Analysis Overview
SHA256
38cfe716f428dea19c600b8f14424c2651610671620beb95f649f4a7a00b7288
Threat Level: Shows suspicious behavior
The file 38cfe716f428dea19c600b8f14424c2651610671620beb95f649f4a7a00b7288N.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 15:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 15:35
Reported
2024-11-13 15:37
Platform
win7-20240903-en
Max time kernel
119s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | C:\Users\Admin\AppData\Local\Temp\38cfe716f428dea19c600b8f14424c2651610671620beb95f649f4a7a00b7288N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| N/A | N/A | C:\AdobeSM\devoptiloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\38cfe716f428dea19c600b8f14424c2651610671620beb95f649f4a7a00b7288N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\38cfe716f428dea19c600b8f14424c2651610671620beb95f649f4a7a00b7288N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeSM\\devoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\38cfe716f428dea19c600b8f14424c2651610671620beb95f649f4a7a00b7288N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid49\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\38cfe716f428dea19c600b8f14424c2651610671620beb95f649f4a7a00b7288N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\38cfe716f428dea19c600b8f14424c2651610671620beb95f649f4a7a00b7288N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeSM\devoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\38cfe716f428dea19c600b8f14424c2651610671620beb95f649f4a7a00b7288N.exe
"C:\Users\Admin\AppData\Local\Temp\38cfe716f428dea19c600b8f14424c2651610671620beb95f649f4a7a00b7288N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
C:\AdobeSM\devoptiloc.exe
C:\AdobeSM\devoptiloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
| MD5 | 9126545409f754d782e2116f6fe9d648 |
| SHA1 | c4b60ed3766851259a33623a0fbda2f07f5f7874 |
| SHA256 | ea9950adf981005dab8ad2dd6d2d7001286dbec7024b2408992531b36336acb5 |
| SHA512 | d53b05c44031246063d83ec76f0ac4554f7df7f8c11390b5fa466194d9fd1a188c467ea46baab8a414bd4c3d3cb3a219f07d694c3d8741e522d7aaf36c014870 |
C:\AdobeSM\devoptiloc.exe
| MD5 | e9ab64e7b22f5c90869ed3265e0cac3f |
| SHA1 | 392097d686b6b468223655925c4cff4732740bb4 |
| SHA256 | 5dd49b696cf59197c72d54c09077338470a12cc1d21fc724489fec128734521f |
| SHA512 | b89610b98c341f0c08933fc262cd7892ab2f84838a2070d2de666135b69a428a575a2bd32d8fac4ed375256a6acb0df195125c33e0b021bbd4659f8513903fb2 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 117180381311c76a3f23a5a91c37e9d1 |
| SHA1 | c6d1629935dc9f2e2767f73b67b629669405c125 |
| SHA256 | 60a62210c2a5cd8ba48ae5fb440d3ceb260bb2a0aa4777cd6455ba6317e4afe0 |
| SHA512 | 225060b71fef1a08915d2ff4a4db986dbedab1491ebc90793983d48bbf6dd9621dbe87c19cc1904e4aa454a9d78cc759e95b89adc677661b9f26b2c5bffce14c |
C:\Vid49\optidevsys.exe
| MD5 | 1ae41dac81aec23c1d4f0a3d3fa4cce9 |
| SHA1 | 17f0305cab27cc128380b56c723c97e02b4af3e1 |
| SHA256 | ab37ec9abb0f9924d37dad0adfbe50f9a2988a80e664e1f2f6314fb7e026617a |
| SHA512 | f57279d5ac3e3f64c66b4d0078d0a296699125d34e77509504a4da8ac72cdde84b65efc2fd996069c6b672adc1063f677d0301999b33c0ca625421da01728481 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 492312f2de1fff4308cc1890b995138f |
| SHA1 | e12290207aa9e9e963efa85c3df4714ff7435d6a |
| SHA256 | a390a81493015f027efca4cbb2086eb240d1d667b326e7f6fefcf8ef25ec6405 |
| SHA512 | 7927337446057be208ad4d357d9f8b6029e71758b5f81c0edebc2b64687b847179d4848054a6b529221332350a699947628039f09d4e1fc03c5f81113b239361 |
C:\Vid49\optidevsys.exe
| MD5 | 6ec97896a5db24fa49ad04cea21aecbf |
