Analysis Overview
SHA256
d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa
Threat Level: Shows suspicious behavior
The file d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 13:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 13:51
Reported
2024-11-13 13:53
Platform
win7-20240903-en
Max time kernel
120s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | C:\Users\Admin\AppData\Local\Temp\d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| N/A | N/A | C:\FilesMB\xbodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesMB\\xbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZFZ\\optiasys.exe" | C:\Users\Admin\AppData\Local\Temp\d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesMB\xbodsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe
"C:\Users\Admin\AppData\Local\Temp\d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
C:\FilesMB\xbodsys.exe
C:\FilesMB\xbodsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
| MD5 | ec8a9e7a3ee232f2def62ead2aaa0061 |
| SHA1 | 7cc86174c45d28da4582c3533a2793a57551b527 |
| SHA256 | 81ad83d48c549b48abe065fe2949536bbff32e06ff57502f02ddf18c6e846818 |
| SHA512 | bd1acb4c1c3d10aff30a7f9b1bcfc5873f0937a5b5d75ff1541606995f26c5b295f47976643a2a8a3005a39ecb17d40fcbb59c3e5285f3093e8501df86a3f8be |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 5bf8c635793da44279bc869fcdc09200 |
| SHA1 | e4cb5e5b0192218e986679ef6fd62e50c6b2d24e |
| SHA256 | 6453fdc8718d92fc01c84099b536387f7afc91641bc46464cd44970b477c7982 |
| SHA512 | 62ffd842fa03cc1fbe0b67645da132d17cb131dd415b8bb1eb7e5e481d96d6b884da9c6294cb536a6f2c00ce3fd71ded8e00622c12fbdc4354384be6846cf922 |
C:\FilesMB\xbodsys.exe
| MD5 | 35d5f2180b8da2eaecad0679e66dc251 |
| SHA1 | 3e782e20becd6567750bacb04faafd148aadac06 |
| SHA256 | 2060beef29432b8908a388df4a1a966c34d69e51cbf1f836ab07935d52f94700 |
| SHA512 | 15f574e8e815c44b4444d3eb87af7e00b262eebc14f1ab886d4912aae01cf910dc7d4f769f884a3659bce05e28faa5a23be0190cf13a203cff0f3afdb951c493 |
C:\LabZFZ\optiasys.exe
| MD5 | aba5f0f333201565c2c429be92716b14 |
| SHA1 | b60fbae703c10e223dda9e6c284d126e3ca51d2c |
| SHA256 | c8f1affcbf78049e87681848a12345417a186ca92b1a804672fff75df9b2e268 |
| SHA512 | 4f923dc2a20bc6eaea77a056694516c685422ff794397d93f968b7ec02ee43eb4dec4b606e988d323aca5913342ecaf08fde40e0aa7bf94d8b828b02a4846c52 |
\FilesMB\xbodsys.exe
| MD5 | 908f94b9fcd7d9e50922ffcbbb8f1063 |
| SHA1 | 50202d53abda9dedb5f886625328345fe8b5d69f |
| SHA256 | 27f15496582653257d53efee3cf499e4201791895674636719efd847297c9ea0 |
| SHA512 | b8173a941d78f899cfaeaa0e948469d7dc64b529539eafa5680332ca91fd78750486e139b7b017936316c9b463e008627b85b5d31d0c47d3febfaa9055ea05bc |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | ffba3267a1c07a318d35b69a51637dda |
| SHA1 | bbde65a99a8e7d1060690589ea01a7c025d5d808 |
| SHA256 | 4309bd60b6ecd6f4e51c94d9997a9998bb7eae89b1a641d6813ae760dd5e4ba7 |
| SHA512 | 3e3b8ece8f2f3d36eae48d65b3afc4a0368794e255266a3bf368f5af601ba3e731791ab7517a249326ea4e409e59ff2fe152fd185fa988a9fc9e99706d5b8578 |
C:\LabZFZ\optiasys.exe
| MD5 | 61b773990ee27e9e908970e63b267f79 |
| SHA1 | 522f4b8bd8207fe759634142fdb72607b71380f4 |
