Analysis Overview
SHA256
026415047a7e2f7298c30621b252189851361948be4b32dc1680eab563976b92
Threat Level: Shows suspicious behavior
The file 57e389f40cf57f59eadaf9e0225d29e437d67109820c21f4e4a4de3f54fd3fc8N.exe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 14:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 14:32
Reported
2024-11-13 14:35
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | C:\Users\Admin\AppData\Local\Temp\57e389f40cf57f59eadaf9e0225d29e437d67109820c21f4e4a4de3f54fd3fc8N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| N/A | N/A | C:\AdobeNN\abodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeNN\\abodsys.exe" | C:\Users\Admin\AppData\Local\Temp\57e389f40cf57f59eadaf9e0225d29e437d67109820c21f4e4a4de3f54fd3fc8N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintE2\\optixsys.exe" | C:\Users\Admin\AppData\Local\Temp\57e389f40cf57f59eadaf9e0225d29e437d67109820c21f4e4a4de3f54fd3fc8N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\57e389f40cf57f59eadaf9e0225d29e437d67109820c21f4e4a4de3f54fd3fc8N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeNN\abodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\57e389f40cf57f59eadaf9e0225d29e437d67109820c21f4e4a4de3f54fd3fc8N.exe
"C:\Users\Admin\AppData\Local\Temp\57e389f40cf57f59eadaf9e0225d29e437d67109820c21f4e4a4de3f54fd3fc8N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
C:\AdobeNN\abodsys.exe
C:\AdobeNN\abodsys.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
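Every Network entry in this run is a PTR (reverse-DNS) query sent to 8.8.8.8, and an in-addr.arpa name lists the address octets in reverse order, so the table does not show the queried IPs directly. The Python below is an added example, not part of this report or of the sandbox's tooling: it decodes in-addr.arpa names (and, as a generalisation beyond this table, ip6.arpa nibble names) back into addresses so they can be compared against known infrastructure. The sample rows are copied from the table above; the IPv6 name is the RFC 3596 example, included only as a constructed check.

```python
"""Decode the reverse-DNS (PTR) names in a sandbox Network table into IP addresses.

Added example for this report; not sandbox tooling. SAMPLE_ROWS is copied from the
behavioral2 Network table; the helper names and the IPv6 test name are constructed.
"""
from __future__ import annotations

import ipaddress

# Rows copied from the behavioral2 Network table (constructed list, same format).
SAMPLE_ROWS = [
    "| Country | Destination | Domain | Proto |",
    "| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |",
]


def ptr_name_to_ip(name: str) -> ipaddress.IPv4Address | ipaddress.IPv6Address | None:
    """Turn '13.86.106.20.in-addr.arpa' into IPv4Address('20.106.86.13').

    in-addr.arpa names carry the four octets reversed; ip6.arpa names carry the
    32 hex nibbles reversed. Anything that is not a well-formed reverse name
    returns None so ordinary A/AAAA queries are kept apart from PTR traffic.
    """
    labels = name.lower().rstrip(".").split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2]
        if len(octets) != 4:
            return None
        try:
            return ipaddress.IPv4Address(".".join(reversed(octets)))
        except ipaddress.AddressValueError:
            return None  # e.g. an octet above 255
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = labels[:-2]
        if len(nibbles) != 32 or not all(len(n) == 1 for n in nibbles):
            return None
        hexstr = "".join(reversed(nibbles))
        try:
            return ipaddress.IPv6Address(":".join(hexstr[i:i + 4] for i in range(0, 32, 4)))
        except ipaddress.AddressValueError:
            return None
    return None


def parse_network_rows(rows: list[str]):
    """Yield (destination, domain) from pipe-delimited Network rows, skipping the header."""
    for row in rows:
        cells = [c.strip() for c in row.strip().strip("|").split("|")]
        if len(cells) < 4 or cells[0] == "Country":
            continue
        yield cells[1], cells[2]


def ptr_targets(rows: list[str]) -> set[str]:
    """Distinct addresses whose reverse name the sample queried, as strings."""
    ips: set[str] = set()
    for _destination, domain in parse_network_rows(rows):
        ip = ptr_name_to_ip(domain)
        if ip is not None and ip.is_global:  # drop RFC 1918 / loopback noise
            ips.add(str(ip))
    return ips


if __name__ == "__main__":
    for ip in sorted(ptr_targets(SAMPLE_ROWS), key=ipaddress.ip_address):
        print(ip)
```

Baseline noise from the detonation VM can include reverse lookups of cloud and CDN addresses, so compare the decoded addresses against a clean-run baseline for the same platform before treating any of them as command-and-control infrastructure.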
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
| MD5 | 99777c99fe0234cbb543b92657b22c13 |
| SHA1 | b98afdb041dee5b84d0b8a672216eebbbdc7ff31 |
| SHA256 | 0267d30b2ad2cb4a0c0e815e8cd3b22468c0ed2edf94a36ca074348dd128a0c2 |
| SHA512 | 0a685ca8fb362ff11814e61208312331712c41b4b92de25f4fb0a8165247c39211d87c59d5f2486d8cbeefdb6b49fe55d3129055ea5e3d238c7215b58bf1fec0 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | c642aad4c7d63a675f31efb62bf0c9f1 |
| SHA1 | 331a335cfebd61b4931c8d3839b56e7d24676501 |
| SHA256 | 5c8e21f8199738efe2a127024871336903699bf774dd5cf64dc305d810f05446 |
| SHA512 | 50722a0aa974627de57dfbb95c201cd79a5493df3213f03ac73ae6be99cb289812536c47ea2df019292f14c48a025fce9ded8ff3aa82b13343349e9a5feb7088 |
C:\AdobeNN\abodsys.exe
| MD5 | 3eae10f76a8a4435a3e23e932f1cf3d0 |
| SHA1 | 0126aae13449d912e444a76f5031e29e3a732bad |
| SHA256 | 55da8ab2bae66f1627d70b9194e3f2981e1fe6c2fd1e8a221e3131fad2161fd1 |
| SHA512 | 3e6efa53c21485e0d01e7432f84ff1930a7f96df83ee15f1edb3ae105a40624084eed591c3626ed0fc76fb286d81e510cb87b78e3f2c3b1a921ecebcac9f2f56 |
C:\MintE2\optixsys.exe
| MD5 | ca7a01e38b94d6667ed7478a141626d7 |
| SHA1 | ac444159fbd8ca3f719fd2745d3a23fddc9c598e |
| SHA256 | 5321872281032d17cc3d1ec1909ce23d0f04b9c9476a45f19c41501c5b2569a9 |
| SHA512 | cd75c0a0d4abeeee79187999fdf8994b1b52818737f26031846ae7ae3307418b1a464fde80d29492ba500d6b742791408a04f6e34819a141bd3602e5ffb89b5c |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 6bf600e114410e8b20acae0350a779f4 |
| SHA1 | 224b9cba6296aa6bd81cd1e5f9a0c17b39994dad |
| SHA256 | fb19b29cdf57c6a5c7e5c69ea493fb141b697785703754dea68d0d034084fdb5 |
| SHA512 | 653d05302444a3119d35156cc0ecd858d076ea50ee53cbfd682bbb98e4024cc6b3929085aa62b07f2a18ed3ca7c7517d5f7500b626345d570271bcdf5f8cf14a |
C:\MintE2\optixsys.exe
| MD5 | f0ddb5105cbc59bc000a6904e0116790 |
| SHA1 | 5a6f6595194c0aa35f10eb66b0f6d2e648c85a45 |
| SHA256 | d175e3831e3fc7345c40ec5479de339614620fdb686bff7b7abf087eea975b11 |
| SHA512 | 4a3544798558ff543c06386cde69ccdb2aac71978ae3215fd4ffa13636c9102e353da621f599c499cef265e7c6dac67a9f587c2d6f1502ad0b37c83fcfb0b6b8 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 14:32
Reported
2024-11-13 14:35
Platform
win7-20240903-en
Max time kernel
119s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\57e389f40cf57f59eadaf9e0225d29e437d67109820c21f4e4a4de3f54fd3fc8N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\IntelprocRJ\xdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57e389f40cf57f59eadaf9e0225d29e437d67109820c21f4e4a4de3f54fd3fc8N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57e389f40cf57f59eadaf9e0225d29e437d67109820c21f4e4a4de3f54fd3fc8N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocRJ\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\57e389f40cf57f59eadaf9e0225d29e437d67109820c21f4e4a4de3f54fd3fc8N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxQ0\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\57e389f40cf57f59eadaf9e0225d29e437d67109820c21f4e4a4de3f54fd3fc8N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\57e389f40cf57f59eadaf9e0225d29e437d67109820c21f4e4a4de3f54fd3fc8N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocRJ\xdobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\57e389f40cf57f59eadaf9e0225d29e437d67109820c21f4e4a4de3f54fd3fc8N.exe
"C:\Users\Admin\AppData\Local\Temp\57e389f40cf57f59eadaf9e0225d29e437d67109820c21f4e4a4de3f54fd3fc8N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
C:\IntelprocRJ\xdobsys.exe
C:\IntelprocRJ\xdobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
| MD5 | 7a1ade2670c6f76e20d2c62468985c8a |
| SHA1 | 4864412fdc1a6fb2d63b499a7c8efbd3c713ba92 |
| SHA256 | dd2bf19c52e240f7b32e79d15dcbbcccdb00c3eb8e2ee5be3b532f329b392ba4 |
| SHA512 | a3cfe540d288a8e2d909b99ab58d94f6d1a3acb913a77178353c0f3eedd7d9f6dffefb09754e0581f893ed0a3c0b8f953d10a959bad8f1040a9afbd809650e9d |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | f8e5ed85d78cd8d866db65db67390fe6 |
| SHA1 | a7cc2954b449223af26fb4186fd0c5cbc6fc175d |
| SHA256 | 2ce94587b2182dfdccc09edd1f926bdc13bf97973a8057338448681536f93859 |
| SHA512 | b2be38f58a7a3fdb65804eb26aa9be96faba3942e2f6f9c730fa3b9e53a6997f0c6d4d559344e67afd7ea5b9168852b0b45c375c8923a3d6b2824679de76668b |
C:\IntelprocRJ\xdobsys.exe
| MD5 | 277bc1d81034205fcfa8b4981e734cac |
| SHA1 | 2ef949523a99ecb9942f6a445b162a8d6fc39405 |
| SHA256 | 3de54fd35d82c6a91b4cbcdaa94ff0782ec0cfe5b7b4fe75736a0b6a2722966c |
| SHA512 | fa84c48afcbfb29378b7e1048889055e57f8d8908b65245de69caa590c51be1ff3de29df6d4de6191477ae3775d4f86f3112885e4d843d68368d99424ecee010 |
C:\GalaxQ0\bodaec.exe
| MD5 | c828d35e0ba6ac58e41eb6e743a774e7 |
| SHA1 | 30af081f8370a05a121a7753c352b4c262bcb47f |
| SHA256 | 9c8f049f21e2991031fb74a59d33337ffd86c0e79819a506320d7c8681f03268 |
| SHA512 | 5fc8f74e15f5da8e259e2a9acf54b38382f59042fa62a0152a22fddb972f428b9ed652433dcbe2131f45595ca6f8a9340dab88492f6f51b702149e11f06bcc70 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 99c3150bf2c763ff229c4649e2f2d11e |
| SHA1 | 6370f93c0b6c2f080fad8bcccd4977c19066f23a |
| SHA256 | 172dec725757a43d35661cd726cfaf8c18ca6c05c461a94bf59362d2d228556b |
| SHA512 | 7e11b7748395c37f54c969501ff3dbba6668fcbedeff0e6ec670c16f5fe4c7155b0fdd774b1f3fb394b3677ddc062b44fc7d6f9d6f74a4b0257231c2bd4ebfcb |
C:\GalaxQ0\bodaec.exe
| MD5 | 1b863ef4832b3b673c3e8309fe7a056d |
| SHA1 | c81447c199cdf32ba7b4e15c888c8c1a2245b63e |
| SHA256 | 82b05f0c90264b228c8a74e1ed883bd9cff86ef793e217704a0b608560c17caf |
| SHA512 | 8ee54bfe5199cb3b1c4043860dda8d942903a8338342123788bb9a6e7c04a8f9f94f94490cac6370c6fc38ec4aa4d0a8a523fb38b4f136beae33f1b03f27f407 |
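Across both detonations the dropper builds the same persistence shape from different randomised directory and file names: a copy of itself in the user's Startup folder (locxdob.exe, sysdevdob.exe), a Run value named Parametr pointing at an executable in a freshly created root-level directory (C:\AdobeNN, C:\IntelprocRJ), and a RunOnce value with the same name pointing at a second executable (C:\MintE2, C:\GalaxQ0). The value name is the part that stays constant, which makes it the better hunting pivot than any of the paths or hashes. The Python below is an added example, not part of this report or of the sandbox's tooling: it parses indicator rows in the format of the "Drops startup file" and "Adds Run key" tables above (rows copied from both runs), flags autostart entries whose target lies outside the usual install locations, and maps them to ATT&CK T1547.001 (Registry Run Keys / Startup Folder). The trusted-directory list, the Finding type and the one benign row are constructed assumptions.

```python
"""Flag autostart persistence in sandbox indicator rows.

Added example for this report; not the sandbox's own tooling. SAMPLE_ROWS is
copied from the signature tables of both detonations above; BENIGN_ROW, the
trusted-directory list and the Finding type are constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Run / RunOnce value under a user SID or the machine hive; group 2 = key, 3 = value name,
# 4 = string data as the report prints it (backslashes doubled).
RUN_KEY_RE = re.compile(
    r'\\REGISTRY\\(USER\\S-1-5-21-[\d-]+|MACHINE)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion'
    r'\\(Run|RunOnce)\\([^\s=]+)\s*=\s*"(.*)"\s*$',
    re.IGNORECASE,
)
STARTUP_DIR_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE
)
# Assumed allow-list: where legitimately installed autostart targets usually live.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\57e389f40cf57f59eadaf9e0225d29e437d67109820c21f4e4a4de3f54fd3fc8N.exe"

SAMPLE_ROWS = [
    "| Description | Indicator | Process | Target |",
    # behavioral2 (win10v2004)
    r"| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | " + DROPPER + " | N/A |",
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeNN\\abodsys.exe" | ' + DROPPER + " | N/A |",
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintE2\\optixsys.exe" | ' + DROPPER + " | N/A |",
    # behavioral1 (win7)
    r"| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | " + DROPPER + " | N/A |",
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocRJ\\xdobsys.exe" | ' + DROPPER + " | N/A |",
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxQ0\\bodaec.exe" | ' + DROPPER + " | N/A |",
]

# Constructed benign row: a machine-wide Run value pointing into C:\Windows.
BENIGN_ROW = r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Windows\\system32\\SecurityHealthSystray.exe" | C:\Windows\System32\svchost.exe | N/A |'


@dataclass(frozen=True)
class Finding:
    technique: str  # ATT&CK sub-technique
    location: str   # "Run\<name>", "RunOnce\<name>" or "Startup folder"
    target: str     # executable that will run at logon
    process: str    # process that created the entry


def parse_row(row: str) -> tuple[str, str, str] | None:
    """Split '| Description | Indicator | Process | Target |' into its first three cells."""
    cells = [c.strip() for c in row.strip().strip("|").split("|")]
    if len(cells) < 3 or cells[0] in ("Description", "N/A"):
        return None
    return cells[0], cells[1], cells[2]


def unquote_path(raw: str) -> str:
    """The report doubles backslashes in registry string data; undo that."""
    return raw.replace("\\\\", "\\")


def is_trusted(path: str) -> bool:
    return path.lower().startswith(TRUSTED_PREFIXES)


def analyse(rows: list[str]) -> list[Finding]:
    """Return one Finding per autostart entry whose target is outside the trusted prefixes."""
    findings: list[Finding] = []
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            continue
        description, indicator, process = parsed
        if description.startswith("Set value"):
            m = RUN_KEY_RE.search(indicator)
            if m:
                key, name, data = m.group(2), m.group(3), m.group(4)
                target = unquote_path(data)
                if not is_trusted(target):
                    findings.append(Finding("T1547.001", f"{key}\\{name}", target, process))
        elif description == "File created" and STARTUP_DIR_RE.search(indicator):
            # Anything written to the per-user Startup folder runs at logon.
            findings.append(Finding("T1547.001", "Startup folder", indicator, process))
    return findings


def run_value_names(findings: list[Finding]) -> set[str]:
    """Value names used under Run/RunOnce: the stable pivot across the two detonations."""
    return {f.location.split("\\", 1)[1] for f in findings if f.location.startswith(("Run\\", "RunOnce\\"))}


if __name__ == "__main__":
    for f in analyse(SAMPLE_ROWS):
        print(f"{f.technique} {f.location:<18} -> {f.target}")
    print("value names:", run_value_names(analyse(SAMPLE_ROWS)))
```

The trusted-prefix allow-list only suppresses the obvious benign entries; a target under C:\Program Files can still be hostile (a dropped binary in a writable vendor directory, for instance), so treat it as a triage filter rather than a verdict. When hunting across an estate, search Run and RunOnce for the value name Parametr first, then for the Startup folder drops, since the directory and file names in this report are per-sample.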