Analysis Overview
SHA256
c172b5601be026d4f6e9fd7954d7068442205b752a8c1d467ddcd69fc1f12370
Threat Level: Shows suspicious behavior
The file c172b5601be026d4f6e9fd7954d7068442205b752a8c1d467ddcd69fc1f12370N.exe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 14:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 14:37
Reported
2024-11-13 14:39
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | C:\Users\Admin\AppData\Local\Temp\c172b5601be026d4f6e9fd7954d7068442205b752a8c1d467ddcd69fc1f12370N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| N/A | N/A | C:\UserDotCB\devbodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotCB\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\c172b5601be026d4f6e9fd7954d7068442205b752a8c1d467ddcd69fc1f12370N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ2S\\dobdevsys.exe" | C:\Users\Admin\AppData\Local\Temp\c172b5601be026d4f6e9fd7954d7068442205b752a8c1d467ddcd69fc1f12370N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c172b5601be026d4f6e9fd7954d7068442205b752a8c1d467ddcd69fc1f12370N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotCB\devbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c172b5601be026d4f6e9fd7954d7068442205b752a8c1d467ddcd69fc1f12370N.exe
"C:\Users\Admin\AppData\Local\Temp\c172b5601be026d4f6e9fd7954d7068442205b752a8c1d467ddcd69fc1f12370N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
C:\UserDotCB\devbodec.exe
C:\UserDotCB\devbodec.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
| MD5 | 13772fcb9ee311d698c86f1ae2cbb2c5 |
| SHA1 | aeec5b58edacca6a28891eaed6bb51c03c23038a |
| SHA256 | 683ec48fb4f95428b65d6ab2e3a65c71b27dc644444886540d3677692d99481c |
| SHA512 | f4b46ddf7462543ee2b2ca66eb7e5f5e98f422909c671b5b1a72566c4607dadbe4983f49514cb2583bb3e6e99b3fe365c9d985896f656e3c0525310104dcc0d3 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | b2312dd16a111830382514d05e82a76d |
| SHA1 | 96f470df32115322e5613086efb33c7423797e03 |
| SHA256 | ba30d4aeadbb577f4afb54ecb1873be597fe9078d784f322c78ffa2fbb026486 |
| SHA512 | 0e58cbc568275a62d0956404e82670b843e83c52ebb390df9507fb4a480f77ba9dcbaa34907a0f22e562071eedb8d743b0681717deedb696c9880262836bf2d3 |
C:\UserDotCB\devbodec.exe
| MD5 | de66a531f652663acd0325e6864ac420 |
| SHA1 | 11216cbe2cde36541239374d7c820c7352499985 |
| SHA256 | 035fa7afe08564ea125d5e445dec01378a06e944a5d70ec1785a30020fe6fb50 |
| SHA512 | 43d01a2a141d40e67220516a5b6c63cf39cc6ccc85905022d91451a17b7f2136a36a9a25248ce0b33ed1e632b7d38b4c2ae326c1c40e12bc5439c00ad29f640a |
C:\UserDotCB\devbodec.exe
| MD5 | ad67d269b0aefe7a81cfaf47bdadcbb7 |
| SHA1 | d43b6ccf3a632ce70dc4df08523cfc7836f5d2b0 |
| SHA256 | 88d80d46fb6729d6d9723c9fcf572b443675d43c4745fdda42d8faca8e293773 |
| SHA512 | 8c926647ac8987d7ac04bbb98f8e0287b9a53d01c07303bb879d24532d6d5d3ef91894be1f48be791c8720f8cf6f5e1a666aea78da7f5a59055111c03260cb90 |
C:\LabZ2S\dobdevsys.exe
| MD5 | fc2e53999fa064f999fb77f0f25da6b7 |
| SHA1 | fb4a4a11ef29e14d18c97fbe3674afb404e3c868 |
| SHA256 | 336fc4f1a33e24159707312bfe2c286344c8a8a8b469c92a23239c4e0dadfef5 |
| SHA512 | c06ed327edec56a1dc90bf594115a84348a7b0c97c9c058c6ecdf84c979ee783de65da6cb413e0b31c5169187e3fdf3695fc1c9bd8c1167e0d9c71e390be137b |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | abe4a61887f5dd12e13b1a38407911cf |
| SHA1 | 891f17df5fa476eb21fdec741c4bf24215713273 |
| SHA256 | 5fb0651636ad65a3d28185719eb0eaac141efdf3d00a923bb74c3e2614f607e2 |
| SHA512 | 61771ae3188ab3222b7d24c8068da6a2fada515cc6cd29271e5c20fbeda4ca56933cd2d97a6f449b0cb7c3a8c83cf10b0db810aae6f7b120486389eb9d693e10 |
C:\LabZ2S\dobdevsys.exe
| MD5 | ad8149efad5d2e4071ef3d63d24ceabe |
| SHA1 | d9aba9d78c1f933f689a38ea9c1178b3f6473752 |
