Analysis Overview
SHA256: 5176155f86655f989e23071d0faf656ee8d09890c0b52771cfff45dc93053a85
Threat Level: Shows suspicious behavior
The file dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-11 22:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-11 22:57
Reported: 2024-11-11 22:59
Platform: win7-20240903-en
Max time kernel: 120s
Max time network: 122s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\UserDotMD\xbodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotMD\\xbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid0V\\optixloc.exe" | C:\Users\Admin\AppData\Local\Temp\dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotMD\xbodsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe | "C:\Users\Admin\AppData\Local\Temp\dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe" |
| C:\UserDotMD\xbodsys.exe | C:\UserDotMD\xbodsys.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\UserDotMD\xbodsys.exe
C:\Vid0V\optixloc.exe
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-11 22:57
Reported: 2024-11-11 22:59
Platform: win10v2004-20241007-en
Max time kernel: 118s
Max time network: 95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | C:\Users\Admin\AppData\Local\Temp\dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| N/A | N/A | C:\UserDotCO\abodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotCO\\abodloc.exe" | C:\Users\Admin\AppData\Local\Temp\dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidK3\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotCO\abodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe | "C:\Users\Admin\AppData\Local\Temp\dc0906ecbb0bb97cb0ae3773f0c1a071f892f0939047136385f295ab4fac03f9N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe" |
| C:\UserDotCO\abodloc.exe | C:\UserDotCO\abodloc.exe |
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\UserDotCO\abodloc.exe
C:\VidK3\bodaec.exe