Analysis Overview
SHA256
60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1
Threat Level: Shows suspicious behavior
The file 60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1 was classified as: Shows suspicious behavior. The rating rests on the behaviours listed below (a Startup-folder drop, Run and RunOnce autostart entries, execution of the dropped executables, and use of WriteProcessMemory); no family-specific signature matched in either detonation.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 22:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 22:56
Reported
2024-11-11 22:59
Platform
win7-20240903-en
Max time kernel
149s
Max time network
121s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\UserDotBA\xoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBUX\\dobaloc.exe" | C:\Users\Admin\AppData\Local\Temp\60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotBA\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotBA\xoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe | "C:\Users\Admin\AppData\Local\Temp\60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe" |
| C:\UserDotBA\xoptiec.exe | C:\UserDotBA\xoptiec.exe |
Network
Files (a path that appears twice was written with two different contents during the run; each content is hashed separately)
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
| MD5 | 5a3c84e0b6f0584bb1d8feb3a10cc1fe |
| SHA1 | 912f1a245e64d158818dc632483fc761d88437e1 |
| SHA256 | b3d7f9a35a31ac1626cb07bb9a4b023c50fb223332e88c9dc5df19bc0e678dc1 |
| SHA512 | aff087a805b5726f4ecb297a09169c85474bc6ea5caf000a89db9b713400b2a190a323b2d01ec73abc7df6a14519ddc9dd4a8fc3eb18bbc38cd88f55a6bdd3b5 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 768f718d2dc18968b98fee054eebafb6 |
| SHA1 | ef36404826868bf009928cf6685d41f89093ece2 |
| SHA256 | ba0b34b9b6ce221cc1f4d5982c95087ecfec9dce8cbea352975ea4b9a5371f4f |
| SHA512 | 3416c2a9dd0c9caf809a4ba2250bc6502a87f2fde43dbb789a18e3a7a9202de7360dfb229d6ec1111e348d251660fae11ccb2ae7415f6ac5138fa28fb9e0f2d7 |
C:\UserDotBA\xoptiec.exe
| MD5 | c2d362d2959f546278d3b7d897bc6aaf |
| SHA1 | a0ed657faa3ca589791dcf42484ff82da29bae1c |
| SHA256 | 5648f01596445059551a1d2ec14c000fc0bb6fb699f03dd2029ff3b099e70a2a |
| SHA512 | 93da57d160e8c85f5bff99b5faa5d2ae452929a0e2cdd2a0bc7db8facfb51f09bffed2cfcb40204f7afe3d8f036bf39e0d5e4a19f2a70c2bac5b4a764073cf33 |
C:\KaVBUX\dobaloc.exe
| MD5 | 15a24bbbb4b3da458cd9c81afe74a881 |
| SHA1 | 8d4e31ba6298e565e1011e7bf6b1a43b6d7c34bc |
| SHA256 | 2a64f9c9b8b4a6c35f9404de2a12a8e8451f4309ae41880bff7e8633a0e1672b |
| SHA512 | 0e48aa45fccb6f04a24d55852eae74434e19cd39a4dab64d7e824ed3eca0c0ac6a6f813eb8bbcbb09c8d3f61e03d65d67fe8b3d06ad82c583baf956bc28c41c6 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | df93e2d4e1a5becf412d59010b87304b |
| SHA1 | c912f8f3eef09ceb215e730248d3181f25e75d51 |
| SHA256 | 65bb6227efa27f0b97cf4623bec93ca4c58aa647ff945036ca5c292de6358ed7 |
| SHA512 | fdcf83bd0bc73b5935fb4d9a85227a1cdc69ccb13bbcf331f0ddb8e39e72299feb7062ed86680797df57b96026ce2f9201707e6c315ef71c372e80e026ce8b6b |
C:\KaVBUX\dobaloc.exe
| MD5 | 6e48912c750d2a4af218228dfe476e8a |
| SHA1 | 8f0359cb3b03fc05f8d0ae4252aa2f0f938f5489 |
| SHA256 | 6b8e8492afa8a73802220d65a0081445b52649c7adb41c2a83e8b252554e2e40 |
| SHA512 | 94858d91585a291b7d07057ddfab384639fda1d9cd40f60502ac2f6de5e4385ada01e9a1a17288f7fa3c69de4f3c0817e5f1fa0a63251ef7975ea060e3ee05f5 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 22:56
Reported
2024-11-11 22:59
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
146s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\IntelprocDD\adobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocDD\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint6J\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocDD\adobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
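The two detonations drop into different randomly named folders (C:\KaVBUX, C:\UserDotBA, C:\IntelprocDD, C:\Mint6J) with different file hashes, so path and hash IOCs from one run will not match the other; what stays constant is the Run/RunOnce value name "Parametr" and the Startup-folder drop. The script below is an added example (not part of the sandbox output) that parses indicator strings of the form shown in the behavioral1 and behavioral2 tables, normalises them into autostart entries, escalates the ones pointing outside the OS and program trees, and reports value names reused across profiles. The ExampleUpdater line and the TRUSTED_ROOTS allowlist are constructed for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Indicator strings copied from the behavioral1 and behavioral2 signature tables on this
# page, plus one constructed benign Run value (ExampleUpdater) used as a control.
# The sandbox prints Run-key targets with escaped backslashes ("C:\\KaVBUX\\...").
REPORT_INDICATORS = [
    r'\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBUX\\dobaloc.exe"',
    r'\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotBA\\xoptiec.exe"',
    r'\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocDD\\adobloc.exe"',
    r'\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint6J\\bodaloc.exe"',
    r'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe',
    r'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe',
    # Constructed control line (not from the report): a vendor updater in Program Files.
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater = "C:\\Program Files\\ExampleVendor\\updater.exe"',
]

RUN_KEY_RE = re.compile(
    r'^\\REGISTRY\\(?P<hive>USER|MACHINE)\\(?:(?P<sid>S-1-5-[\d-]+)\\)?'
    r'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\(?P<mechanism>RunOnce|Run)\\'
    r'(?P<value_name>[^=]+?) = "(?P<target>.*)"$',
    re.IGNORECASE,
)
STARTUP_RE = re.compile(
    r'^(?P<profile>[A-Z]:\\Users\\[^\\]+\\AppData\\Roaming|[A-Z]:\\ProgramData)'
    r'\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\(?P<file>[^\\]+)$',
    re.IGNORECASE,
)
# Ranking heuristic only (assumed allowlist): an autostart that points outside the OS
# and program trees, such as a freshly created root-level folder like C:\KaVBUX, is
# escalated; an entry inside those trees is not automatically benign.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


@dataclass(frozen=True)
class Autostart:
    mechanism: str     # "Run", "RunOnce" or "StartupFolder"
    value_name: str    # registry value name, or the dropped file name
    target: str        # what gets launched at logon
    scope: str         # user SID, "MACHINE", or the profile owning the Startup folder
    suspicious: bool


def suspicious_target(path: str) -> bool:
    return not path.lower().startswith(TRUSTED_ROOTS)


def parse_indicator(line: str) -> Optional[Autostart]:
    m = RUN_KEY_RE.match(line)
    if m:
        target = m.group("target").replace("\\\\", "\\")   # undo the report's escaping
        scope = m.group("sid") or m.group("hive").upper()
        return Autostart(m.group("mechanism"), m.group("value_name"), target,
                         scope, suspicious_target(target))
    m = STARTUP_RE.match(line)
    if m:
        # Anything written to a Startup folder runs at logon; always worth a look.
        return Autostart("StartupFolder", m.group("file"), line, m.group("profile"), True)
    return None


def triage(lines):
    entries = [e for e in map(parse_indicator, lines) if e is not None]
    scopes_by_name = defaultdict(set)
    for e in entries:
        if e.mechanism != "StartupFolder":
            scopes_by_name[e.value_name].add(e.scope)
    # A value name reused across different profiles (here: both detonations) is a
    # stable hunting key even though every dropped path and hash differs per run.
    shared = {name for name, scopes in scopes_by_name.items() if len(scopes) > 1}
    return {
        "escalate": [e for e in entries if e.suspicious],
        "ignore": [e for e in entries if not e.suspicious],
        "shared_value_names": shared,
    }


if __name__ == "__main__":
    result = triage(REPORT_INDICATORS)
    for e in result["escalate"]:
        print(f"ESCALATE {e.mechanism:<13} {e.value_name:<14} -> {e.target}")
    print("value names seen in more than one profile:", sorted(result["shared_value_names"]))
```

Run against the seven lines above, it escalates the four Run/RunOnce entries and both Startup-folder drops, ignores the constructed Program Files control, and reports "Parametr" as the value name shared by both user SIDs. On a live host the same logic applies to the output of a registry autoruns export; the allowlist should be tightened to the organisation's own software inventory.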
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe | "C:\Users\Admin\AppData\Local\Temp\60819512252861e5237bc6274e275eae2f1060ef95082ae524734082a71654f1.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe" |
| C:\IntelprocDD\adobloc.exe | C:\IntelprocDD\adobloc.exe |
Network (DNS only: every recorded flow is a reverse PTR query sent to 8.8.8.8:53)
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
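The table records only the query names, and in-addr.arpa names carry the looked-up address with its octets reversed, so the addresses the guest was trying to name are not visible at a glance. The script below is an added example (not part of the sandbox output) that decodes the nine PTR names from the table back to IPv4 addresses, also handles ip6.arpa names, and separates routable addresses from private or documentation ranges; the two CONSTRUCTED_PTR_QUERIES entries are made up to exercise those branches. Two caveats: a PTR query shows only that something on the guest asked "who is this address", not that the sample connected to it, and the Windows 10 image performs such lookups on its own while the win7 run above recorded no network activity at all, so these addresses are leads to corroborate, not C2 indicators.

```python
import ipaddress
from typing import List, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Query names copied from the behavioral2 Network table (all were sent to 8.8.8.8:53).
REPORT_PTR_QUERIES = [
    "28.118.140.52.in-addr.arpa",
    "172.210.232.199.in-addr.arpa",
    "134.32.126.40.in-addr.arpa",
    "95.221.229.192.in-addr.arpa",
    "149.220.183.52.in-addr.arpa",
    "197.87.175.4.in-addr.arpa",
    "241.42.69.40.in-addr.arpa",
    "0.205.248.87.in-addr.arpa",
    "21.236.111.52.in-addr.arpa",
]
# Constructed names, not in the report: an RFC 1918 address and an ip6.arpa name.
CONSTRUCTED_PTR_QUERIES = [
    "1.0.168.192.in-addr.arpa",                                                   # 192.168.0.1
    "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa",   # 2001:db8::1
]


def ptr_name_to_ip(name: str) -> Optional[IPAddress]:
    """Recover the address behind a reverse-lookup name.

    in-addr.arpa carries the four IPv4 octets reversed; ip6.arpa carries the 32
    IPv6 nibbles reversed. Anything else, or a malformed octet/nibble, yields None.
    """
    labels = name.rstrip(".").lower().split(".")
    try:
        if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
            return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
        if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
            nibbles = "".join(reversed(labels[:32]))
            return ipaddress.IPv6Address(":".join(nibbles[i:i + 4] for i in range(0, 32, 4)))
    except ValueError:      # e.g. an octet above 255 or a non-hex nibble
        return None
    return None


def resolved_addresses(queries: List[str]) -> List[IPAddress]:
    """Unique decoded addresses in first-seen order; non-PTR names are skipped."""
    seen: List[IPAddress] = []
    for q in queries:
        ip = ptr_name_to_ip(q)
        if ip is not None and ip not in seen:
            seen.append(ip)
    return seen


def split_by_scope(addresses: List[IPAddress]):
    """Routable addresses are candidate leads; private, loopback and documentation
    ranges (which ipaddress reports as not global) are dropped from the lead list."""
    public = [a for a in addresses if a.is_global]
    internal = [a for a in addresses if not a.is_global]
    return public, internal


if __name__ == "__main__":
    public, internal = split_by_scope(resolved_addresses(REPORT_PTR_QUERIES + CONSTRUCTED_PTR_QUERIES))
    print("leads to corroborate:", ", ".join(map(str, public)))
    print("ignored (not routable):", ", ".join(map(str, internal)))
```

The decoded addresses should be checked against the guest's own baseline traffic (a detonation of a known-benign file on the same win10v2004-20241007-en image) before any of them is added to a blocklist.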
Files (a path that appears twice was written with two different contents during the run; each content is hashed separately)
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
| MD5 | 77f7f1198b96b71df5200a3f564a7435 |
| SHA1 | 65695c0ab25a4022d9edc6194f3deee92d272ef4 |
| SHA256 | 41e4f47ac0a499d9d560e56f11204e09f873afa695da1990d53037cf246f5f7c |
| SHA512 | 4563de6460fd2cc052a398bbdfd6d2adb510aee6979a0f5f4e84d163f4959e4c17379c557f397031804e725aa33e447832abc3fb8082a3bde7237932dbef07b1 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 404a763f5454dffc34c87c5843c6e2b4 |
| SHA1 | f7b5715aa668122315019bfc34c0405ae0e03f68 |
| SHA256 | 905def7c98c67f454c831ece74e600c9c7c869474b5113da0a05a1aed63ccd3e |
| SHA512 | a597ef4cd67a2357b416ec2649b58489959372d45e433f5e79ff8ffb27f945619b2a3c78d7e2b4d2071e5602458b66d84a98affd40971d1f4af71172aa92c997 |
C:\IntelprocDD\adobloc.exe
| MD5 | 6e2e2ae06d4965f9ae7e4f6d61d39785 |
| SHA1 | 5557808b1ec9f94485115a5bd5dea041c85fb346 |
| SHA256 | cba157ad63dfb08c88245c7791db8dd4c670fa782d3849d6fc2ffc54a51c84e8 |
| SHA512 | 43e32faf52b264423328f9802f2ed336d8e45b30e676305ff0eda27e4dcecdacfa8d0ffbb7edef908078fb297a0787d5ac8155f7ae4012aa66c1dfa387371234 |
C:\IntelprocDD\adobloc.exe
| MD5 | ffff156d86136d0d3aff1fd02be3a5da |
| SHA1 | 1783a766011fce713e23aba621d5598e748baf23 |
| SHA256 | 30fd6b54df04d58c3027f09e512686972e9530a14b176c37e65450f8f5850abd |
| SHA512 | d88a6885910bd2e6236678462d6dc0340de32fd2c9dfd7f84bcc75f734659354cb8f738bc6651f7134d22db189dc6c5be3eda906f97df1f82a50b2d1defc0fb5 |
C:\Mint6J\bodaloc.exe
| MD5 | d5502f1df8d13b8b0e87be198f8085a9 |
| SHA1 | 2b96cedf210867a0077934dc884d375f5f293d5e |
| SHA256 | 2c226d4283aba2a14323a347774b1048b57f570f6a3b8d8772a3024ee25b26c4 |
| SHA512 | 666e660aecdb6d50d2b66a299696fe2275bdb965d601ac88a1f86200b00849461879df1c35a1ae3e63e7340c9da40480f7d0e1187cb3081d2f956369cf9ba1bc |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 6fa69b52149d1b706645cda60606ba9e |
| SHA1 | a0049173fe2add3d31985a0b5d4061845a415d0d |
| SHA256 | 8c6dcc1a7a792189f5b0673a16c7bebbbbee54e30fb5c69ab6adb7db5afe6784 |
| SHA512 | 4196d3820984f9ec1a2a632908801b81f2ec2b16acb4194f51bac965ab048b1a40813afa20dee21cd30d72d267686a72a916f1d165fede41e84df9d798dc48fe |
C:\Mint6J\bodaloc.exe
| MD5 | be6bde58cb6cf4840bf2f369216e6ca8 |
| SHA1 | bebe32f42ee735ab61615b73aeafc8ee34bd033b |
| SHA256 | 3ad7f6033f2b1db728c3a4b5c97696b4937d8a8e6f48b2fc59fe0fe3b42b1125 |
| SHA512 | 2cac71141edb08665138751ac2e4c07afb181573db67b4fb52e2fcff3eb94639225e88eec03aefeddd29debf271a301297f474744cb4daf8107395735533d1ba |