Analysis Overview
SHA256: 6a37b981b49f45d14cdb5176ded05e6f299ab3ad6c38e4dacd5f46c05e8feac6
Threat Level: Shows suspicious behavior
Verdict: the sandbox flagged this file for suspicious behavior rather than matching it to a malware family. The basis is the signature set below: autostart persistence through Run/RunOnce values and the Startup folder, execution of the executables it drops, and a system-language check. No network or family-specific signature fired.
Malicious Activity Summary
Reads user/profile data of web browsers
Loads dropped DLL
Drops startup file
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK (Enterprise Matrix V15)
Mapping of the signatures above: the Run/RunOnce values and the Startup-folder drop correspond to T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder); the NLS\Language key read corresponds to T1614.001 (System Location Discovery: System Language Discovery).
Analysis: static1
Detonation Overview
Reported: 2024-11-11 23:19
Signatures
Unsigned PE (the static pass recorded no indicator, process or target for this signature)
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-11 23:19
Reported: 2024-11-11 23:21
Platform: win10v2004-20241007-en
Max time kernel: 150s
Max time network: 140s
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\6a37b981b49f45d14cdb5176ded05e6f299ab3ad6c38e4dacd5f46c05e8feac6.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\Intelproc8V\devdobec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc8V\\devdobec.exe" | C:\Users\Admin\AppData\Local\Temp\6a37b981b49f45d14cdb5176ded05e6f299ab3ad6c38e4dacd5f46c05e8feac6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid6U\\dobxsys.exe" | C:\Users\Admin\AppData\Local\Temp\6a37b981b49f45d14cdb5176ded05e6f299ab3ad6c38e4dacd5f46c05e8feac6.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6a37b981b49f45d14cdb5176ded05e6f299ab3ad6c38e4dacd5f46c05e8feac6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Intelproc8V\devdobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
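The persistence and discovery rows above (the Run/RunOnce values, the Startup-folder drop, the NLS\Language reads by the sample and by both dropped binaries) are the telemetry a detection engineer would want to score on a real host. The Python below is an added example for this page, not part of the sandbox report or of any vendor tooling. It runs over constructed, Sysmon-shaped events rebuilt from the behavioral2 tables plus two hypothetical benign rows (a Contoso installer and explorer.exe); the rule names, severities, the unusual_root heuristic and the match on the Parametr value name are this example's assumptions. It goes one step beyond the report by correlating the language-key read with persistence, so that the many legitimate readers of that key score low.

```python
"""Hunt for the persistence and discovery behaviour recorded in behavioral2.

Added example for this page, not sandbox output. The events below are
CONSTRUCTED from the report's tables (plus two benign control rows) and are
shaped loosely like Sysmon records: reg_set ~ EID 13, file_create ~ EID 11,
proc_create ~ EID 1. Sysmon does not log key opens, so the report's
"Key opened" rows are modelled as a separate reg_open kind.
"""
import re
from collections import Counter
from dataclasses import dataclass

RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.I)
STARTUP_EXE_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
NLS_LANGUAGE_RE = re.compile(r"\\Control\\NLS\\Language$", re.I)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
REPORT_VALUE_NAME = "Parametr"          # value name used in both detonations
EXPECTED_ROOTS = {"c:\\program files", "c:\\program files (x86)", "c:\\windows"}


def unusual_root(path: str) -> bool:
    """True for a binary in a directory directly under the drive root that is
    not a standard install location (C:/Intelproc8V/devdobec.exe style)."""
    parent = path.strip('"').lower().rpartition("\\")[0]
    return bool(re.fullmatch(r"[a-z]:\\[^\\]+", parent)) and parent not in EXPECTED_ROOTS


@dataclass(frozen=True)
class Finding:
    severity: str   # high / medium / low
    rule: str
    image: str
    detail: str


def hunt(events):
    """First pass: per-event persistence and execution rules. Second pass: the
    NLS\\Language read is escalated only for a process that persisted or was
    planted by one, because reading that key is common benign behaviour."""
    findings, planted = [], set()
    for ev in events:
        kind, image = ev["kind"], ev["image"]
        if kind == "reg_set" and (m := RUN_KEY_RE.search(ev["target"])):
            data = ev["data"].strip('"')
            reasons = []
            if TEMP_DIR_RE.search(image):
                reasons.append("writer runs from %TEMP%")
            if unusual_root(data):
                reasons.append(f"target {data} sits in a non-standard top-level directory")
            if m.group(2) == REPORT_VALUE_NAME:
                reasons.append(f"value name {REPORT_VALUE_NAME!r} matches this report")
            findings.append(Finding("high" if reasons else "low", f"autorun_{m.group(1).lower()}",
                                    image, "; ".join(reasons) or f"{m.group(1)} -> {data}"))
            if reasons:
                planted.update({image.lower(), data.lower()})
        elif kind == "file_create" and STARTUP_EXE_RE.search(ev["target"]):
            findings.append(Finding("high", "startup_folder_exe", image, ev["target"]))
            planted.update({image.lower(), ev["target"].lower()})
        elif kind == "proc_create" and (unusual_root(image) or STARTUP_EXE_RE.search(image)):
            findings.append(Finding("medium", "exec_from_unusual_location", image, ev["cmdline"]))
    for ev in events:
        if ev["kind"] == "reg_open" and NLS_LANGUAGE_RE.search(ev["target"]):
            sev = "medium" if ev["image"].lower() in planted else "low"
            findings.append(Finding(sev, "system_language_discovery", ev["image"], ev["target"]))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 3, 'medium': 5, 'low': 2}."""
    return dict(Counter(f.severity for f in findings))


# Constructed events mirroring the behavioral2 tables (paths verbatim from the report).
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\6a37b981b49f45d14cdb5176ded05e6f299ab3ad6c38e4dacd5f46c05e8feac6.exe")
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
RUN_TARGET = r"C:\Intelproc8V\devdobec.exe"
HKU = r"\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000"
NLS = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"

EVENTS = [
    {"kind": "file_create", "image": SAMPLE, "target": STARTUP},
    {"kind": "reg_set", "image": SAMPLE, "data": RUN_TARGET,
     "target": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr"},
    {"kind": "reg_set", "image": SAMPLE, "data": r"C:\Vid6U\dobxsys.exe",
     "target": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr"},
    {"kind": "proc_create", "image": STARTUP, "cmdline": f'"{STARTUP}"'},
    {"kind": "proc_create", "image": RUN_TARGET, "cmdline": RUN_TARGET},
    {"kind": "reg_open", "image": SAMPLE, "target": NLS},
    {"kind": "reg_open", "image": STARTUP, "target": NLS},
    {"kind": "reg_open", "image": RUN_TARGET, "target": NLS},
    # Constructed benign controls (hypothetical vendor, not from the report).
    {"kind": "reg_set", "image": r"C:\Program Files\Contoso\setup.exe",
     "data": r"C:\Program Files\Contoso\updater.exe",
     "target": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\ContosoUpdater"},
    {"kind": "reg_open", "image": r"C:\Windows\explorer.exe", "target": NLS},
]

if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"{f.severity:6} {f.rule:28} {f.image}  {f.detail}")
    print(summarize(hunt(EVENTS)))
```

On the constructed input the three persistence rows score high, the two dropped-binary launches and the three correlated language-key reads score medium, and the two benign controls score low. The value-name match is deliberately one reason among several: the same sample used different file and directory names on win7, so a rule keyed only on Parametr would be as brittle as one keyed on the dropped-file hashes.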
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\6a37b981b49f45d14cdb5176ded05e6f299ab3ad6c38e4dacd5f46c05e8feac6.exe | "C:\Users\Admin\AppData\Local\Temp\6a37b981b49f45d14cdb5176ded05e6f299ab3ad6c38e4dacd5f46c05e8feac6.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe" |
| C:\Intelproc8V\devdobec.exe | C:\Intelproc8V\devdobec.exe |
Network
All recorded traffic is reverse-DNS (PTR) queries to 8.8.8.8. The report ties none of them to a process and no network signature fired, so nothing here can be attributed to the sample from this report alone.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
Each dropped file is listed once per write, so a path appears twice where the sample rewrote it with different content (253086396416_10.0_Admin.ini and C:\Vid6U\dobxsys.exe each carry two hash sets below). Between the two detonations no dropped-file hash repeats and the file and directory names change (locadob.exe, Intelproc8V and Vid6U here; locxdob.exe, Files20 and LabZ4O on win7), so these hashes are weak hunting indicators. The stable artefacts are the Run/RunOnce value name Parametr and the 253086396416_<version>_Admin.ini path, whose middle token is the Windows version (10.0 here, 6.1 on win7).
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
| MD5 | 5b6b9a24fced95ddf565891b0c1fbe6c |
| SHA1 | cf6cbd00dfd5a9a64473c5defc507b8b8bc9c6ac |
| SHA256 | 6d65922d0e32564195ae9f36d1ec00444290e59eccfa92d6972438eea6fac52d |
| SHA512 | 259827c765950acf6bf79d4ef4081c3d54c2b476cf5f62ece62e40ab139076ef5e1a61302a23e9f40b2e4cfa11235c0cfc1b426b03f8d70ce021696cd6845ff8 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 35a319cc911d78e5712a34f16726f1e3 |
| SHA1 | cad2ee2387b55b009be9242e52573178c3caa952 |
| SHA256 | 5b1dda12a357dbd0086635333d5a25638914c48b755a2aeb2809a03b0844bdd9 |
| SHA512 | 6a065c6ed26fe2b37f4e43af26d21558c5f69ed2743581473757da577303e75e5ed17916541449ce2cd821a378baac7d6dc229a545a5f22d8f69f5399339083a |
C:\Intelproc8V\devdobec.exe
| MD5 | 2afa2025d57712a32da2762389c01587 |
| SHA1 | c18f673af297d7389f3182ee893ec7db169ace41 |
| SHA256 | e503066a8bebf1a4fb659bc1a03b7577a16f6a0480aa6866ccf38c5e458fc0ae |
| SHA512 | 515fc86095c002d16ba518c5bffcc045592bd3a5314ec94b2a8f6d0f93e48ea765e8c27caceb6691973adb3e6a8e810f2b9e3bd49cb53c189109d5b7f1772bb2 |
C:\Vid6U\dobxsys.exe
| MD5 | 6e453626922be3b206056a99bacb151c |
| SHA1 | 676f330c77ae8aa2702dc6f77f70d8dd6b0a4e86 |
| SHA256 | b99f4359b6a26c7595f2d85cb7e5a0e002e2bb490b35ac81c5de0e0108ad5be1 |
| SHA512 | aee39ccc26245bbc39cae91dcf53ea782476ee1b874a4d6e33211375dd664241dd4c266d3a38dd2b07dd7eec039018373c35b7410eaed8d84c564c6ff8236edd |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 49dd37c39f2aaa5ac208238b4b8893e5 |
| SHA1 | 7605aa012aa9cea743af2505404c3ba112cedecd |
| SHA256 | 7900e9867b2bae5f75fa648b2e11d4e903a2b147299421031e077f07fb9c2dc9 |
| SHA512 | 69e553b1c81d015c122947b3f2152600b4d53a7fdecd33aa4017fcc0994ccb44286e51096bb782b810006892b77bfdf10046812328eb4e09d1c3c7dad810509d |
C:\Vid6U\dobxsys.exe
| MD5 | 529ad000a8650f2a7996170d6d78c386 |
| SHA1 | bf156d4f30d3f98347f1a856c257f8007c024d83 |
| SHA256 | c8c51e0886c2f086c5bc3a7a62b25a57ad884b11f27fb489978d54d0ba36aa5d |
| SHA512 | 9f3250d54bef4c8d04d1f970342500b74d248a70099e6af7589081355314567ed24b5f9955fa5d16f4034d576cecdc5b94405e14fc0bd2eebd43c94f6cc402ff |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-11 23:19
Reported: 2024-11-11 23:21
Platform: win7-20240903-en
Max time kernel: 149s
Max time network: 123s
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | C:\Users\Admin\AppData\Local\Temp\6a37b981b49f45d14cdb5176ded05e6f299ab3ad6c38e4dacd5f46c05e8feac6.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| N/A | N/A | C:\Files20\xoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a37b981b49f45d14cdb5176ded05e6f299ab3ad6c38e4dacd5f46c05e8feac6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a37b981b49f45d14cdb5176ded05e6f299ab3ad6c38e4dacd5f46c05e8feac6.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ4O\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\6a37b981b49f45d14cdb5176ded05e6f299ab3ad6c38e4dacd5f46c05e8feac6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files20\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\6a37b981b49f45d14cdb5176ded05e6f299ab3ad6c38e4dacd5f46c05e8feac6.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6a37b981b49f45d14cdb5176ded05e6f299ab3ad6c38e4dacd5f46c05e8feac6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Files20\xoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\6a37b981b49f45d14cdb5176ded05e6f299ab3ad6c38e4dacd5f46c05e8feac6.exe | "C:\Users\Admin\AppData\Local\Temp\6a37b981b49f45d14cdb5176ded05e6f299ab3ad6c38e4dacd5f46c05e8feac6.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe" |
| C:\Files20\xoptiec.exe | C:\Files20\xoptiec.exe |
Network (no connections recorded in this detonation)
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
| MD5 | 45e35563d0b5da95ee2dc90d3cab3977 |
| SHA1 | 48a2e3f77e7f08a755829df4f3472c5fe08c0ae4 |
| SHA256 | dc4b224b74a227e2f47574faae6321e7f776aa73b87a2478bfab53187685676e |
| SHA512 | ed9ba7154ff93c1032cc9eaf23ec4e799babacb44e5037f2ed65eb0a6ca6f1f37a863c5cc7fb4b15153a644c7768fdb8910f16ade3c2f718ec7f9c04e11aa6e0 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 7c8be1cb4a67eb05f0fc4ce24186cd42 |
| SHA1 | 9bffa052d87b4040efd7dcaca9fbf7294ee85431 |
| SHA256 | 6bf3ef3c33de1249b2d841c33172027bff00051cb0beb72e24f69f993e60fc5e |
| SHA512 | 3b50aa48fdb4fe0af3cb64c60a13859618edf0c10a669c47a73e5f1081f6cf749ba9d874e29b1b909673e76a4237fc41df363294f2e13e4a02d5c2ec8039a756 |
C:\Files20\xoptiec.exe
| MD5 | b20f7d4c54036a30e64cb6be641d07eb |
| SHA1 | fda800ba1216c059f35465e06becab8c38943f4a |
| SHA256 | 8e19ae92639cf5099352183254d421319951367cbd9ee389d88f0a83eeae12af |
| SHA512 | 4de1e1d1ffb07d3de603b44bc2cccbaa8ef0ffb3abb593872535bf98425e2379f5d93465a36072fdb9e0d9f93d021361ac947646c93d034cf92ac7f9834ef4ca |
C:\LabZ4O\bodaec.exe
| MD5 | a20764b45de737e2ff7f8c8185ae2884 |
| SHA1 | 9d9567e4ebd6aaa7ca456e7a5f8e983d7e3a8558 |
| SHA256 | ecc8bbc11197e7706faf3d03423e670f3bcc6289d9bf1929f32be90dba395ae5 |
| SHA512 | a101fd43ae6ea56db83e0b9a6a5b3e5cda16eb6529b6a15c4aa74330c2f65f6a5e660eee02d724299e3829191ad320adaf105324143f7f4272f5c525fce5abd0 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 0c91d76b769c1e2800b0bce2bc09d8fa |
| SHA1 | d8e0e36e1524ff137c82776e77b601ef2b24745e |
| SHA256 | 65fde389716745020d7e43291be9f4e05a75cb80aed55b2749c7917a076de0ce |
| SHA512 | 56593151cda26b37ef79395339d552bedee3404225ecfdbdb1a5c37a6a67db3e27810a8ae3e1cc8c83d24381ea8d56b6064ec9a384511530ef1ffacc0456d585 |
C:\LabZ4O\bodaec.exe
| MD5 | a3f83ac2a8bbd00bcea91a44438cc75f |
| SHA1 | e3e824ed6a0267ff6d979f43f0a16f924de9346c |
| SHA256 | f77c70e7a04f94e44d7d6fb48008c1117343f429c731cc77197b8413b64a83e9 |
| SHA512 | 02a5a2303ef3a31ada99d7ff19a9f6c2c033384806ab2b85a9b0fb780924a520c8ca969a6673e2c9266ee54c7fc3f4aa3342fe63183f6584758b735c44b9341a |