Analysis Overview
SHA256
1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d
Threat Level: Shows suspicious behavior
The file 1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d was classified as: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 19:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 19:46
Reported
2024-11-09 19:49
Platform
win7-20241010-en
Max time kernel
149s
Max time network
19s
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\UserDot4N\adobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot4N\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBW3\\dobxec.exe" | C:\Users\Admin\AppData\Local\Temp\1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDot4N\adobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe
"C:\Users\Admin\AppData\Local\Temp\1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
C:\UserDot4N\adobloc.exe
C:\UserDot4N\adobloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
| Algorithm | Value |
| --- | --- |
| MD5 | 9fd8a9bb9f08394e386b41a0c260df4d |
| SHA1 | 90029781c44accfc5342ba5b317daec2fae19949 |
| SHA256 | 13f47561316a13097429cbb08bf4dc966236f86629520ee6155ffe68bd6756df |
| SHA512 | 258d66dfe52d450810548910ec785d925bb18eee246fc0784882de0288f98ec790e775658188dabb466fdce69e3019704cf975caca12cff6e31891c9843dd6c9 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Algorithm | Value |
| --- | --- |
| MD5 | 5ed5f607e3160309103f88f4162fbb3f |
| SHA1 | a5d425cfff5fd231d1c74f23c60e005a5b426547 |
| SHA256 | 8dbce2cf1ed3f4e6d789fa4c4be59899b049811433834ff70548520f32c24a79 |
| SHA512 | 95fc2fa26f096a11695f8be36656f88eb2e897f4742d2399a7dcb62cb09828ce10ff6d74bf95d89ebdfce1c995da541916c72dcf88980383652e223d4c114d5d |
C:\UserDot4N\adobloc.exe
| Algorithm | Value |
| --- | --- |
| MD5 | e31a65ae579441b45f3c309409ca442d |
| SHA1 | 63363ce16cb0eaccac734e53dd40cf7e5f564770 |
| SHA256 | 5ee8b287c5c39e452fe2cc9d72b7eb544fe1ce8b9c73f0e997fa0438ddbcd9c9 |
| SHA512 | 82e350d3f7b0ab7c5990407200b3a4a4a0192cb0eecd49665233f996a4854794b265d176ba653ec5ea2bdf1d6195fe832467e078eb5590b426bc85028d180b07 |
C:\KaVBW3\dobxec.exe
| Algorithm | Value |
| --- | --- |
| MD5 | 5923515b3fce01ebc92e0c070146cd6f |
| SHA1 | 70322451010207b3477426800f83c2dafd955477 |
| SHA256 | bf6be54fbd76564887bc3a7586d35c86be31d7e88eae308e05139ff4f27df8fe |
| SHA512 | ad194aef8a0b362b4706e7ebf0b22cafaf3f28426e539f0f674d6e3b0da8a1d9a02c464a57d89cd9790d16d72f4cd7a2b7a4f5daa8064d86edcbfa0225cc275a |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Algorithm | Value |
| --- | --- |
| MD5 | 71a4f1220e76772077eb1839f81c463a |
| SHA1 | 10177d9db956c5f8baef38bcbe8ae91fff06c895 |
| SHA256 | b5f33c220a208c189e62ed02e41a1c2b09eed1bedebe71a5d8c0c69ef1dc270a |
| SHA512 | 5fb9c45aa84ba220941713f6089e7651c1ee9c99c6730b1a55e666e269374223f7fa278677ee61e5d6b7da20441ce196fb5576fdfc693a6af8d2462eb37e6b65 |
C:\KaVBW3\dobxec.exe
| Algorithm | Value |
| --- | --- |
| MD5 | 313500da59f28a965bf6ca399fb560d9 |
| SHA1 | b26030fa4e63bd01d27b57b3aa11a7d5cd7100e5 |
| SHA256 | d351fa1fb8ba789289aed52c4020c0ca26e1958178480caff086344baed18e21 |
