Analysis Overview
SHA256
010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111
Threat Level: Shows suspicious behavior
The file 010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111 was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 19:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 19:05
Reported
2024-11-09 19:08
Platform
win7-20240708-en
Max time kernel
149s
Max time network
120s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | C:\Users\Admin\AppData\Local\Temp\010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| N/A | N/A | C:\SysDrvG5\devdobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvG5\\devdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxV3\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvG5\devdobloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe
"C:\Users\Admin\AppData\Local\Temp\010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
C:\SysDrvG5\devdobloc.exe
C:\SysDrvG5\devdobloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
| MD5 | ce9805bd16cfcfda238a1a42573d6300 |
| SHA1 | 50ddf1a060e6493764120a5e84712ee8a6ec24c2 |
| SHA256 | 58a7bed7fcb09c5ac2f67b10c6c60603290f1c30625731efc04c1f8231ce01f3 |
| SHA512 | 37347a0a5b24c2af6bbc9e9837f8762742474c55e0c67f2c9276bf682acc36ded2fb83441691a21374ecc323736586a958a55a822b4c51bc9f9851ce9cac168a |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 5026441d728cc76b2b04f4d90f87a6e7 |
| SHA1 | 27b633d2bcbcaaf02a3a9ee88373589568acf8bc |
| SHA256 | 6ed41d72c0ee34db214ab8680578f2711ccb382f6b6f8629f1cd81199d002fde |
| SHA512 | f2d746a2758d6bce6b2326df36a2cf24bce6176c0efb331614207f2b3ada6490bc8ecd79eb607f24a2d2bc96762bc2e2ea6b983d3acf7b4fd7b2d68dc70c1bc1 |
C:\SysDrvG5\devdobloc.exe
| MD5 | a1ed1585f27394a6fc24b456f780823f |
| SHA1 | 691b3f888c6b6325cdbd9b856c608055440a12aa |
| SHA256 | 25a29a05767c888bfdfb16282fbb8bdbb75eb678b4fd6a40e98cb08ae56abc78 |
| SHA512 | b09178bb88e9a9065ef112539cc2912bcef63c1df7ec2fa392b4629526dcb5dc37e3725bfb4c5549787221cdf7b49b14ba88a03621503a8582bac4428c1b00d5 |
C:\GalaxV3\dobdevloc.exe
| MD5 | 5d46f1583e8f4b4f3c31e60c84ed4477 |
| SHA1 | 00fc9f97ff5f01d418d6d2e9158546989b8b3d46 |
| SHA256 | f49b02ee5f5b8bea5ecfd150c426e399d32bc8f9e03d4bae4bd5ca4801b100b6 |
| SHA512 | 0cc4995b86bfc065c21b581d0771bc5778dc0fde6e4ded7c6d9c62e5437d6b5d02e8557f66f07ae7ecd9dfff6004f9c0f10c93b2c31384a8539b1b7e014441f3 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 9fa69ed3efae6dbc34d31b8da980d2a7 |
| SHA1 | 2989cef3bb0dc327a2339e3c7eba982ca5177e7d |
| SHA256 | 4e44d56dc9d7016d93edc4a3cc75164bd8fbc687c8cbfe10cebb2ea037aa9ea0 |
| SHA512 | d5171855501119e58cd83ff486177c003f5093b2a8cd140a3b22743976aea645ab2495a350329f4f572d87f771414b70d7f2e05bcfe1eafbcd04c531edfdb4ec |
C:\GalaxV3\dobdevloc.exe
| MD5 | 81ce1b81c873dc78212b666a9283272b |
| SHA1 | e29201ac69cfad4064f4e5b21f35a36f82faaa37 |
| SHA256 | 1a8a3dafc167fce8464ee1f461fa97c3305c74f8e96d65fc9ec1e3c5ed962e8e |