| SHA256 | 0b75cd512473abc0595c4d46a26ed2c3158f74c79c7f74160c120bd6abb36e24 |
| SHA512 | d0d7498e3bd1441918fba41a2156e4abdc18beacc9a028c9fd36ee8d8efbd50fe0994a984cc4e4f1e213cdc302fabc9d3feaba7a0a0846eb854cb8f6b86563ac |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 14:37
Reported
2024-11-13 14:39
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\c172b5601be026d4f6e9fd7954d7068442205b752a8c1d467ddcd69fc1f12370N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\AdobeNZ\adobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c172b5601be026d4f6e9fd7954d7068442205b752a8c1d467ddcd69fc1f12370N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c172b5601be026d4f6e9fd7954d7068442205b752a8c1d467ddcd69fc1f12370N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeNZ\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\c172b5601be026d4f6e9fd7954d7068442205b752a8c1d467ddcd69fc1f12370N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxCL\\optixec.exe" | C:\Users\Admin\AppData\Local\Temp\c172b5601be026d4f6e9fd7954d7068442205b752a8c1d467ddcd69fc1f12370N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c172b5601be026d4f6e9fd7954d7068442205b752a8c1d467ddcd69fc1f12370N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeNZ\adobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c172b5601be026d4f6e9fd7954d7068442205b752a8c1d467ddcd69fc1f12370N.exe
"C:\Users\Admin\AppData\Local\Temp\c172b5601be026d4f6e9fd7954d7068442205b752a8c1d467ddcd69fc1f12370N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
C:\AdobeNZ\adobsys.exe
C:\AdobeNZ\adobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
| MD5 | 81ddb7f5a80123de6b7c40b3a6019c15 |
| SHA1 | dec3a99ad53c85b5018de01bad306caaa0298af4 |
| SHA256 | 9a197c02d518f923e287f22fca297a908f9f8220b095a7c5f26c4f6fef2f0db5 |
| SHA512 | b79d9f678127f500f6c54fc8b72e461d7360c2f82e95a3946de40f3754370d60b28b87bcf645f9aab8079fb38db4d44e4e4a0a4f9e0d7d8d73b60991efc9cc65 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | bb8f482e8b14e0771d0e06a6a9ead244 |
| SHA1 | c6b802bf5347d5df61316d42ac5e6619968944ab |
| SHA256 | 28e7611e6e929ce7ba3965453d1296a968aed625409199883ee3085c2ea8dd80 |
| SHA512 | 14d8cfa352d312f8baeaadd7bc00712eb0d71ae1638ec70506028599527d605e2a3cdf4db261a589dccdb3317e935cdefd68e2ee03c1a6f2d0f5822ef6d074b3 |
C:\AdobeNZ\adobsys.exe
| MD5 | b06107141346fc1f21de8b69df639cbc |
| SHA1 | 4fc8fc3ff808d893471882c466ea2eec3a7fab92 |
| SHA256 | 51e8a84583154e12f041a891a69472c9f2061d7244315dd027865cc02f504f55 |
| SHA512 | 05f1d025d31a00b3d6409b215ea4c42ac864d9f74073a50a2bbcd1af62b80ce4fd1521bfd827dc52cbd96e176a8ce923ecabdcf3a8da29210520bac65ad4df92 |
C:\GalaxCL\optixec.exe
| MD5 | 3c48645b155a6614ef3f91f7e8f4c80b |
| SHA1 | f1341b7e83b033bd08b58b03cf38abde86339fe5 |
| SHA256 | bc852ae10d60d0f4423d0e8f671881506a5b6f8eaaa4f73b8484fdf53f8264b1 |
| SHA512 | 9f6ee933ccaba8ac7e1d88b6e1cb26c0de35b3aa837e46674c3c7c9e7ce572863935439a129d3717418eb7c88246833101ec0b08a62a239dece743e65d69baba |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | caac2ffb9a3c9f207a71adfd87b8a288 |
| SHA1 | c7228dfcd4145cdfe1e1f28484f6a5073eb79f64 |
| SHA256 | affdba1273d088ee14f278ab06acc7fbc5a6dec559bd2e52dfa80e81ba76aeef |
| SHA512 | 7b1b7fbf59217bb82ecc15811b228ae420242e6667a9a155aa4916681167e8326b445924b015b84b19ee378ede2128911ccd65f411f0dabf10fcd81c86333400 |
C:\GalaxCL\optixec.exe
| MD5 | 40c94e64b6967b094115abe4ac431fff |
| SHA1 | c62e499e79e6218db00609b953b4ec1b69168341 |
| SHA256 | e5ce10c68346c46e4db28b6138c6bc160ac56bc12402ec6e8cbe395d2f5c65db |
| SHA512 | 0a377e9b332291bd9f7501f8a518672750d85b91676f8ad002cb3e55eb6c512ad90cacdd104597b2abfaa782c31ffe6c073e117351b9f539f9a3dc02ab83fc91 |