| SHA256 | 8680f82d44553da0b976a373a4c22a7847b75edeed53a8fcb3bab73b13c72c0d |
| SHA512 | 6a34405c32b1ed6c0070d4c054d00db08edd60f126246e30755b99cdc98b0de4394c89b066d72ca1b9f4c4ef554bf4713874e94aae71615254c3d79bc546c29e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 13:51
Reported
2024-11-13 13:53
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
94s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | C:\Users\Admin\AppData\Local\Temp\d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| N/A | N/A | C:\UserDot28\devoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot28\\devoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintU0\\dobxloc.exe" | C:\Users\Admin\AppData\Local\Temp\d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDot28\devoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe
"C:\Users\Admin\AppData\Local\Temp\d4547542ff14ea9f2b1b7b43ced5ff63a855b17a5d8e808300532cc4d1758ffa.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
C:\UserDot28\devoptiec.exe
C:\UserDot28\devoptiec.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
| MD5 | 02ad932016415ae33db41793b5de29d4 |
| SHA1 | 580c7abeb0e3ac7caaa0abc8e8751682d44c4771 |
| SHA256 | e3f043f681ccf49edadf2ee4b765611bd5f4846e358c8ba0976f5c28c819d16f |
| SHA512 | 2a11be83d5339f5a7281f4918b695dc3cf7fb273474596c82d96f93de70ca74c8f5dbea569d51383a794c825fc3e058c1a1648ba46cbab247dbfac2ed0da7f69 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 0189ea19fb1d2ecf1120e2f93e29b0c6 |
| SHA1 | 318163923f0fe19a34b86c4d5528b8c5583a3d6f |
| SHA256 | eabd56d9aa0d41130cf70db02c0304aca8f633d894cb3464196b408208ea56c2 |
| SHA512 | 638634df4ad370fdb2dd3f657945ca35f01df649fbeded605c26c1418dd56819b1fb44c26f06cea93d3f0b2142df2cb3d1e4da0ce337c0155756dec50eba015e |
C:\UserDot28\devoptiec.exe
| MD5 | b736750331a9edf63fe4c708b80662c5 |
| SHA1 | f5b3761b33bb51f28c30ee598f44afa419f678fa |
| SHA256 | f7985d64f9f8b4884c89453da59ed970d1583ce1c0b69b7f25e9a78414ce58c0 |
| SHA512 | 15648e88d4aa83d23a534c8223ddc6fb97653534704d42393f2519d488e63ac68f655fdc2182f91de15924f89b811bc7369efc1cf96b7c038f12eece37a70a53 |
C:\MintU0\dobxloc.exe
| MD5 | 32bbcbab3419e834435d02c0275fd37f |
| SHA1 | 98e418dd90c189398b5924e334eac4015c15faef |
| SHA256 | d728d4abb6b71bc517348f4add2f8461986a657d58be8a825ab3850c40eb0b16 |
| SHA512 | b4f3c39a75f864d351e8a58232e203c1d06c2d32d0c94608d5ca27e9c93aafff543bf2530cc2d31226aaaf5a0f97bdcc00e104f58401714e65617241d601ffe1 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 9b3030154a2365989dd732c4b03c3fda |
| SHA1 | 6ddc70be610b9f14839d826db01fe84ebcbf5d86 |
| SHA256 | 69e2c0c4e04a281a68a4a1e4662722825619ec1f37291b233ffa73b1872854ac |
| SHA512 | 7738221275bafc102c68ddde9cd3dafc870e7f0999c916e079b388516c1670ad1d3783f5df4a08af06d9d8151a1385ebf0394e3e16334e20bea5aca1fd416930 |
C:\MintU0\dobxloc.exe
| MD5 | db46af80db043749659c82918a3334b5 |
| SHA1 | 65c7052a6b7d8fca322ecb61c9ece95246068ee9 |
| SHA256 | 0adb23abd425fc6794de9cfe6a3cf74d43e37279cae6f134782bcd51c0068313 |
| SHA512 | 5160e51941d2f0a098e98ed4303537654458434fc6fefa670104ea82a8c03f3faf8572179b71bc2bdc763551d50476f13007bb590ac491a0a97a927695817645 |