cc372033594372e93414ac9e7fb7822bc793 |
| SHA512 | ba5c7a6ea4064f22ec1bd016b47cc822e22a7862fd8fe3aa8b874ac43bdb4d40fb5ab4b03051b7a45de7d52cbbb4e24684631dec759fac593c8877d055530895 |
C:\MintNI\dobdevec.exe
| Hash | Value |
| --- | --- |
| MD5 | cfb381df98a1b38894d18d5319a541e2 |
| SHA1 | cdac3159f495a2e468e1461653f1ee7dc1e5e9be |
| SHA256 | f5424cc8894309e5e08da525401cd005c7c8cba598ca0260ad6f45086c31506c |
| SHA512 | 8aa13f2068979bf22e0b60a1c6602dde31600e28f788e8b647273fb9bf8c999287674d64b69d779e95e1d514c492633fc4c33c771dd54a2f1958fb440fb940f8 |