Analysis Overview
SHA256
6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a
Threat Level: Shows suspicious behavior
The file 6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 23:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 23:30
Reported
2024-11-11 23:32
Platform
win7-20240729-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | C:\Users\Admin\AppData\Local\Temp\6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| N/A | N/A | C:\SysDrv03\adobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv03\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBBW\\optialoc.exe" | C:\Users\Admin\AppData\Local\Temp\6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrv03\adobloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe
"C:\Users\Admin\AppData\Local\Temp\6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
C:\SysDrv03\adobloc.exe
C:\SysDrv03\adobloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
| MD5 | 356daadd11b214d1b22f9405c9849caf |
| SHA1 | e8871a9e54199c3524ac27008c51af2f285a59a4 |
| SHA256 | cba3bb5c58ab0cf959fc144c82ea81a091875a7fcfa6766701d8aa13d8e22ca8 |
| SHA512 | 90e805ef9df7d56ab43251562d5c7806eff8963f4f7daa378e3beb6fa54b3770918ff1eeb5b01b0bb4f0fd37cf972a58552d6ec9c06be5ec5c581869ce0f1eb3 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 3abf40bde1030fa4d785a187052dce5b |
| SHA1 | f13c8494c0ca25d6c81e5cbb3240d70187ac5606 |
| SHA256 | 51787751699452e4d2024b638327c945c7554177ab5b8e944d3828fcacb57bcd |
| SHA512 | fa46149d8de21467f1ece209e54659b7081139b70bb0df2c2a9caa094c62493ac4eddffa3980895f4181d979a015d5294f85e139f52869e5209a06bd7509f5e7 |
C:\SysDrv03\adobloc.exe
| MD5 | 0860ba7ab87e6dbf893e728aa4621778 |
| SHA1 | 6296ec6dd59bc3b8a68b647437f788d3632c62db |
| SHA256 | dae0dd40453db7d1814b71e7428dae76ec100c87d90429cfe275f635828912b2 |
| SHA512 | 6b72d47a2829acfcf1490f689278dd8559279bed5d5c4557d0d0a5168428051f1906438558ebacac45c8aee6d3c2408cb4723e18b3d3bcc087625db5239ebaef |
C:\KaVBBW\optialoc.exe
| MD5 | 640f7b2ac26336229373f2ecd8f1e3a8 |
| SHA1 | 8cfce73dd133747809bae24c696a802d971ad6df |
| SHA256 | 66baea018715e78994053487d660febeba43540f4d76ae24735f7587954117d3 |
| SHA512 | ef4e20d859152927a79e4664f7e94555cb4816cfc7746d897db81ec06b07015e8e8d2d096446d27e9cdc3935f8a9e520a00b2f9582f31ffd83a9c36f0ca33267 |
C:\SysDrv03\adobloc.exe
| MD5 | 6235a45acb96499db77bd66e914d1273 |
| SHA1 | e2a28dc9732eb9c2ecf801c3e85cb4ef7843616e |
| SHA256 | feceeaf26ea2c27eb2db14ea83a9fedb75d2b217aa4307a205f70313de2c9558 |
| SHA512 | a55a64c0faefaf80cfab5912d97fdfa165575ee9a6bbfb650175e8ef2281d825d70933c2953124d76cfe4b3da5bb44d1a4436628ecf0f1d122013dce97553c20 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | c24c5ed629617b315229b8950be5531b |
| SHA1 | 3d30fc02eef87c46cf38e8fa90bbfccf1325fc56 |
| SHA256 | 0960972f1bd3c9e3bcf8099f4ba7ac0a600039754a1475e59b5fc00a88c02cde |
| SHA512 | 17dc3fe14e7d13eb3d1572e498fb22afb763cd173ebfdb3aa3f40edd0cc712dc2ab375a0c52da673b700055ae72ba5418988f124f51d8a27fea955c61cb4c1c0 |
C:\KaVBBW\optialoc.exe
| MD5 | f99024660825aaabf4de1c919c611cbd |
| SHA1 | d08e12c41644b483b306da98d42470b83e597c80 |
| SHA256 | 17b4e470a0683491103148da3990c845fc8b375c9563fd69004b9ac5eb421493 |