| SHA1 | adeb6921f0f1a5d586756972c8beae6f3727d6f7 |
| SHA256 | 0aaea9b5390d7252c4d9ee6ef3c39275c6e34907fbb261f9e1cbcf0adf1f2b49 |
| SHA512 | 59aaffe7d943eb9f9f7477f7be2960429574fe1c5127ede5feb033aaba71e4d501672fa46a07102c27e7e471e4e2a112336b39dcaf56b19646ac416579b70cb8 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 15:35
Reported
2024-11-13 15:37
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
97s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\38cfe716f428dea19c600b8f14424c2651610671620beb95f649f4a7a00b7288N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\IntelprocE6\xdobec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocE6\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\38cfe716f428dea19c600b8f14424c2651610671620beb95f649f4a7a00b7288N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZQB\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\38cfe716f428dea19c600b8f14424c2651610671620beb95f649f4a7a00b7288N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\38cfe716f428dea19c600b8f14424c2651610671620beb95f649f4a7a00b7288N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocE6\xdobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\38cfe716f428dea19c600b8f14424c2651610671620beb95f649f4a7a00b7288N.exe
"C:\Users\Admin\AppData\Local\Temp\38cfe716f428dea19c600b8f14424c2651610671620beb95f649f4a7a00b7288N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
C:\IntelprocE6\xdobec.exe
C:\IntelprocE6\xdobec.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
| MD5 | 3868d8e314b57c687ae8a655cd5679f0 |
| SHA1 | 9bad64e5b5917f3decc35912854e0cbfb13cfbca |
| SHA256 | 0c565abafe8710d0178f0df8b8d64466000ba051e08f35972d3050a705a48310 |
| SHA512 | 0ad05977d40679e01da061e59339b75a3b47a9ca4793c4a82267ccb4a7121e888f7d6c20bb4aa62ff30983f71d64a71adc373981f7abc203a5b02edd822b72e5 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 3c41735be421f0031c173266fcab47a6 |
| SHA1 | fa2d12e75806e73c57ac769b074275e416ab1457 |
| SHA256 | 2550ece781fe1249c86c2d4ceb36f5de964c49d6b648eb64a01e428809a2c0f1 |
| SHA512 | 9d6de2239d5389a7e49a747a48b4ffec3fd1ceff5fcab47a25f9b2f243870164ca1a2b16ea30cab2a16e4805c4d1f5875866fdb57838c8816f9c8e31a0a5ad6e |
C:\IntelprocE6\xdobec.exe
| MD5 | 9a9f90c0f539332d5b9d5d98fec2f08e |
| SHA1 | 6b6b2527de965195ddc55f99fee6803dfa6485f4 |
| SHA256 | e68903f6a0907b2f5eedb50315652503d0c62c76979704a5277bd3928779d476 |
| SHA512 | d7fd807f4c713b25c3bdeeaf85e1308d7c7c36b1390b3146692951a8bd6c425d093a09efebe0b59ec7ac895890efd540e4caaf54841000728accac6e0501dbe1 |
C:\LabZQB\bodxloc.exe
| MD5 | a05e25e52ed4afc01f3be47f337330b8 |
| SHA1 | 0d452971ea70992988665924dfc6acbf7af09c6a |
| SHA256 | df9bedc83a53c88335481d0a67f7e6bf1cd54d7ed01347d27c5dc0f9f9c17bed |
| SHA512 | 6d67729fdb637d9e80bb251c0475226c489342def182f4a49c4d5729bd5206a66ca1ad54fdf08864f9d6db6c8354ea10ddb0421c1a946e7d5540bd53afda48dd |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | b0c2889f4af3df2755ae627aac2905fc |
| SHA1 | 67e893b26cce1be707d15a1ca7ae5bf1ea6fd8a8 |
| SHA256 | 662295bb5eda94fdb0a1e0db99832d902ae864b46f78058bdd0a2f1bebd5e269 |
| SHA512 | bd35f5f8b203004893c948f4a749c02e76891b3514c7ecf7c45099616cf68a2fd43cc15ea489a597f7656c9218087953f308bccac2a8a99efb4a8078ad349597 |
C:\LabZQB\bodxloc.exe
| MD5 | 0f0a79738b6b614360d5e3e0a450150b |
| SHA1 | 0a09663d9e31d143dac6400c13d4f858b66809ae |
| SHA256 | 6d0fa5cdd0f9774a7a73809963cea452c9de5a1f444a643eeea83e83ca62a18b |
| SHA512 | c90bbada3daf0ff6672af4069eec6577d388c1d538d40ff9da637e0971f7be73bd8d5a89c17103665d9360c8314499b0842b1663e6edd0a317e3bc955fd94396 |