| SHA512 | 8174ec4db9d91f50a4861bd4f7604c8bbe02427e961f3af38ecca0c37454f0b596d83ef7f0e3006ff55dad9167cc8b91d93a73a526039d0725f08080f08d4744 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 19:05
Reported
2024-11-09 19:08
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | C:\Users\Admin\AppData\Local\Temp\010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| N/A | N/A | C:\UserDotSN\xbodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotSN\\xbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint57\\bodxec.exe" | C:\Users\Admin\AppData\Local\Temp\010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotSN\xbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe
"C:\Users\Admin\AppData\Local\Temp\010549c877a7e3e7624575d5eba260ac8126853aad02251e66ead1930c8b3111.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
C:\UserDotSN\xbodloc.exe
C:\UserDotSN\xbodloc.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
| MD5 | bde87da5c6d7744fa84365a14f4c495d |
| SHA1 | 197c27cec879917ad8bdf60a383ad9c54eb4fe99 |
| SHA256 | c85cca32a0e49659f75b30f99e271fa59e606002d61db5ab622bc8aab3d1c29f |
| SHA512 | bcccbc12e2f62a7f702cd76c7d624d7148d07bc867ee98651d4f8d7edc35368e37fa59c2f0a165b2e723c907377120cff4328604c731453d95049787303a9a5d |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 6aca7155222b526ff79b7c3d945eca02 |
| SHA1 | 3f32d5821ccb482669053ebcc71aebaf01a790b4 |
| SHA256 | e278a6c1da1f3ae86ba343f5128771a760ed18b7fbf0fc35c1d2fbef29633c3b |
| SHA512 | 51add21cce3b3336e33ad6c5741760104420bce1b5abaaad92a5881fa52b4495495e4c909420d3092b5abce61ebde1d6586cdc7e144532d9a2732974696648f4 |
C:\UserDotSN\xbodloc.exe
| MD5 | 28c552a60403152971ec00b8deef5125 |
| SHA1 | ebca3f4ac61aadbb6957ab51bad57762fc9c4883 |
| SHA256 | 421e9247b0709ae843cffe2f5e2bcbc096e4401a0339e3edccfd0baa3011c767 |
| SHA512 | aca93b5939f6f19eba1831bf614aba055b11c93aec40cd9c4606229bb5e4758d000abedf3ab95bd038a6219faedca7c50b696ea967583cda4caf40756db13615 |
C:\Mint57\bodxec.exe
| MD5 | 984b9e9b5d28b5b00d95702ebdf1f6b1 |
| SHA1 | 4c45f4935e06a287dec7463775bd44507e37a397 |
| SHA256 | 02cb9b97f4cbd6c10e92338c3782b0252312052afd61c21091fffc720c8d6f56 |
| SHA512 | 5eee150ec11092fe77242f02feb9c1859007a2ae1d4f0aec2b184a4cb57a37fc9af1218ed223a6c3ceb69f98f253f2514016532473b5be4953ee7fc8fb42cbbd |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | d03626188dbfa5b30c4095b58bd0585f |
| SHA1 | b66fe4235651fa049bd8e7362f4a4564a4cafadd |
| SHA256 | dfed6466bb8caed4b0048584d7869ef3471dd085aae220d7b02d4cd2e8336dc8 |
| SHA512 | 8ee78de66f36c43a9f576a583adeab6af788fbbb544834ce97f177d3d4ac94eddae6f7e9b047f8b214267916683fabcbbfe5e8eda9c1ee112f927ffaf8c15e90 |
C:\Mint57\bodxec.exe
| MD5 | 694f7e6f60fc1bbd7c5f139df913960c |
| SHA1 | a7c1cda14b461f46b55c060fa6c397e8804c0003 |
| SHA256 | 851012d6efdedef5822ad7c81329b307f0a8f4abc21cd91cc8583bcfeda42e94 |
| SHA512 | efc25fbed8ab16cf023eab0b95ff9d402a0dadb5cc8f3738544b50db4c9f341ccb5ce4ed2721d01f95f61d76179240abcce901e6f9e0cc0caf7fd03404e8c1db |