Analysis Overview
SHA256
03a36c6102726577e6e2db85ec5fbe77bc1441da0c529143b28a39337c731e08
Threat Level: Shows suspicious behavior
The file 03a36c6102726577e6e2db85ec5fbe77bc1441da0c529143b28a39337c731e08N.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 14:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 14:34
Reported
2024-11-13 14:36
Platform
win7-20240903-en
Max time kernel
120s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | C:\Users\Admin\AppData\Local\Temp\03a36c6102726577e6e2db85ec5fbe77bc1441da0c529143b28a39337c731e08N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| N/A | N/A | C:\IntelprocQ9\devdobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03a36c6102726577e6e2db85ec5fbe77bc1441da0c529143b28a39337c731e08N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03a36c6102726577e6e2db85ec5fbe77bc1441da0c529143b28a39337c731e08N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocQ9\\devdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\03a36c6102726577e6e2db85ec5fbe77bc1441da0c529143b28a39337c731e08N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintN0\\boddevsys.exe" | C:\Users\Admin\AppData\Local\Temp\03a36c6102726577e6e2db85ec5fbe77bc1441da0c529143b28a39337c731e08N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\03a36c6102726577e6e2db85ec5fbe77bc1441da0c529143b28a39337c731e08N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocQ9\devdobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\03a36c6102726577e6e2db85ec5fbe77bc1441da0c529143b28a39337c731e08N.exe
"C:\Users\Admin\AppData\Local\Temp\03a36c6102726577e6e2db85ec5fbe77bc1441da0c529143b28a39337c731e08N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
C:\IntelprocQ9\devdobloc.exe
C:\IntelprocQ9\devdobloc.exe
Network
Files (a path listed twice was written with two different contents during the run; each version is hashed separately)
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
| MD5 | 1611f3b51d8c6765968671a13eb81368 |
| SHA1 | 4118641e605ff05420dbda540ee4be7b07927af1 |
| SHA256 | 6de4742b2af13ea8faac8e152a9345da9b10277e4d75cd65860d98e3339d30fc |
| SHA512 | e2a23c4ccd76a001540428a7321f2d034d6a393e8ed84e59688b785aaf4315353f9fba65099ec65445ba0286790095d950f416b8de4b1dbc26d128ecc0cb7f2f |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 3199f8561a75440f05006c3a341ba7ba |
| SHA1 | 64e7f21c93edfce590d354ca76a60d82251ee213 |
| SHA256 | e34e0068785a5ac100eca91c3c68f5a5add4768d198bb1686149a257281bb637 |
| SHA512 | 207390f78c8f3020ac49132d5cf9db84819d43503e9211fbe326b9be3fec5b76a3cc09ab50a8bb2286aee80260127c1f8868ea841bedd16a961ed3f0a045cbba |
C:\IntelprocQ9\devdobloc.exe
| MD5 | 077f6ba58214b68d46977574827542cc |
| SHA1 | 376e63dad8bc77c4ecd51e2988f533de6ef801d7 |
| SHA256 | 3c9700eb618158abc0b116f2d9116d137fd5d3b669708a0813ceb5170d128851 |
| SHA512 | 1cbc6e5db97986105f59d766a566f3622e6890bba5138998046e3ff14211ba3546fe9e72829f9b8863501474103aad482478f337092cd04eedca8ddb2dc8a4bd |
C:\MintN0\boddevsys.exe
| MD5 | 177a2a277f4d10e6cb68b6d8b6728dbf |
| SHA1 | 19c1fa314692505afe8f11917b5e7b2341123635 |
| SHA256 | d2c5d1e751d8ccfd59b78bdd336010a5e44206081e672a0a96960934a054f042 |
| SHA512 | 41d06bbf5fc8bb3c957031784e151ac084d097bfa1a874af66ac70b47715f5fd20e182270a9455892dbc88cb154b2052333d4e4eaf1333d181f3219ae9f224b2 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 3f044ae583317cee9f6afd71da1b6072 |
| SHA1 | f26e88cc8bcce5f130aae7c951b8807c170695f9 |
| SHA256 | d1d4d28d98357fedc04ce43458fc04c7d54dd296611b3528132263d2cc4493c3 |
| SHA512 | af060193937d10a3595a458daf72c122abc9495f1016d7eee02b2f11c174be70195f5fd9093f58dfa3ee19d0b1da3994b1d5ba821409280e424c954890cd2364 |
C:\MintN0\boddevsys.exe
| MD5 | ca883de0460390720b9823e0e4318be0 |
| SHA1 | c8eedb997c3cd0994f1e96fb269b37315e0bb954 |
| SHA256 | 726d2dfaa0a24f6071954c1f8bc4281f5c3644a2c6456ee4771f9e060939cf7b |
| SHA512 | 36316b84a365d345e4d7cc03a63e5fd4584cee088f865e73369fe8e28037f53d00b370bf40a0da33ba31f3bd740b8723462fcbf17716bcf2e3d8d6d65b82b892 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 14:34
Reported
2024-11-13 14:36
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\03a36c6102726577e6e2db85ec5fbe77bc1441da0c529143b28a39337c731e08N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\AdobeF0\abodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeF0\\abodloc.exe" | C:\Users\Admin\AppData\Local\Temp\03a36c6102726577e6e2db85ec5fbe77bc1441da0c529143b28a39337c731e08N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax7E\\optixec.exe" | C:\Users\Admin\AppData\Local\Temp\03a36c6102726577e6e2db85ec5fbe77bc1441da0c529143b28a39337c731e08N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\03a36c6102726577e6e2db85ec5fbe77bc1441da0c529143b28a39337c731e08N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeF0\abodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
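The persistence and discovery indicators shared by the behavioral1 and behavioral2 runs (an .exe dropped into the user's Startup folder, a Run and a RunOnce value both named Parametr pointing into freshly created directories directly under the drive root, and reads of the NLS\Language key) are the parts of this report a responder would turn into detection logic. The block below is an added example written for this page; it is not sandbox output and not code from the sample. It parses indicator strings in the same form the report's tables use, flags the persistence pattern, and extracts the on-disk paths worth hunting for. SAMPLE_EVENTS is constructed from the behavioral1 tables above plus one control event (the .ini write from the Files section) that should not fire; the ATT&CK IDs T1547.001 and T1614.001 are the editor's mapping of the signature names (the report shows only names), and the rule names and the KNOWN_ROOT_DIRS list are the example's own choices.

```python
import re
from dataclasses import dataclass

# Constructed sample input: (Description, Indicator) pairs reproduced from the
# behavioral1 tables of the report, plus one constructed control event (the
# .ini write listed under Files) that must not be flagged.
SAMPLE_EVENTS = [
    ("File created",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"),
    ("Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocQ9\\devdobloc.exe"'),
    ("Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintN0\\boddevsys.exe"'),
    ("Key opened",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    ("File created", r"C:\Users\Admin\253086396416_6.1_Admin.ini"),
]

# Report format: <key>\<value name> = "<data>", with backslashes in data doubled.
_SETVALUE_RE = re.compile(r'^(?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\]+) = "(?P<data>.*)"$')
_AUTORUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.IGNORECASE)
_STARTUP_EXE_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.IGNORECASE)
_NLS_LANGUAGE_RE = re.compile(r"\\Control\\NLS\\Language$", re.IGNORECASE)

# Top-level directories that legitimately hold executables (example's own list);
# an autorun target under any other root-level directory is flagged.
KNOWN_ROOT_DIRS = {"windows", "program files", "program files (x86)", "programdata", "users"}


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK technique id (editor's mapping of the signature name)
    rule: str        # which check fired
    evidence: str    # the indicator, or "<value name> -> <target>" for registry values


def parse_set_value(indicator):
    """Split a 'Set value (str)' indicator into (key, value_name, data).

    Collapses the doubled backslashes the report uses inside the quoted data.
    Returns None if the line is not in that form.
    """
    m = _SETVALUE_RE.match(indicator)
    if not m:
        return None
    data = m.group("data").replace("\\\\", "\\")
    return m.group("key"), m.group("name"), data


def in_adhoc_root_dir(path):
    """True for <drive>:\\<dir>\\... where <dir> is not a standard top-level directory."""
    parts = path.split("\\")
    if len(parts) < 3 or not re.fullmatch(r"[A-Za-z]:", parts[0]):
        return False
    return parts[1].lower() not in KNOWN_ROOT_DIRS


def analyze(events):
    """Run the persistence and discovery checks over (description, indicator) pairs."""
    findings = []
    for description, indicator in events:
        if description == "File created":
            if _STARTUP_EXE_RE.search(indicator):
                findings.append(Finding("T1547.001", "startup_folder_exe", indicator))
        elif description == "Set value (str)":
            parsed = parse_set_value(indicator)
            if parsed is None:
                continue
            key, name, target = parsed
            if _AUTORUN_KEY_RE.search(key):
                rule = "autorun_adhoc_root_dir" if in_adhoc_root_dir(target) else "autorun_value"
                findings.append(Finding("T1547.001", rule, f"{name} -> {target}"))
        elif description == "Key opened":
            if _NLS_LANGUAGE_RE.search(indicator):
                findings.append(Finding("T1614.001", "nls_language_query", indicator))
    return findings


def file_iocs(findings):
    """Collect the on-disk paths (dropped startup file, autorun targets) to hunt for."""
    paths = set()
    for f in findings:
        if f.rule == "startup_folder_exe":
            paths.add(f.evidence)
        elif f.rule.startswith("autorun"):
            paths.add(f.evidence.split(" -> ", 1)[1])
    return paths


if __name__ == "__main__":
    results = analyze(SAMPLE_EVENTS)
    for finding in results:
        print(f"{finding.technique} {finding.rule}: {finding.evidence}")
    print("IOC paths:", sorted(file_iocs(results)))
```

The root-directory rule is what separates this sample's persistence from ordinary software: both runs write the Run target into a two-component path such as C:\IntelprocQ9\ or C:\AdobeF0\, and the RunOnce target into another (C:\MintN0\, C:\Galax7E\), so the same four findings come out of the behavioral2 indicators if they are substituted for SAMPLE_EVENTS.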
Processes
C:\Users\Admin\AppData\Local\Temp\03a36c6102726577e6e2db85ec5fbe77bc1441da0c529143b28a39337c731e08N.exe
"C:\Users\Admin\AppData\Local\Temp\03a36c6102726577e6e2db85ec5fbe77bc1441da0c529143b28a39337c731e08N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
C:\AdobeF0\abodloc.exe
C:\AdobeF0\abodloc.exe
Network
All recorded traffic is reverse-DNS (PTR) lookups sent to 8.8.8.8; the report attributes them to no process and lists no forward lookups or non-DNS connections, so on this evidence alone they cannot be tied to the sample rather than to background activity of the analysis VM.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files (a path listed twice was written with two different contents during the run; each version is hashed separately)
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
| MD5 | ce793ec0e1927aaceafc5c9ba07d44fb |
| SHA1 | 4d8a460f054442d1090b8074d4451a4100149864 |
| SHA256 | c27bcf68337cf696a9d5ee0af9077570a90dff5730bbb2b3e02d61643e838d70 |
| SHA512 | db57e470b5e7aefc8a2c80a7d5068a5b262db56ff0a5fe7233b1a6ef3ad51aed1996e9811118fd0d61fa3a9dd6789884a956042b6d169ea393487e23bd9a72d8 |
C:\AdobeF0\abodloc.exe
| MD5 | 454c9442e2d31731848c17e6c1e354d3 |
| SHA1 | ef26427582149c4640c4933e037131bfb48527c2 |
| SHA256 | 5f6165033f9bf78223dbc6c74f4fbcc2fe916cced312efe139cc0face6a3f200 |
| SHA512 | 1dc591df0c5b3bdf938346eb23e9118fc362a3c3e74d97d5095cbef3dc00c44b1f62313a780158a961927eb19e5f8e144e2468866b806933d30925ac9b50f814 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 5fd2ed02a87a7455b7ae5876a14d07d7 |
| SHA1 | a79b15bf8ac7af1f6d0669ecdb8c194c91baf65d |
| SHA256 | ba81e3dc4a456df85ebc318a34b74c5efb2ce76a5becbf6edc22597b41f25884 |
| SHA512 | f3cd749715e378d6d08b03eb13115125a6c0111c71eb2ac6f350b31e7da1048bbd238a2afbdeb95172ca227893d76e670470124c082a7125f1c4ba6ff59d309d |
C:\Galax7E\optixec.exe
| MD5 | 7b3d2133ea75e9cb8717fcf23e8a1e90 |
| SHA1 | 3b06fc157781703a1a992600503f75754383e6e8 |
| SHA256 | 6b88c006fc7b40af95626ffd00f5649c6e21df8719a9e68ef412055c6fb9b509 |
| SHA512 | 95a6ec7b0f5516496df32ad3f2017a6462bee65a81a24a7e3255a742ef2b167505d96a751b5d4ce362728fe59df8e6250f3c420423c9176cb9879cdd01581234 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 1add4a72860a86c8593250b2c3780e48 |
| SHA1 | f4937d899ef272071243285fe999e0ed771b4666 |
| SHA256 | 43a2cf1430471ac992b9d500bee66740e0b0aa4ae64b44317c828e5f20bd9f1e |
| SHA512 | 58f804162a5fc09a512fca0b8207916628820b7cb1968a6b1ff59ccf1c5f7715b200d888551c1b6b3dd16b1c3dc27a307ac497d4cc27dc9c2ea19e0d1d3c0d57 |
C:\Galax7E\optixec.exe
| MD5 | 5460b10c42b06e262412fc3e28bc22ec |
| SHA1 | 293983cb6589fb09095e36026a8b83e08a005391 |
| SHA256 | 8b5ce7ffa24e877429ef276eb2d9700eb12ccf478560a35a998ec5c0ec97522a |
| SHA512 | 08a31e3d00c6c398e3b1468e024fe769c128129c510bf226ef2d306b7123844e3dc77b234b498bf5f6922cc9b4818e578dec1fd4ee858cda5d2a5ab5b21dda14 |