Analysis Overview
SHA256
d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825
Threat Level: Shows suspicious behavior
The file d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe was classified as: Shows suspicious behavior. Both detonations below show the same pattern (an EXE dropped into the user's Startup folder, plus Run and RunOnce values named Parametr pointing at executables in newly created root-level directories), but the directory names, file names and file hashes of the dropped components differ between runs, so the per-file hashes listed are specific to the run that produced them.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 17:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 17:21
Reported
2024-11-12 17:23
Platform
win7-20241023-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\UserDotMA\xbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotMA\\xbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZH5\\dobxec.exe" | C:\Users\Admin\AppData\Local\Temp\d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotMA\xbodloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe
"C:\Users\Admin\AppData\Local\Temp\d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
C:\UserDotMA\xbodloc.exe
C:\UserDotMA\xbodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
| MD5 | fc9968f6e71cfd4f1fa06c0f9fe6a8be |
| SHA1 | e52b76a8e4fcc581716882e8ce58ae8a4d10218b |
| SHA256 | ebcbaa668fde0e6ed8aae8c532f86c68028fa6001e907922f43398df1cdb8c45 |
| SHA512 | 61bcaac7ed93b713f4bbf92960214f73f1de66518d2e7697878378f6d162d99ba8293d2cbfe08d0963a01d1be907437f8430e51572fd53122038a8d225b92118 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | d6cff1d930f0b6c26a95afd4f91afe3c |
| SHA1 | c2be2b7e1bb87cb12debfaf243ae7d78053e8bb8 |
| SHA256 | 51089e46f72a1fac4ebc11301c67be4cd8f6dd9c6342eecee6d25a1e307a9644 |
| SHA512 | a80cec80f2c3b429fbcc4cbf2efbf9c3737a9117b29b94aaf534ea04c58702ec08786e17d284e3a4abd8a512af8e76c198b843eb299335a6b574208a441ce550 |
C:\UserDotMA\xbodloc.exe
| MD5 | cd3d3d8495b4c10ca847825b99214fff |
| SHA1 | 2a366450a0f29f8a55d544189eccce8f1a92262e |
| SHA256 | 7e5c3acd4625592a804e32bef2bf5f7aece1ff43c7e4deea1c717e8bdfca8513 |
| SHA512 | f8485fafe893d2045eaf14b02ce35dbcb976672f0cf939dd6a89f529c97e58dd566c33f2c99eca1a66095621066a2bc147de36d9319a720a91c5fea90851e49d |
C:\LabZH5\dobxec.exe
| MD5 | a72e7fad90474585c4e7d919654bc44c |
| SHA1 | 095806dd6f741b9e7ce8d54566bfb0caf487ebfe |
| SHA256 | 19bf40e02c3f03abbdfb042fce564c94751ba5e41f402a265727e5a1e2bd4448 |
| SHA512 | d47432d2b484e8440dcaa8f291352528b93a508ad7714de0a106f08f027b14474f70b062f55e6374c9c15ad8fe6c50e53a18568b9d6ef561cc7ff2b1159b474e |
\UserDotMA\xbodloc.exe
| MD5 | 94ae7d3b0e0ee6752c8befd9dfb4f566 |
| SHA1 | 7063135a6aa1066f842857843913deaaa5e24ace |
| SHA256 | 8a16a73de7dcbae0e1cf9fdacc0eef1c2b39e8a2540d6011553a05b8c1c586b4 |
| SHA512 | 1585789687df580c392eeea37699e61b3c30aa3257c80a97ae6a1d0ad817331d9cefbb48e275b6bff0d911467df7b404e178138309efe4da33e82f32c4a67d5e |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 98efee698dcc5b1314498b54f31e427f |
| SHA1 | 3174e373170791072b969aa90f1f4c6aa03a14da |
| SHA256 | 19616fd9c68cb07adf018f26488ffb9fe746ba0ba981b6c4fa6b57fa87464c97 |
| SHA512 | 7518be278a47a27b345199f54f58952d6399cb2e49f7e24125724e2fc5eeb4aa7171583e014a616404e716bf326fabd438f0239b09fc118d0defdc9ef642a0b4 |
C:\LabZH5\dobxec.exe
| MD5 | 14a710b464814e4f1d9d06cfb0b013ff |
| SHA1 | 43603b164dfeb009960d07484ce1b64c4757c23e |
| SHA256 | 264a01b598952d34d7455ec9fdd5a4d6d21f35c5453d4005bbe1bac4045846d4 |
| SHA512 | 576d2e6a35d9f9f2cec00b72e56eddd9019c83010c98498b3ca2d62fda977209150b80d66f616a3b56d88e1b31a309604284c55539ddce6f40f78226abe4635d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 17:21
Reported
2024-11-12 17:23
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | C:\Users\Admin\AppData\Local\Temp\d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| N/A | N/A | C:\Adobe65\xdobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB24\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe65\\xdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Adobe65\xdobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
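Across behavioral1 and behavioral2 the persistence indicators are the same in shape: a Run value and a RunOnce value, both named Parametr, each pointing at an executable one directory below the drive root (C:\UserDotMA, C:\LabZH5, C:\Adobe65, C:\KaVB24), and an EXE written into the user's Startup folder, all by a sample running from AppData\Local\Temp. As an added example that is not part of the original report, the Python below turns those observations into detection rules and runs them over constructed Sysmon-style records (Event ID 13 registry value set, Event ID 11 file create) modelled on the report's indicators, with two benign controls. The record layout, field names and the list of "expected" top-level directories are assumptions, not sandbox output.

```python
import re

# Constructed Sysmon-style events modelled on the indicators the report lists
# (Event ID 13 = registry value set, Event ID 11 = file create).  These are
# illustrative records, not telemetry exported from the sandbox.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe"
HKU = r"HKU\S-1-5-21-1163522206-1469769407-485553996-1000"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

EVENTS = [
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "Details": r"C:\UserDotMA\xbodloc.exe"},
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": HKU + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "Details": r"C:\LabZH5\dobxec.exe"},
    {"EventID": 11, "Image": SAMPLE,
     "TargetFilename": STARTUP + r"\sysaopti.exe"},
    # Benign control (constructed): an installer registering its updater under Program Files.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
    # Benign control (constructed): a user shortcut placed in the Startup folder.
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": STARTUP + r"\Notes.lnk"},
]

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.I)
STARTUP_EXE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
# An executable exactly one directory below the drive root, e.g. C:\UserDotMA\xbodloc.exe.
ROOT_LEVEL_EXE = re.compile(r"^[A-Z]:\\([^\\]+)\\[^\\]+\.exe$", re.I)
# Top-level directories where a Run target is ordinarily expected to live (assumed list).
EXPECTED_ROOTS = {"windows", "program files", "program files (x86)", "programdata", "users"}
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def unusual_root_exe(path):
    """True when path is <drive>:\\<dir>\\<name>.exe and <dir> is not a standard system root."""
    m = ROOT_LEVEL_EXE.match(path.strip('"'))
    return bool(m) and m.group(1).lower() not in EXPECTED_ROOTS


def scan(events):
    """Return (event_index, rule, detail) tuples; one event may match several rules."""
    findings = []
    for i, ev in enumerate(events):
        if ev["EventID"] == 13:
            m = RUN_KEY.search(ev["TargetObject"])
            if not m:
                continue
            key, value_name = m.group(1), m.group(2)
            target = ev.get("Details", "")
            if unusual_root_exe(target):
                findings.append((i, "run_key_to_root_level_dir", f"{key}\\{value_name} -> {target}"))
            if value_name.lower() == "parametr":
                # Value name stayed constant across both detonations while the target changed.
                findings.append((i, "run_value_name_parametr", f"{key}\\{value_name}"))
            if TEMP_DIR.search(ev["Image"]):
                findings.append((i, "run_key_set_from_temp", ev["Image"]))
        elif ev["EventID"] == 11:
            target = ev["TargetFilename"]
            if STARTUP_EXE.search(target):
                findings.append((i, "exe_dropped_in_startup_folder", target))
    return findings


if __name__ == "__main__":
    for idx, rule, detail in scan(EVENTS):
        print(f"event {idx}: {rule}: {detail}")
```

The two registry events each trip three rules and the Startup drop trips one; neither benign control matches. The root-level-directory and Startup-folder rules generalize beyond this sample, whereas the Parametr value-name rule is a narrow indicator tied to what these two runs showed and should be treated as such.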
Processes
C:\Users\Admin\AppData\Local\Temp\d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe
"C:\Users\Admin\AppData\Local\Temp\d4927b8c43e91200562b92a1f6bc9034f2ca26cda3c3167e6d5eb2dcbc045825N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
C:\Adobe65\xdobloc.exe
C:\Adobe65\xdobloc.exe
Network
All entries are reverse (PTR) lookups sent to 8.8.8.8; the table records no originating process, so these queries cannot be attributed to the sample from this report alone.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
| MD5 | f74a6cf39a57abb3fdb5b0cf1f03afc5 |
| SHA1 | 282e6330df78bb548ccf58378b876eea51a93c80 |
| SHA256 | d9c1a96eb49a9ae315b91457dbb607bdf51e406d057dd7a1f6bd09a4530dd14a |
| SHA512 | 59c412a6125c4459a41be4e8b231f3f838385a76f6b5449a20e92a7d8a5f8f8eb9cd19f0ea28809b7b7c8ff66b18d6264367733c1e1efbb363f82c0972d68cca |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 8616775d1b303f9c7cc6b6697e26df13 |
| SHA1 | 98883ea5281dbbc790c8a31352a388ae53cf4b44 |
| SHA256 | b1110957034016e38f3a124ec2c1fdfec861793d3fc0fd306d20972de0cd0805 |
| SHA512 | aecb5fa03c56abd2a259ee47a2291234549ee300c33c6899844ed7b7579c066de861153b05735342cc7a7e1dbda15d0b055c0dd37948a0e1999a658ff1946095 |
C:\Adobe65\xdobloc.exe
| MD5 | 95ab4c216dfa422e2f9bfe7bde8097b2 |
| SHA1 | d351bde01c0a05ec2766bad5e34d032524ec681a |
| SHA256 | 08fe99f5d793b308d1e437223ec27ef58cc1f745c52f6053d9d703fb6caec87f |
| SHA512 | dd2e6491d429861c21fe92233b843f182f2a0c2b15014f756a9c8a252d7272831104fd8dfe8735a960049b903d3ede1aa7a93b54903dda954de3f58ab54d6ffd |
C:\KaVB24\dobdevloc.exe
| MD5 | dd441a90b3929e379b5e687c40e462c1 |
| SHA1 | ed8fd1688fe952f3c4139bbd554a7dcc9e4fb617 |
| SHA256 | 398c41f2868f122743f609b0ee2e6e0e4ceb264eb56f10b8426be5607653aeda |
| SHA512 | a37d5c21bc1ef4eb8a29e0a73193794141403a89133fa7bad9236123025a080b130191fb93a5f915e0fe79f1a689c67eeaed99ba453503ad3c6e7fe0f4b0855e |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | d0dd4e5183a95065048e679331b77239 |
| SHA1 | c8f719c7655ca9c1128d54287c2743358d14b9df |
| SHA256 | ff7ba338ee00acdb24699b9b4e9870af905fe493a6d689c7e7b268dd56a58186 |
| SHA512 | 893c73748e613acd97eff565cbc9d4d3e4ac619f704999ba41b398975c14dc8db709e45e3c74cef189a0d20a2eb0a4d9c0d4f2fdc2ee8e74a58aa51e80b4085d |
C:\KaVB24\dobdevloc.exe
| MD5 | 0f44e2a3c0551a5e4fe9193d05c1e0ef |
| SHA1 | b4850d426fd963665b1cf1c478c7a11f0e1398c3 |
| SHA256 | b15b1fb7549e37e66632af877cf9154f8698d790ef00874bfe4367901dd09586 |
| SHA512 | 508be8d3b425e7d30b214b4b76c029abae2a2bc344af4aefc02a66e714eb932fabedb34cb0a4f8b75195a5ebe0c02d8feea35c8f593996d417e65bbe49c6a611 |