Analysis Overview
SHA256
84a3efbb0534c1c1187d55cf8663a54b0bb3f090bb071c73f196217852e14855
Threat Level: Shows suspicious behavior
The file 84a3efbb0534c1c1187d55cf8663a54b0bb3f090bb071c73f196217852e14855N.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 13:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 13:39
Reported
2024-11-13 13:41
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | C:\Users\Admin\AppData\Local\Temp\84a3efbb0534c1c1187d55cf8663a54b0bb3f090bb071c73f196217852e14855N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| N/A | N/A | C:\IntelprocWW\xoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\84a3efbb0534c1c1187d55cf8663a54b0bb3f090bb071c73f196217852e14855N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\84a3efbb0534c1c1187d55cf8663a54b0bb3f090bb071c73f196217852e14855N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocWW\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\84a3efbb0534c1c1187d55cf8663a54b0bb3f090bb071c73f196217852e14855N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax6N\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\84a3efbb0534c1c1187d55cf8663a54b0bb3f090bb071c73f196217852e14855N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\84a3efbb0534c1c1187d55cf8663a54b0bb3f090bb071c73f196217852e14855N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocWW\xoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\84a3efbb0534c1c1187d55cf8663a54b0bb3f090bb071c73f196217852e14855N.exe
"C:\Users\Admin\AppData\Local\Temp\84a3efbb0534c1c1187d55cf8663a54b0bb3f090bb071c73f196217852e14855N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
C:\IntelprocWW\xoptiec.exe
C:\IntelprocWW\xoptiec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
| Hash | Value |
| --- | --- |
| MD5 | 68a97ac5d8e549b69410cf595a5fc77a |
| SHA1 | 8a962736ff67d39c58fd1e69744685ba69a1d394 |
| SHA256 | 79cf4253be718a385f584e03286609263dcb4ac5393d01fedd1975f1b8941085 |
| SHA512 | 6ac1600596ad3d4909f221e8870ded1e111cd07b9f0766ae3b668e28789042f8913056c41eed9595b599d5be60008d4cb2f449173c66bafdf998921f2dbcdbb3 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 9d0805f24d3b515ade1c39b8e3c25fac |
| SHA1 | 207220ae9d0a03e2f4b16de5c5f250f01ad111c2 |
| SHA256 | f25cec10e7162f09b076d176a92e96776a1a206f667dcfa1697926719ffa6d3f |
| SHA512 | 2a7043951c1cef0795dcac75997efcc29d3e3239a1590ad9c84085dc44c1edf55083396a9749cc173065f8ec2f64f4c58c81da5eca7ac5f23fc9a6e7b0cbc6e3 |
C:\IntelprocWW\xoptiec.exe
| Hash | Value |
| --- | --- |
| MD5 | c1cf50fe1f971a4f3f331e4368f94d2f |
| SHA1 | af87af81edecd7f82dbedc78200104f7b3e8d25a |
| SHA256 | c9fa26ee5d6762efb29314abc5e48610e1ceec0428ebb53950ec98d46ca21101 |
| SHA512 | 460cb26f8499a55fe20acec84b2d15a205546835832061ccf8777c4a58b168aa9640370ab9436d2f8a3ed47d3990795e903e9ef0852d8198ececad5d48be3377 |
C:\Galax6N\dobdevloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 62c2189129fab5c593617f1e52ef586f |
| SHA1 | b6c87155563fa20de416377370e780dd495ca0b3 |
| SHA256 | 33d79d9180a9aa7023fc9a2360309f0d5e5182f3ca5ef511da4e9a0418dd4617 |
| SHA512 | 5b591f381844561cd5313e9dd62d2793052879781a5e73351dd137d92e5849731b96a5b884eb7b25a52792ea32cbbd6d47815e88c32c783e904cfd3ff3d62b67 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 711d0b2e6d825efd62d5c271a3eabf91 |
| SHA1 | cb97d3bf1aedccff9b6488b8236ec510baf42ac9 |
| SHA256 | 4eea5d3befe24f8946c5bcc09f4e329e7ab92e1ec1dbaf2fa80aa6d3ccdb11fc |
| SHA512 | 0af3d0825d57e52eab3f35fe2b031dd297eecf5c0908bdccc96249180c28fb9979058a40e1535fc14b4ee6b6e7e50467b9bf710aa19f658e9322d78f26e2f8a9 |
C:\Galax6N\dobdevloc.exe
| Hash | Value |
| --- | --- |
| MD5 | ed462bec0532d4e49525e1664c5d8840 |
| SHA1 | 6cbdb1974be3f3b61ba9cdeec6e7d89a45a2ec92 |
| SHA256 | 99fcbc4e3e0c2e574f510444e8a0bcd470ec9f23f1033d08001b63076eeae80e |
