Analysis Overview
SHA256
a557cd5ac46c6d148cec24ad6e222ac96353e52070fd61dbe991d4ec8c307890
Threat Level: Suspicious (no malware family assigned)
The file a557cd5ac46c6d148cec24ad6e222ac96353e52070fd61dbe991d4ec8c307890 was not matched to a known family, but it shows suspicious behavior: it drops and executes unsigned executables, persists through the user's Startup folder and HKCU Run/RunOnce keys, reads web-browser profile data, enumerates processes and calls WriteProcessMemory.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Drops startup file
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (Drops startup file; Adds Run key to start application)
T1614.001 System Location Discovery: System Language Discovery
T1555.003 Credentials from Password Stores: Credentials from Web Browsers (Reads user/profile data of web browsers)
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:19
Reported
2024-11-10 01:21
Platform
win7-20240708-en
Max time kernel
149s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | C:\Users\Admin\AppData\Local\Temp\a557cd5ac46c6d148cec24ad6e222ac96353e52070fd61dbe991d4ec8c307890.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| N/A | N/A | C:\IntelprocET\xdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a557cd5ac46c6d148cec24ad6e222ac96353e52070fd61dbe991d4ec8c307890.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a557cd5ac46c6d148cec24ad6e222ac96353e52070fd61dbe991d4ec8c307890.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocET\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\a557cd5ac46c6d148cec24ad6e222ac96353e52070fd61dbe991d4ec8c307890.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid0V\\dobxec.exe" | C:\Users\Admin\AppData\Local\Temp\a557cd5ac46c6d148cec24ad6e222ac96353e52070fd61dbe991d4ec8c307890.exe | N/A |
System Location Discovery: System Language Discovery
All three executables (the original sample, the Startup-folder copy and the copy in C:\IntelprocET) open HKLM\SYSTEM\ControlSet001\Control\NLS\Language, which holds the system's default and install language IDs. Malware commonly reads this to skip execution in particular locales, but the report records only the key open, not what is done with the value.
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a557cd5ac46c6d148cec24ad6e222ac96353e52070fd61dbe991d4ec8c307890.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocET\xdobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
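The two persistence signatures above (an executable dropped into the user's Startup folder, and HKCU Run and RunOnce values both named Parametr pointing at executables in newly created root-level directories) are what an endpoint detection would key on. The following Python is an added example, not sandbox output: it evaluates Sysmon-style file-create and registry-set events and flags the three behaviours seen in this run, with two constructed benign events to show what it does not flag. The field names EventType, Image, TargetFilename, TargetObject and Details are assumptions modelled on Sysmon Event IDs 11 and 13, and the sample events are constructed here from the behavioral1 indicators, not captured from the sandbox.

```python
"""Flag Startup-folder drops and HKCU Run/RunOnce persistence in Sysmon-style events.

Added example for this report, not sandbox output. Event field names are assumptions
modelled on Sysmon Event ID 11 (FileCreate) and 13 (RegistrySetValue)."""
import re
from dataclasses import dataclass

STARTUP_RE = re.compile(
    r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\",
    re.I,
)
RUNKEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.I
)
# Autorun targets under these roots are treated as expected; anything else is flagged.
TRUSTED_ROOTS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")
# A writer running from a user-writable staging directory raises the severity.
STAGING_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Downloads\\", re.I)


@dataclass
class Finding:
    rule: str
    process: str
    detail: str


def _autorun_target(value_data: str) -> str:
    """Return the executable path from registry value data.

    The report shows the data quoted with doubled backslashes ("C:\\\\Dir\\\\x.exe");
    normalise that and drop any trailing arguments."""
    path = value_data.strip().replace("\\\\", "\\").lstrip('"')
    m = re.match(r"(.*?\.exe)", path, re.I)
    return m.group(1) if m else path.rstrip('"')


def evaluate(events):
    findings = []
    autoruns = {}  # value name -> set of hives it was written under
    for ev in events:
        proc = ev["Image"]
        if ev["EventType"] == "FileCreate":
            target = ev["TargetFilename"]
            if STARTUP_RE.match(target) and target.lower().endswith(".exe"):
                sev = "high" if STAGING_RE.search(proc) else "medium"
                findings.append(Finding(f"startup_folder_exe:{sev}", proc, target))
        elif ev["EventType"] == "RegistrySetValue":
            m = RUNKEY_RE.search(ev["TargetObject"])
            if not m:
                continue
            hive, name = m.group(1), m.group(2)
            exe = _autorun_target(ev["Details"])
            if not exe.lower().startswith(TRUSTED_ROOTS):
                findings.append(Finding("autorun_untrusted_path", proc, f"{hive}\\{name} -> {exe}"))
            autoruns.setdefault(name.lower(), set()).add(hive.lower())
    # The same value name under both Run and RunOnce is the pattern seen in this report.
    for name, hives in autoruns.items():
        if {"run", "runonce"} <= hives:
            findings.append(Finding("run_and_runonce_same_name", "-", name))
    return findings


# Constructed events mirroring the behavioral1 indicators, plus two benign controls.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\a557cd5ac46c6d148cec24ad6e222ac96353e52070fd61dbe991d4ec8c307890.exe"
SID = "S-1-5-21-3551809350-4263495960-1443967649-1000"
SAMPLE_EVENTS = [
    {"EventType": "FileCreate", "Image": DROPPER,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"},
    {"EventType": "RegistrySetValue", "Image": DROPPER,
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "Details": r'"C:\\IntelprocET\\xdobsys.exe"'},
    {"EventType": "RegistrySetValue", "Image": DROPPER,
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "Details": r'"C:\\Vid0V\\dobxec.exe"'},
    # Benign: an installer registering a Program Files tray application.
    {"EventType": "RegistrySetValue", "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r'"C:\Program Files\Vendor\tray.exe" /minimized'},
    # Benign: a shortcut, not an executable, placed in the Startup folder.
    {"EventType": "FileCreate", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notes.lnk"},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f.rule:28} {f.detail}  [{f.process}]")
```

The trusted-root list is deliberately coarse: a real deployment would replace it with signer or hash allow-listing, since C:\Windows\Temp is also user-writable.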
Processes
C:\Users\Admin\AppData\Local\Temp\a557cd5ac46c6d148cec24ad6e222ac96353e52070fd61dbe991d4ec8c307890.exe
"C:\Users\Admin\AppData\Local\Temp\a557cd5ac46c6d148cec24ad6e222ac96353e52070fd61dbe991d4ec8c307890.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
C:\IntelprocET\xdobsys.exe
C:\IntelprocET\xdobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
| MD5 | 4545f26df325bb8bc5b1b3dc8286fc81 |
| SHA1 | c62481ce316d2e27b1a346840a045de984dff0b6 |
| SHA256 | 8e89c3c8efbc2e712a7c7c83f6c362be3587af5554d75cefb205d77f9b1e62da |
| SHA512 | 2d1da95806191716381e68216b50acedd12c50537211528c465bb482dc2bc5afe53c21973f21c823afd05140aaf4f9c7b66e01905eb4f0a24cd04d0e2bedc71b |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | f91b2dca6439425c2cbc210698b9c449 |
| SHA1 | e3877ec3a070b4dd248b49dbd05af3f3a2e09016 |
| SHA256 | a3b57dff8a8be34716fecd03099d8af0eb3cb68ff07a414fd8fdce502a75abce |
| SHA512 | 2af1deba4116333443e2575428dd001dfefde2e80d53f3918cacf4f319e321b91f612a3ad0f13a1906459f0603997f21e203beefe8ab79e4b6e778269cbf7e5c |
C:\IntelprocET\xdobsys.exe
| MD5 | 2bacd911df1a49635b46abba710bd824 |
| SHA1 | c5ac80d3b9f4766c6be1c17be84ecd1a3c3a0093 |
| SHA256 | ae70897c515d5f59fac6a0f3b2b20537f770dc7e528280579628acb84104d9a3 |
| SHA512 | 67341b1fa6a40236b79097bd7a7aa16effd27ca775dd21cbb11143f7fec7e12aa2d1182ee988278641bdf949a88728c30264939922f00db01f0e5445e2c84311 |
C:\Vid0V\dobxec.exe
| MD5 | 7365bb9acb86142af5e636feb89c014a |
| SHA1 | eee0acc99d329cd9d231ec63b9ac6c47287dfe3a |
| SHA256 | 830841886b0efcb5ff451cfea0465677017cd21b2733b0599ca73c2769c0a202 |
| SHA512 | 839e146b0ae091159e80e4c8ac49dacca1a58f0f053bc38958058541c22341d280ba6f7dd39251514f1ad1ad0be2c566c3784c7d89130793b4f493bb2952dfb6 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | e75f2b5c4bbf0ec2dc65177cbd0e7591 |
| SHA1 | 539533ad6606ec281eb7ae2a1ed7409d05fcb668 |
| SHA256 | 2eaa548b8599e7b31f6d6ac22f3907df3aa681142cb2e96a21dcf257e9488f3c |
| SHA512 | 13491af895687aa18be519a9ac004bc0ab842879d295c5221beaf05f4fc9eead531c555e517dd7dcc955098793678b3d8dac130bd0a61750624caca9fcdccd97 |
C:\Vid0V\dobxec.exe
| MD5 | b6a3be42755c871ed4a546b6cfb8e5e8 |
| SHA1 | 45db3ee8541418f154843d4a791071b3c3c65177 |
| SHA256 | 1b3fa51ede60d19459b442b532eb4b1d11097bb17170bf5ee14f3ea9b861a657 |
| SHA512 | a8da5f15c36d992cfc7ca775a317e0993eb466cea69d4ada5e081faf4966bd49fffeba4f7da600f3f85df157c088f8a8667bf63290d81e9aec5b08b27cd1e42e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 01:19
Reported
2024-11-10 01:21
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
132s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | C:\Users\Admin\AppData\Local\Temp\a557cd5ac46c6d148cec24ad6e222ac96353e52070fd61dbe991d4ec8c307890.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| N/A | N/A | C:\IntelprocI2\devbodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocI2\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\a557cd5ac46c6d148cec24ad6e222ac96353e52070fd61dbe991d4ec8c307890.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB45\\optiaec.exe" | C:\Users\Admin\AppData\Local\Temp\a557cd5ac46c6d148cec24ad6e222ac96353e52070fd61dbe991d4ec8c307890.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocI2\devbodec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a557cd5ac46c6d148cec24ad6e222ac96353e52070fd61dbe991d4ec8c307890.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a557cd5ac46c6d148cec24ad6e222ac96353e52070fd61dbe991d4ec8c307890.exe
"C:\Users\Admin\AppData\Local\Temp\a557cd5ac46c6d148cec24ad6e222ac96353e52070fd61dbe991d4ec8c307890.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
C:\IntelprocI2\devbodec.exe
C:\IntelprocI2\devbodec.exe
Network
Only DNS was captured in this run: nine reverse (PTR) queries to 8.8.8.8 over UDP/53. No connection to any resolved address, and no forward lookup, appears in the table.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
| MD5 | 51711671764bc1db3aee57c437d3a781 |
| SHA1 | 454da0fe0073504a43d7c3d77399a4c6834d90a3 |
| SHA256 | dda6fdcff90b22c0ea4c89db3daceaa908f12b23480896c6fa26f2b5ac3cceb4 |
| SHA512 | f460caf8e75c7ff05d0619578f9400c1ae43243b4283ebba09ea9ff64bc048e7a61dca4020e1de138895d6576aea17fd64ec56e9321b5c2471f4dd887e5ee6b9 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 1061add7fa4a961c4f15c503cf927e83 |
| SHA1 | c673d110e4f324aa8bac4282835b3484d2043bd2 |
| SHA256 | 3fb5cb85f3c49df444d7da8e0aac9a698bd09aa71c0f999c6c3f2aaafd5aac07 |
| SHA512 | ccf3e18bcd71a6a44844303e1df57ef9b9e4fc9667e8ff0553c5f07511cd31c1d0ee1cc7727eae5d653e8a5689f21e3bd511e572d9325dc11ef083197c65403c |
C:\IntelprocI2\devbodec.exe
| MD5 | 7881f7b78a318fa8511dd4bf5af06cf2 |
| SHA1 | 6426478f139a959aae92d4b3b17be37c8617aa4d |
| SHA256 | 4d2109f75d1ab1ec6bf791c9e84533c6e8319c89d1d61ed9f45d09094eb7b8a3 |
| SHA512 | 1ea19ae343a92e9c605a43cd97b26c3e00a0ddf3cf0adcbc3c12009973e6c4a7f3616440788ec91dca7504208e9c385122458df85e3d6448a00f14dee7a6de44 |
C:\KaVB45\optiaec.exe
| MD5 | 0cd612c6dac88cdcfeed4d16d02e91f5 |
| SHA1 | 6635f247dc8698051428af8f17e266bebf9a93be |
| SHA256 | 0ad3c3f909294d3dbc80aa4e713ab35ff0a31c6ddbf83a77f44c06d3e9a51467 |
| SHA512 | a7ee43d5001aebbed1b570030ec6c6a86195d628abb7f68856d568554796406a22fef47ccba19630817ed76e45af54ab5ac76fb2894c74273925bf9f7bdbebdb |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | fbeb177b9ad7e8253c5c0991fb78b90e |
| SHA1 | 678464792e954828a82bc3d1c8dd4972a78180b2 |
| SHA256 | 7a6802ef9c599f5734a51d03bd3f27a1d458f9b5373f800930ae63d0ccd15873 |
| SHA512 | 4ce911743c2336077bc88c91b77b21d80088246c2fdd7ac09afe4bf6e9a4ab5afa713e5526203712432f82d0670a2b68c4183a153a9479801c741fc7a1399f80 |
C:\KaVB45\optiaec.exe
| MD5 | f1bd19beb5b738bf08bf84fdd0448b3a |
| SHA1 | 59c3ae42104bba7dd3775e896ecc71986e5e7827 |
| SHA256 | b53c6195ef84564ee9b88106e29b867987b60901df81115200f2b54a33186512 |
| SHA512 | d5decd97abc1cfd936e7862294b87ffb46a34acfa6e73cba463b2f2503bbe5f44499cba03ce9f8cfb31bf036c8cb26afe03aac9933697d7695d01b82feb7cbe7 |
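Both Files sections (behavioral1 and behavioral2) list some paths twice with different digests, which means the sample rewrote those files during the run, and the behavioral2 Network table records only reverse (PTR) lookups. Note also that the .ini file name embeds the Windows version (6.1 on the Win7 run, 10.0 on the Win10 run) and the user name, and that the drop directories (IntelprocET and Vid0V versus IntelprocI2 and KaVB45) differ between the two runs, so path-based IOCs from either run will not transfer to another host. The following Python is an added example, not part of the report: it parses an excerpt of the behavioral2 tables above (copied from the page, shortened to the MD5 and SHA256 rows) into per-path hash versions, reports which paths were rewritten, deduplicates SHA256 values for blocklisting, and decodes in-addr.arpa names back to the IPv4 addresses that were looked up. The table-layout rules are assumptions about this page's plain-text format.

```python
"""Parse the Files and Network tables of this sandbox report into usable IOCs.

Added example, not part of the report. REPORT_EXCERPT is copied from the behavioral2
section (shortened to MD5 and SHA256 rows); the layout rules are assumptions about the
page's plain-text table format."""
import ipaddress
import re
from collections import defaultdict

REPORT_EXCERPT = r"""Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
| MD5 | 51711671764bc1db3aee57c437d3a781 |
| SHA256 | dda6fdcff90b22c0ea4c89db3daceaa908f12b23480896c6fa26f2b5ac3cceb4 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 1061add7fa4a961c4f15c503cf927e83 |
| SHA256 | 3fb5cb85f3c49df444d7da8e0aac9a698bd09aa71c0f999c6c3f2aaafd5aac07 |
C:\KaVB45\optiaec.exe
| MD5 | 0cd612c6dac88cdcfeed4d16d02e91f5 |
| SHA256 | 0ad3c3f909294d3dbc80aa4e713ab35ff0a31c6ddbf83a77f44c06d3e9a51467 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | fbeb177b9ad7e8253c5c0991fb78b90e |
| SHA256 | 7a6802ef9c599f5734a51d03bd3f27a1d458f9b5373f800930ae63d0ccd15873 |
C:\KaVB45\optiaec.exe
| MD5 | f1bd19beb5b738bf08bf84fdd0448b3a |
| SHA256 | b53c6195ef84564ee9b88106e29b867987b60901df81115200f2b54a33186512 |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$", re.I)
NET_ROW = re.compile(r"^\|\s*(\w+)\s*\|\s*([\d.]+):(\d+)\s*\|\s*(\S+)\s*\|\s*(\w+)\s*\|$")
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def ptr_to_ip(name):
    """'232.168.11.51.in-addr.arpa' -> IPv4Address('51.11.168.232'); None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    return ipaddress.ip_address(".".join(reversed(octets)))


def parse_report(text):
    """Return (files, dns): files maps path -> list of {alg: digest} per written version."""
    files = defaultdict(list)
    dns = []
    section = current = None
    for line in text.splitlines():
        line = line.strip()
        if line in ("Network", "Files"):
            section, current = line, None
            continue
        if section == "Network":
            m = NET_ROW.match(line)
            if m:
                dns.append({"resolver": m.group(2), "port": int(m.group(3)),
                            "query": m.group(4), "ip": ptr_to_ip(m.group(4)), "proto": m.group(5)})
        elif section == "Files":
            m = HASH_ROW.match(line)
            if m and current is not None:
                alg, digest = m.group(1).lower(), m.group(2).lower()
                if len(digest) != HASH_LEN[alg]:  # catch truncated or mis-copied digests
                    raise ValueError(f"{alg} digest of wrong length for {current}: {digest}")
                files[current][-1][alg] = digest
            elif line and not line.startswith("|"):
                current = line          # a path line starts a new written version
                files[current].append({})
    return files, dns


def rewritten_paths(files):
    """Paths written more than once with different content (distinct SHA256 values)."""
    out = {}
    for path, versions in files.items():
        digests = [v["sha256"] for v in versions if "sha256" in v]
        if len(set(digests)) > 1:
            out[path] = digests
    return out


def unique_hashes(files, alg="sha256"):
    """Deduplicated digests of the given algorithm across every path and version."""
    return sorted({v[alg] for versions in files.values() for v in versions if alg in v})


if __name__ == "__main__":
    files, dns = parse_report(REPORT_EXCERPT)
    for path, digests in rewritten_paths(files).items():
        print(f"rewritten: {path} -> {len(digests)} versions")
    print(f"{len(unique_hashes(files))} distinct SHA256 values")
    for d in dns:
        print(f"PTR {d['query']} = {d['ip']} via {d['resolver']}:{d['port']}/{d['proto']}")
```

The per-version list is what makes the rewrite visible; a dict keyed on path alone would silently keep only the last digest and lose half of the blocklist.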