Analysis Overview
SHA256
d3a2b588cee0ce7fdd53f002dde95bc5f40b91d14cb54622f52a4a04f679cbe7
Threat Level: Shows suspicious behavior
The file d3a2b588cee0ce7fdd53f002dde95bc5f40b91d14cb54622f52a4a04f679cbe7.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Drops startup file
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 15:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 15:05
Reported
2024-11-13 15:07
Platform
win7-20240903-en
Max time kernel
120s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\d3a2b588cee0ce7fdd53f002dde95bc5f40b91d14cb54622f52a4a04f679cbe7.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\SysDrv7S\xdobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d3a2b588cee0ce7fdd53f002dde95bc5f40b91d14cb54622f52a4a04f679cbe7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d3a2b588cee0ce7fdd53f002dde95bc5f40b91d14cb54622f52a4a04f679cbe7.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv7S\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\d3a2b588cee0ce7fdd53f002dde95bc5f40b91d14cb54622f52a4a04f679cbe7.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ8Z\\bodxsys.exe" | C:\Users\Admin\AppData\Local\Temp\d3a2b588cee0ce7fdd53f002dde95bc5f40b91d14cb54622f52a4a04f679cbe7.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrv7S\xdobec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d3a2b588cee0ce7fdd53f002dde95bc5f40b91d14cb54622f52a4a04f679cbe7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d3a2b588cee0ce7fdd53f002dde95bc5f40b91d14cb54622f52a4a04f679cbe7.exe
"C:\Users\Admin\AppData\Local\Temp\d3a2b588cee0ce7fdd53f002dde95bc5f40b91d14cb54622f52a4a04f679cbe7.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
C:\SysDrv7S\xdobec.exe
C:\SysDrv7S\xdobec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\SysDrv7S\xdobec.exe
C:\LabZ8Z\bodxsys.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 15:05
Reported
2024-11-13 15:07
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\d3a2b588cee0ce7fdd53f002dde95bc5f40b91d14cb54622f52a4a04f679cbe7.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\AdobeDI\adobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeDI\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\d3a2b588cee0ce7fdd53f002dde95bc5f40b91d14cb54622f52a4a04f679cbe7.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxCD\\optiaec.exe" | C:\Users\Admin\AppData\Local\Temp\d3a2b588cee0ce7fdd53f002dde95bc5f40b91d14cb54622f52a4a04f679cbe7.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeDI\adobsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d3a2b588cee0ce7fdd53f002dde95bc5f40b91d14cb54622f52a4a04f679cbe7.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d3a2b588cee0ce7fdd53f002dde95bc5f40b91d14cb54622f52a4a04f679cbe7.exe
"C:\Users\Admin\AppData\Local\Temp\d3a2b588cee0ce7fdd53f002dde95bc5f40b91d14cb54622f52a4a04f679cbe7.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe"
C:\AdobeDI\adobsys.exe
C:\AdobeDI\adobsys.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
C:\AdobeDI\adobsys.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\GalaxCD\optiaec.exe