Analysis Overview
SHA256
6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c
Threat Level: Shows suspicious behavior
The file 6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Drops startup file
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 23:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 23:24
Reported
2024-11-11 23:27
Platform
win7-20240903-en
Max time kernel
149s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | C:\Users\Admin\AppData\Local\Temp\6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| N/A | N/A | C:\UserDotJE\xoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotJE\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintIM\\dobxsys.exe" | C:\Users\Admin\AppData\Local\Temp\6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotJE\xoptiec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe
"C:\Users\Admin\AppData\Local\Temp\6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
C:\UserDotJE\xoptiec.exe
C:\UserDotJE\xoptiec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
| MD5 | 346a8d4aee7236db8c62875889aa54ab |
| SHA1 | e93bcf3bc2a956094568443649382f83c4c82044 |
| SHA256 | 8e62d6114c433f3c778a11a8c527142b664a1165887af03573fd37600710cca4 |
| SHA512 | f6034598ed031c92d72648eab6de3941070da5fd189c8b70590b5f89c29bb2f59d6e34ac3e7d1167135069f1a774d2888dd666b09080d68bef6f5a989f5d5929 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 80ccbf0c472ef7fdc919cb456b91923a |
| SHA1 | 4535910f03ab2ba6761966c025c97a7083d282aa |
| SHA256 | 1444215d6fb11b55d8f7cf248b19e578cd2cb727c805def619894c8bab56917b |
| SHA512 | 33b61c84fd7cfad0d3558a803f24ab93c970e106ed9a954045cac376978f61fb8eb7757ad7c380f3e38043848477e0787b0d686477bbc668286bf12890e69e8d |
C:\UserDotJE\xoptiec.exe
| MD5 | cd16fa8c4b01b0d485a48af1ac1aadfc |
| SHA1 | a3a22135b12eb98aeb06092748c58f6ccf27ae47 |
| SHA256 | 0708d04e6393144f128fa2e9fbde4148cc53a7a5030313b697cbbe3552e06dbc |
| SHA512 | 685b4b8b1099e99749cd20e4300f87921d0fdfbf313ca2c338a7918175da520cf93550ae39bab5f5cf78905165aee94a3d9f0099018451fcd74babd2132e56b8 |
C:\MintIM\dobxsys.exe
| MD5 | f020dc7e2095dc5658ba4564883c1453 |
| SHA1 | a06d9dabff25e6d44c78664670c1f8b3163d146f |
| SHA256 | 5b30be4646a2b9f6f81aa36c7dfe3661be2f3961b7e9ed39bfcc0231bc3a04f6 |
| SHA512 | bb09e4fcf3967ed0e6ff2df77243d949fc558154c693ed63df4c715fabdbdd62b08c3e841512b1be9cf0c192ece3ce079d1d29abe0df39315fd38aa8eef33df1 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 356c66ed7173adc9ebf03dd0d2bcc61e |
| SHA1 | 292f34aff19a8064652e1d720464ff55c0957a72 |
| SHA256 | cb0cf04ef9fdacb5097b3787cf23256b0581e172c93c22738d65cb7a77ef230d |
| SHA512 | c713d633ea137a81cde284b01fc6b6481eed5215c0e2ffbedbaa5e2756e5b5c563300816dc2cafd729537a33c62a79c36591beff5b8c05c5b2490e638461ead6 |
C:\MintIM\dobxsys.exe
| MD5 | 1a6aec8827946280048956765844777e |
| SHA1 | 8ce362d25645660f5be624b470247e130e31ce26 |
| SHA256 | 7ea08cd36ddb4e7deeba31aa66ad86c2217468d6eb8d26ff853621c308697c52 |