| SHA512 | f6df5ea3cc4f2fc83c929a0ebe2c808b5775c4801c5a3977330193ed6cd8b19188cd60c8bc63eaeab43783874b75d7ab87ace56efbe422e15e0893d69b583a45 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 19:46
Reported
2024-11-09 19:49
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | C:\Users\Admin\AppData\Local\Temp\1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| N/A | N/A | C:\UserDotFD\devdobec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotFD\\devdobec.exe" | C:\Users\Admin\AppData\Local\Temp\1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZVF\\dobaec.exe" | C:\Users\Admin\AppData\Local\Temp\1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotFD\devdobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe
"C:\Users\Admin\AppData\Local\Temp\1181b63507231e2b1c4bbca464cda990d1ec030e2ae15fcd3e0a6df73f57cf7d.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
C:\UserDotFD\devdobec.exe
C:\UserDotFD\devdobec.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
| Algorithm | Value |
| --- | --- |
| MD5 | 65bd24bf44c8770c514f5c0a3d2b6ca4 |
| SHA1 | 58e7449c5edb2bde903d62e8574941cfc877cf18 |
| SHA256 | 2010a9785abcd9890279ea3e8716f947566adc0f1af9fd0e00d25622ee09fa82 |
| SHA512 | 741a720e0b6eb8caad2bd3a04b598fe0093f2c1dec7baaf73f8c09e990b8f2cbc9c3e3a2fd90fd60effa9bc046b6e3e3786fdfb70bb750a764dd43fc1bdf81c1 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Algorithm | Value |
| --- | --- |
| MD5 | 60576ccfc73279113a7b17797fe56f9b |
| SHA1 | 412827d5611b58e2e45aeb3f213889c41cfb8968 |
| SHA256 | 8f536f61bd2981a945787cce75d01966ec36c2e6c30a09c6a8e07978f505cd00 |
| SHA512 | acabb940cd0673c701238b71933cd82665f92516f1d4849bcdd921bc7b20da572b096f735671fe71926cab9f3d7adf98d07562a599c22c13d6d9b5d73be81735 |
C:\UserDotFD\devdobec.exe
| Algorithm | Value |
| --- | --- |
| MD5 | 8b7b8c4f38cfcb14c6d7d9af767744a6 |
| SHA1 | c9608f290f316c122f9214cc1eb982b2090aaef5 |
| SHA256 | 3f093d1c0e403b29a6f8f3b609d3563f7e304dc9895ddc576d4a32d41abbf488 |
| SHA512 | f14da2852e41fd566a97ed99910303115012247f3e0c6b8a7c6803b10a102d5b54a1b86ceffea8318fe86d4e6548c45a6b58d7e64188c5bb8940d072419c9089 |
C:\LabZVF\dobaec.exe
| Algorithm | Value |
| --- | --- |
| MD5 | 49145a78b75a9970005bd5d260fcee00 |
| SHA1 | ce4b444a95de48a53c7ff9bd9910c5a185b16bec |
| SHA256 | ff7379e23a4970913b937004e8da5cdc6a4768bf2dad0d5f5df344b4f1ae73db |
| SHA512 | 0d695b581f18c2000f1d6185e8954ea8257093064fec4259960d045796881bcd0303d891c020ec9b7764897925eb0b323dcf81de86914e7824734200c67b07ce |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Algorithm | Value |
| --- | --- |
| MD5 | 76672c7a2a8e5954bb110a40d3362e23 |
| SHA1 | 405d4a078248f5fe35db2c4a902839c6405361f4 |
| SHA256 | 041a3ed7897d9c8b508e5b4d2013470a7ff791ebcc92cb8874b669af9d029380 |
| SHA512 | 7690af1390ade6e92169501cab5ee7dd3befbac05a0de526437e15ad955d4ca31adb01cc87111c1d307fc6d217c1ec1f2fd39fbf1396daf9204c6ee930a6664a |
C:\LabZVF\dobaec.exe
| Algorithm | Value |
| --- | --- |
| MD5 | 4dcc4da5f3ba5e92b9fa638971bbc513 |
| SHA1 | b4a298d739d70f7dd2209a4040c2d27d8d74c9da |
| SHA256 | 2f26e66611a6f50c141954f8fbc33b9a1f781a5434991aa5a3ea004773c23c8f |
| SHA512 | 646aa93c3806bd723c8262543f5d055e1502094d0b70dac64c6a6e29922746dec17e4237c39cb6038c8a20abdf9cf2039bbf75ff477dd21278d6118e9955a7d5 |