Analysis Overview
SHA256
88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8
Threat Level: Shows suspicious behavior
The file 88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 16:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 16:49
Reported
2024-11-12 16:51
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | C:\Users\Admin\AppData\Local\Temp\88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| N/A | N/A | C:\AdobeCE\devoptiloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeCE\\devoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintUY\\dobaloc.exe" | C:\Users\Admin\AppData\Local\Temp\88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeCE\devoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe
"C:\Users\Admin\AppData\Local\Temp\88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
C:\AdobeCE\devoptiloc.exe
C:\AdobeCE\devoptiloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\AdobeCE\devoptiloc.exe
C:\MintUY\dobaloc.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\MintUY\dobaloc.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 16:49
Reported
2024-11-12 16:51
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
97s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | C:\Users\Admin\AppData\Local\Temp\88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| N/A | N/A | C:\UserDotIP\aoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB2K\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotIP\\aoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotIP\aoptiloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe
"C:\Users\Admin\AppData\Local\Temp\88359f06ba44282de590c8058d8c1c3a64dffb0381a93ffe3d2d2a05a0f493f8.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
C:\UserDotIP\aoptiloc.exe
C:\UserDotIP\aoptiloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\UserDotIP\aoptiloc.exe
C:\KaVB2K\bodasys.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\KaVB2K\bodasys.exe