| SHA512 | 2127794ab6479c5d060b2800d662c91f145f2d40188b3ad745ceb3855a911ba8a37534e1d9e18cebb4325cc7df8e07abea977bc8e02e66cfcc3076e24ffa9d19 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 13:39
Reported
2024-11-13 13:41
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | C:\Users\Admin\AppData\Local\Temp\84a3efbb0534c1c1187d55cf8663a54b0bb3f090bb071c73f196217852e14855N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| N/A | N/A | C:\IntelprocKO\devoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocKO\\devoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\84a3efbb0534c1c1187d55cf8663a54b0bb3f090bb071c73f196217852e14855N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintIS\\dobaec.exe" | C:\Users\Admin\AppData\Local\Temp\84a3efbb0534c1c1187d55cf8663a54b0bb3f090bb071c73f196217852e14855N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\84a3efbb0534c1c1187d55cf8663a54b0bb3f090bb071c73f196217852e14855N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocKO\devoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\84a3efbb0534c1c1187d55cf8663a54b0bb3f090bb071c73f196217852e14855N.exe
"C:\Users\Admin\AppData\Local\Temp\84a3efbb0534c1c1187d55cf8663a54b0bb3f090bb071c73f196217852e14855N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
C:\IntelprocKO\devoptiec.exe
C:\IntelprocKO\devoptiec.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
| Hash | Value |
| --- | --- |
| MD5 | cb3ce4d489f2b888c54f910dcf98cf63 |
| SHA1 | 306dde41b9a3d334365df4f1b3dae07db5d1fe58 |
| SHA256 | 45fbe833021c134c890756472a0988eced345424c4067a897163b383e1c88460 |
| SHA512 | e95c81237c6bf4082f37260e3c5340d79d14fbfb71e83e4f3175742174a821b80e7755a8691568b4c11d94e21cd2aff2eb93c58c452ef20bca8258bae0148c2a |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 158d8352e255d1ca9a49ff69faadbf10 |
| SHA1 | 80d9ac37418cc0dfeba5c2191faa9396fea118eb |
| SHA256 | 1e8d5bd2966143d945dcc7d3902a90e9d6fb3dabd49727f75dd08a663efc5c15 |
| SHA512 | d9d56bfb06dda38e8b318b77f3ab35aa2a2c7b718c866b9377a8cbed2f17116783c276d2af2256dda50f851f2c2d1a8a9fcdf1c1b8c1ccbb23ac191cc0641e99 |
C:\IntelprocKO\devoptiec.exe
| Hash | Value |
| --- | --- |
| MD5 | 1158f86a0845ee6fe9ce7b682fd51439 |
| SHA1 | caf9890ab05a6eef87827bb3ab60eaee3b254faa |
| SHA256 | 3d1f80bce336609701c74a291ec5f27ae76b198dfc51fe6615349996dcba8ab1 |
| SHA512 | 3820fa06d8911561113535b4e01a0e4a3bcb87a566762f0995074fdd561e824454613a36d5347004f0370ff27867df4f962f498ca63e8e4b5e82c935860d3503 |
C:\IntelprocKO\devoptiec.exe
| Hash | Value |
| --- | --- |
| MD5 | 7d947ac6e57ac0730960d5596aaf34af |
| SHA1 | af45b18a78f9f3fe3d8a505b167d137acc41d324 |
| SHA256 | 1923128e1cf75b23cd9ada3e493a628aebfc5e31f37dec27e5dde76028f269ba |
| SHA512 | c68f0ac1fc1479d72b3a94ca0508cd820ab03e4b2fbb2e8867c51ccb5b5c0229befd0ae6ce6e9fb7509e77b08f16890b243415f848a626e3e3dfd000046408bf |
C:\MintIS\dobaec.exe
| Hash | Value |
| --- | --- |
| MD5 | 8f9f7b627add6f3a754ed22ff4b23011 |
| SHA1 | ba5682ee646fae8e19b380426cb82833d2478653 |
| SHA256 | 8dc84ceb78c8d499f4edd8cee3f693b5cd1e8ca217f83b26eb245d8deddd5ea6 |
| SHA512 | c12be76524eed8b00d0a43f1f9112de169feb013f57b189d60a3013974bb12fc389139447da876a05f7ca8449cf55f516bdb9d4ca6916c1a43019913eb6d456e |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | a34208f6f96ed9c762187e5ba7716bf2 |
| SHA1 | da6792f9264ff6c326e6e17fffcb4c5ce2941955 |
| SHA256 | 3029128fec2068bfc746445ee8d57a630d33b6fa035bddef2e08bef5139e97be |
| SHA512 | cf4634af718eff51c0675df5b72c172453d531eb672573efdc307eabbc5a18b56b27a3ae9ed20539d14b9b958c651aa699cf81e0cdf656077cf37cdcac37828a |
C:\MintIS\dobaec.exe
| Hash | Value |
| --- | --- |
| MD5 | 815707e9d21e33dbd3b5e23e10e9c3f8 |
| SHA1 | 0e0b4c7554e5dcf0563a1642b84c5de9cd3b405b |
| SHA256 | 57589ef6a591e5817869287df50883dc76404650b9dceca07cd4d3648b12fb2e |
| SHA512 | 0cb334eafce6258c3e2ebc48bd676fdf4275a458c820f5acebc14979b791895603f0ef5cf95b618fe08f0786bb3ae66df23cf05ec7134f27b0b5f5a386649fd0 |