| SHA512 | 3cf8169b452c3fa31057204296e23cbe21792f92c47e2773969f0681fedcef2ce2930bdd631542aeab5036760842b5183eb4b0126c5699796b09c5e3b7e614c9 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 23:24
Reported
2024-11-11 23:27
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | C:\Users\Admin\AppData\Local\Temp\6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| N/A | N/A | C:\AdobeBV\devbodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeBV\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZV1\\dobxsys.exe" | C:\Users\Admin\AppData\Local\Temp\6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeBV\devbodec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe
"C:\Users\Admin\AppData\Local\Temp\6d18f9542b95443aaf38e27bf9127471e0f0a0e37140ac58c967231aedb62c4c.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
C:\AdobeBV\devbodec.exe
C:\AdobeBV\devbodec.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
| MD5 | 8039c061ccf4b71cbb4483534236ff11 |
| SHA1 | c4af1ef91835ae3d56f917f9897ad8e20e17d184 |
| SHA256 | 2109ec743ccf74e4d98b41fb9578eea8c7cd6166af779559345f97c981a14163 |
| SHA512 | fdfa76fa794b6e2c6977c06fa48465a380718acb360b63ee9a2bae61a1b686b59226fb7b88037f3a17037694a7ae7b07fd52dd6dfd807543df55a6e92fd448e3 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | dcbe537276dd167a9057b36acb948a79 |
| SHA1 | 3500929210bb4f4c9f21e81e156790a392ba240e |
| SHA256 | 28cd43aa1f41d171bfea5f27f44f036ec30b0c693ce1992a01191fe5b2e0971d |
| SHA512 | 6bdcd253ce07b5b096c9b6473b6fa3230504ac858a726a5c997b4ed64d56677efcf2a75f1a5e81fb51f3289b86aeaef650b76fc6ee60397216421d945a753be7 |
C:\AdobeBV\devbodec.exe
| MD5 | 6f2ea52125b8a0cb73556c7043ca0f25 |
| SHA1 | 5c120d0a5b17ea5ca94cd55e1cc2eec8998cc333 |
| SHA256 | 412766d2a986160186b318061835cb590e423c81519c7e5b6e085f85bf68af45 |
| SHA512 | 2a56fae238f69199a7f9d4c6f513d976c87f530ded9764a544d5c39d35e4f07697998d4476e42f039b9784d46125fde1c3e720f27bce5db1a74dcfb06a15d680 |
C:\LabZV1\dobxsys.exe
| MD5 | f4b607f86090f06baed145c3eacc9b58 |
| SHA1 | d1164ece0173e7b46d4b81f790f0f978a446b864 |
| SHA256 | 0061458d3ddc80246cd94abdf5dff21928397f51d84dfdc53459db9c774c29a4 |
| SHA512 | ab514828d74638c637f1fcf22dc32b7c219442ae89e45bbf8860c67c206cf9cd1392c105d980876b589efa2f1f980c5b1d919cae3609dc6d0ffcd7b2091e467c |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 04fe157d1769b0862d13c99f89828fc2 |
| SHA1 | 0da7dc3dd9bba784909071370f118b946e9663db |
| SHA256 | 6d89a56d113f0c1240b9098ddf4e3ba79484b1384592ea0f308a831c9355a19f |
| SHA512 | f54e6dee9218650502e57c94cdfe7dc14618b634ab2ea140f88f73804b1e07f4b580d2f6c66dbe88a063ef216dfbd1e3d568ce137cdcc5b406d11d54bcf0a430 |
C:\LabZV1\dobxsys.exe
| MD5 | 397744892b5d8f39e5182b54b2f2461c |
| SHA1 | 2df4ec700687effefadec70e755676fc7296c016 |
| SHA256 | d272e422ca81489289414b2a86b3b7a7a7826c1833fdd9756c9f1fde716fa75e |
| SHA512 | 1c30161ceaa8cb5c82cb81c49486a3426c55412cab9ece1790dd680d2c53ebfe25c15f0b25ea09232764a71f5e0c6f1ffe9b59cae844787bd078e2b39b97626e |