| SHA512 | 0bfc8e55a70b993d21b8909a788fed7bf0d5fcd88661c66ded8b3705afcb40441dc0255b181dba3e8c0db57ca7669d54598477733c4d1ce2429d2f3309b85c88 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 23:30
Reported
2024-11-11 23:32
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\SysDrvDH\xbodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvDH\\xbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZPS\\optixec.exe" | C:\Users\Admin\AppData\Local\Temp\6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvDH\xbodsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe
"C:\Users\Admin\AppData\Local\Temp\6f141446e54d54d6de33e0a4979588c23938258d4e43d95e82fca14b94caed3a.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
C:\SysDrvDH\xbodsys.exe
C:\SysDrvDH\xbodsys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
| MD5 | ad5570fe4eceffd36b721e261694a306 |
| SHA1 | 740ff3f3a24bf898b4e409f7b0a1bb457e7ee217 |
| SHA256 | f8e9672dd165d7676f0904c83c329ad8d3b873996ac509f80d8b54d29ef1301d |
| SHA512 | 4fc7e8056ebb47b1191f1363e1270e8323867d7d9ac56b3a14cdaa51606e716e0d540f7a717e8017c00034adb80f278ddb1485291433f24351c0cea2e6d65f6a |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | d21bffc757f7f363fbe447c4bfd29a87 |
| SHA1 | 8581dce6a5d9b4692b6f804765af491a0e8b0fd4 |
| SHA256 | 0a6bfef6bad1a072634e2ed0dc939943aec103ab1d80496a23664576b2b878b2 |
| SHA512 | 4d6be58f6e1ea4cff60d504f561adc33455449830180747d28e92a93bc370e12c8cb1d905aa29f07285e46c9b3196bd9ef0c3751a9a153c7fcbfc31f51935d50 |
C:\SysDrvDH\xbodsys.exe
| MD5 | 28f0ed0287aec4e9cc2ae10e181bd3dc |
| SHA1 | ca6df11b2bba9bf7d9d5488564b9672f61e06a20 |
| SHA256 | bb8b5bc6f61a61f94ee159453d19270ff84e6951c8784abbfb1b5ad6f980f0ca |
| SHA512 | c87e91dfc11ea9bac3f06c4451dfdfe0972efacf30ffdacf8eb93fcbaccadd467c0802f8c2df61bb0ad76142147860acf795b489c50283f50a9cbe34cf5c03da |
C:\SysDrvDH\xbodsys.exe
| MD5 | ddcc6359b12d921aa18ba5a05cba02fc |
| SHA1 | 889532262949ee84974b896d0c931d4253a6691c |
| SHA256 | ccb943d0eb73ca66df8dd8a31540d151800acfe79cae074282a1b84c35b3ddcc |
| SHA512 | 5c0bf6694ddfbd89f181677765e5353fd77f23bbcfe7e0e26b8a1af0e67197bf964ebf5eff5ccd420786883783f46fe104bf241e69e302e43843ee3994c53f7c |
C:\LabZPS\optixec.exe
| MD5 | a3600ce8427c98f5fc702a3163c07f3b |
| SHA1 | 0df27f879782698f166729ab9ac31f9902b34248 |
| SHA256 | abfd8f401d2e22e50872e86bf294f1c14de28da7366c17b1998f366a4a2ec7b5 |
| SHA512 | 84f2b4fad2142ab5cc5a21760100c7ae820635facd32556924efb57416a3e99aea64da3e42352cacf6d64791bfb5618dc9a408d76e622c7831580c3bbb41a18e |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | af3b37676ce2dddae6e7fc0db4ad005c |
| SHA1 | 29ae69d1163078aac687d5aef88c130c70a681e8 |
| SHA256 | fbba108e73b5cf93d02b3c13ffd955cba8642f1f4687f8f084ddda2d5eb33cf0 |
| SHA512 | d2f219fd727e4cc3efda7339364f1661e3e69a015caa19d2456cb65235798c4d08b00d1034f5a4e44002a0137e0a5be1e7ae0d49f62c297434b938bf92dd5589 |
C:\LabZPS\optixec.exe
| MD5 | b43b0f1709ecb7510311cea79657ac6c |
| SHA1 | c15b037e0cf71b48820c4fe0b208c604587b3695 |
| SHA256 | fafbc4e852abd584f6d4817058ae8cc77cf07373969e0d1521786f1877bd1535 |
| SHA512 | a218c25f4bc48b44770ace08321c774657d1eb4676e0e70bf74882da6103ffb66e3e53d3a604f5a4b83f4c8cfc0a71a0012a93cf2d1bc479a755c92db2611b58 |