Analysis Overview
SHA256
a75a6b229ab2f80b37f60a84409754e4c680ccdcca993d6c6e3e74ae6725bdac
Threat Level: Suspicious (shows suspicious behavior; no family match)
The file a75a6b229ab2f80b37f60a84409754e4c680ccdcca993d6c6e3e74ae6725bdacN.exe was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 15:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 15:10
Reported
2024-11-13 15:12
Platform
win7-20240903-en
Max time kernel
120s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\a75a6b229ab2f80b37f60a84409754e4c680ccdcca993d6c6e3e74ae6725bdacN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\Adobe5V\devdobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a75a6b229ab2f80b37f60a84409754e4c680ccdcca993d6c6e3e74ae6725bdacN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a75a6b229ab2f80b37f60a84409754e4c680ccdcca993d6c6e3e74ae6725bdacN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe5V\\devdobec.exe" | C:\Users\Admin\AppData\Local\Temp\a75a6b229ab2f80b37f60a84409754e4c680ccdcca993d6c6e3e74ae6725bdacN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid3Q\\dobaloc.exe" | C:\Users\Admin\AppData\Local\Temp\a75a6b229ab2f80b37f60a84409754e4c680ccdcca993d6c6e3e74ae6725bdacN.exe | N/A |
System Location Discovery: System Language Discovery
(Opening NLS\Language is a low-fidelity signal on its own: locale-aware benign software reads the same key. It is listed here because all three processes in the chain do it, not as evidence of malice by itself.)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a75a6b229ab2f80b37f60a84409754e4c680ccdcca993d6c6e3e74ae6725bdacN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Adobe5V\devdobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a75a6b229ab2f80b37f60a84409754e4c680ccdcca993d6c6e3e74ae6725bdacN.exe
"C:\Users\Admin\AppData\Local\Temp\a75a6b229ab2f80b37f60a84409754e4c680ccdcca993d6c6e3e74ae6725bdacN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
C:\Adobe5V\devdobec.exe
C:\Adobe5V\devdobec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
| MD5 | ee7b25c45eae4885c8aa763184d8db87 |
| SHA1 | 94e88b824b599d6492c61a4ca98f652dfafe3368 |
| SHA256 | 69dbdc293962aa14447c448f51a4ac14b078ba8c88b8be5043de870bb9a1ad9f |
| SHA512 | 55d363d703550fbec869cc1d69d2363d10171650a6d8da7becb087a20f2e7dfe326c3972899d153d56dc4ea420b298d410b0f8930444282d965cf03d23e8c9a3 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | fe8ec320843e23fa4e728f20f618d30b |
| SHA1 | 0a00a85a946a12b48c44cefdf564faf4fbdd5155 |
| SHA256 | 4badd3725c1166d3f1dded45536ea077c7b4816e26ba4c9e0958da14858843e0 |
| SHA512 | ce00c9ad308820e03e519045303a832b82693df4cc6fe8aa39ffd76aca9f4097ef9d8e8eb34fdc773ce33e176ed0d9a123263ca51fcc0a13dde4bbe7f4d7e7a0 |
C:\Adobe5V\devdobec.exe
| MD5 | baebd565738a73b1785d23f85b9b1880 |
| SHA1 | 3e776227196d9cbee3a9edf120876f20e6af105e |
| SHA256 | d451bfb56a9629b7c961f22f94e615ae1d66d53c909dab9ab26f8c2232159dd7 |
| SHA512 | 3bc0de8b170643c38e93f2b6c116204a135a96435b5202c60c580af12b14787eda2041a92b0dfede92dceb5ad1f7dd232671d472556ccdd7bae26dd1918902a0 |
C:\Vid3Q\dobaloc.exe
| MD5 | deb8fe0643d238bb18eee0998e4f1443 |
| SHA1 | adeb8fe8a7912f2083dacf3cfc98315023bc5a2d |
| SHA256 | e6ba90ff729c8b9930fb672b1f72948388846bdad429e577048b1d9ae971390a |
| SHA512 | 652979c487c7ae271c4fd0cbedd5d7861ff5811dec0de823a48b7b48f0290f2f14f366a68628db620787bb8333687d4645fb5b440dadeefe165558380cf55a93 |
C:\Adobe5V\devdobec.exe
| MD5 | a255b72e2ebcfad9d16f7b65bd69a077 |
| SHA1 | e429733f7d7ee2a2d5087542bc1f5799f6bfbc9c |
| SHA256 | afefba5b2893497654b607c4771742138d0c88ffd4e0f3d2829fbc4ad7239940 |
| SHA512 | 25e6c4ff3b004b3dfcdb26f45e8e691dde3c3a9b098ad213db3757678826ba241c140d8a9c912014533996cf02fb1a3afe72317b21c280ebe8548cd3f90090fe |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 111a6085b06aab1aa9c057ece6a4e603 |
| SHA1 | 5dd387c99f63670afa8a7c28e764ae7c6269a527 |
| SHA256 | 40769a844faf237947135506eb298023748c6641c76f1e150d0db730a646c50a |
| SHA512 | 940aa451b1d28eae21c346eff4a56e16aa7f9efa1b46d1001bab2144ba5015b700db66ccfb800f330850eb27042989917c49a6eff895b47329ed9159bf17f351 |
C:\Vid3Q\dobaloc.exe
| MD5 | 3462d0c2635584170979be576a21680e |
| SHA1 | fc120beae35b897474d326c7888d66ad8ee30667 |
| SHA256 | 6e84b13bcfd7d9078abda43a97ad75f97857d3b3a0b4a2c83fae1f2a8ab3b1fd |
| SHA512 | a9ae6fc348e81d6d709dc46cada6d725a7435f8454c82640a5c0c0fc44a0eb9b6904e69c0c3e122edd9c54d9b6b3230a21b2d15279881bc16bb097004e3b26b6 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 15:10
Reported
2024-11-13 15:12
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
94s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | C:\Users\Admin\AppData\Local\Temp\a75a6b229ab2f80b37f60a84409754e4c680ccdcca993d6c6e3e74ae6725bdacN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| N/A | N/A | C:\IntelprocYF\aoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZDU\\dobxsys.exe" | C:\Users\Admin\AppData\Local\Temp\a75a6b229ab2f80b37f60a84409754e4c680ccdcca993d6c6e3e74ae6725bdacN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocYF\\aoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\a75a6b229ab2f80b37f60a84409754e4c680ccdcca993d6c6e3e74ae6725bdacN.exe | N/A |
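Both detonations write the same persistence pattern under different random names: an .exe dropped into the per-user Startup folder, a Run value and a RunOnce value both named "Parametr", and each value pointing at an executable in a freshly created directory directly under C:\ (Adobe5V, Vid3Q, IntelprocYF, LabZDU). The following is an added example, not code from the report or from the sandbox vendor, showing how that pattern can be detected over endpoint telemetry. The events are constructed here in Sysmon's field layout (Event ID 1 process create, 11 file create, 13 registry value set) using the paths and SID from the win7 run; the rule names, the list of "expected" root directories, and the two-rule threshold for a high-confidence verdict are choices made for this example. The hash set is copied from the File tables of both runs.

```python
import re
from collections import defaultdict

# SHA-256 values of the dropped executables, taken from this report's File tables
# (each file is written twice in the run, so both versions are listed).
DROPPED_EXE_SHA256 = {
    "69dbdc293962aa14447c448f51a4ac14b078ba8c88b8be5043de870bb9a1ad9f",  # sysaopti.exe
    "d451bfb56a9629b7c961f22f94e615ae1d66d53c909dab9ab26f8c2232159dd7",  # devdobec.exe
    "afefba5b2893497654b607c4771742138d0c88ffd4e0f3d2829fbc4ad7239940",  # devdobec.exe (rewrite)
    "e6ba90ff729c8b9930fb672b1f72948388846bdad429e577048b1d9ae971390a",  # dobaloc.exe
    "6e84b13bcfd7d9078abda43a97ad75f97857d3b3a0b4a2c83fae1f2a8ab3b1fd",  # dobaloc.exe (rewrite)
    "daa0e8533a783e5751a6854c52e2d49fd5c78beae42fe24d343c9cfa65b598ac",  # locabod.exe
    "09c482fb33bccd647ba61966eb7e82fa873370e149a2aab5c35cce234844de14",  # aoptiec.exe
    "1d38c8d468555feca8bb7efd06579642ecfcaeed9810dd56dae7d7859ce38e95",  # aoptiec.exe (rewrite)
    "f0a9b17cc466a4fa298693dd446d41cbb400ed4b89e98681f92cc2bf2d1b85fc",  # dobxsys.exe
    "aa2b64daa9e18da87f9508ef3c4dbe2d58fa884df562f6e97a915b2e62316397",  # dobxsys.exe (rewrite)
}

# HKCU Run / RunOnce value; the value name is captured so "Parametr" can be matched.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# An .exe one directory below the drive root, e.g. C:\Adobe5V\devdobec.exe
ROOT_DIR_EXE_RE = re.compile(
    r'^"?(?P<drive>[A-Za-z]):\\(?P<dir>[^\\]+)\\[^\\]+\.exe"?$', re.IGNORECASE
)
# Root directories where an .exe one level down is ordinary (assumed allowlist).
EXPECTED_ROOT_DIRS = {"windows", "program files", "program files (x86)", "programdata", "users"}
STARTUP_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$",
    re.IGNORECASE,
)


def check_registry(event):
    """Sysmon 13: flag Run/RunOnce values named Parametr or pointing at a root-dir .exe."""
    m = RUN_KEY_RE.search(event["TargetObject"])
    if not m:
        return []
    hits = []
    if m.group("name").lower() == "parametr":
        hits.append("run_value_named_Parametr")
    target = ROOT_DIR_EXE_RE.match(event.get("Details", ""))
    if target and target.group("dir").lower() not in EXPECTED_ROOT_DIRS:
        hits.append(f"{m.group(1).lower()}_points_to_root_dir_exe")
    return hits


def check_file_create(event):
    """Sysmon 11: flag an executable written into the per-user Startup folder."""
    return ["exe_dropped_in_startup_folder"] if STARTUP_RE.search(event["TargetFilename"]) else []


def check_process_create(event):
    """Sysmon 1: flag execution of a binary whose SHA-256 is in the dropped-file set."""
    hashes = dict(kv.split("=", 1) for kv in event.get("Hashes", "").split(",") if "=" in kv)
    return ["known_dropped_exe_executed"] if hashes.get("SHA256", "").lower() in DROPPED_EXE_SHA256 else []


DISPATCH = {13: check_registry, 11: check_file_create, 1: check_process_create}


def detect(events):
    """Map each process image to the set of rules it tripped."""
    findings = defaultdict(set)
    for ev in events:
        for rule in DISPATCH.get(ev["EventID"], lambda e: [])(ev):
            findings[ev["Image"]].add(rule)
    return dict(findings)


def high_confidence(findings):
    """Processes that combined two or more distinct rules (threshold chosen for this example)."""
    return sorted(img for img, rules in findings.items() if len(rules) >= 2)


# Constructed events mirroring the win7 detonation, plus two benign ones that must not fire.
SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a75a6b229ab2f80b37f60a84409754e4c680ccdcca993d6c6e3e74ae6725bdacN.exe"
SID = "S-1-5-21-3290804112-2823094203-3137964600-1000"
EVENTS = [
    {"EventID": 11, "Image": SAMPLE,
     "TargetFilename": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\sysaopti.exe"},
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Parametr",
     "Details": "C:\\Adobe5V\\devdobec.exe"},
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Parametr",
     "Details": "C:\\Vid3Q\\dobaloc.exe"},
    {"EventID": 1, "Image": "C:\\Adobe5V\\devdobec.exe",
     "Hashes": "SHA1=3e776227196d9cbee3a9edf120876f20e6af105e,SHA256=d451bfb56a9629b7c961f22f94e615ae1d66d53c909dab9ab26f8c2232159dd7"},
    {"EventID": 13, "Image": "C:\\Windows\\explorer.exe",  # ordinary Run value, must not fire
     "TargetObject": f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",  # unknown hash, must not fire
     "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000"},
]

if __name__ == "__main__":
    for image, rules in detect(EVENTS).items():
        print(image, sorted(rules))
    print("high confidence:", high_confidence(EVENTS and detect(EVENTS)))
```

The hash rule is the weakest of the four: the report shows each dropped file rewritten with a different hash within a single run, so the same dropper on another host will likely produce new hashes. The registry and Startup-folder rules key on behaviour that stayed constant across both detonations (the value name "Parametr", the root-level directory, the Startup drop) and are the ones worth deploying.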
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocYF\aoptiec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a75a6b229ab2f80b37f60a84409754e4c680ccdcca993d6c6e3e74ae6725bdacN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a75a6b229ab2f80b37f60a84409754e4c680ccdcca993d6c6e3e74ae6725bdacN.exe
"C:\Users\Admin\AppData\Local\Temp\a75a6b229ab2f80b37f60a84409754e4c680ccdcca993d6c6e3e74ae6725bdacN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
C:\IntelprocYF\aoptiec.exe
C:\IntelprocYF\aoptiec.exe
Network
No outbound connections or domain lookups by the sample are recorded. The entries below are reverse-DNS (PTR) queries to 8.8.8.8 with no process attribution in the report, so they should not be read as C2 indicators without corroboration.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
| MD5 | 75996b9fb1ba9ef904347ebceb2bdcfc |
| SHA1 | 6293a8b05b41399659a948cc10efb77036b60c1a |
| SHA256 | daa0e8533a783e5751a6854c52e2d49fd5c78beae42fe24d343c9cfa65b598ac |
| SHA512 | 92f283aa80a7398840e7c72f83a3770d30798ece330ba3c20c85fd66b94d6eaa8c3ceb2be58fda416d7ace29dece11e524b4bc8c40ff392707e6715838549b26 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 5cf7699c3910741e4fe0df6e7c5b9ef3 |
| SHA1 | 94b44d03fe11407151eab72ea329d6483ca77320 |
| SHA256 | f9ebf3f505bdd5028d2f8e165624b3718aae236eee3732c24b935edc9bbacdf3 |
| SHA512 | 3a06e43b401890e8ac203c21777f2e23ea18d3b460bc6c143f7e450b5864612fbf2d59b13635b28e927493421eadcce23122280343d98ecbcaf3cd774171fb32 |
C:\IntelprocYF\aoptiec.exe
| MD5 | 2eaff147ee4bceb37471f34c83059fed |
| SHA1 | ae8b50055664ad82b5f66502bd48e3aec0384e83 |
| SHA256 | 09c482fb33bccd647ba61966eb7e82fa873370e149a2aab5c35cce234844de14 |
| SHA512 | 29bcdb601f8b0b55077d97fbc3ed1ea2260306f98a7ddae45bfd0062c7f00699a1efc8dc4c111abad187c6ab95778d895bd30c6ce480887096b8aa78578c1b71 |
C:\IntelprocYF\aoptiec.exe
| MD5 | 68f8766e1ae0b47b611871ee8be604f7 |
| SHA1 | f324402dd81472574b82871961e993ad59106fcd |
| SHA256 | 1d38c8d468555feca8bb7efd06579642ecfcaeed9810dd56dae7d7859ce38e95 |
| SHA512 | 45f2043c387701754b32ce9156d44e16408b32b991c1380500fc0fb58d01f5628bef3f9dfd538f8ef7a39a20bc8109592fe3167248eca7d9ec8d163419bfe93c |
C:\LabZDU\dobxsys.exe
| MD5 | 579f8c92f242849b50f30371556cc8b8 |
| SHA1 | 854c73feb49999e33725ad6ee0617ab95f23dc1f |
| SHA256 | f0a9b17cc466a4fa298693dd446d41cbb400ed4b89e98681f92cc2bf2d1b85fc |
| SHA512 | 80125d943cb1d351828618318912452cf5c6812a30ea427a2c3d393f723e57d7f63acadbe6cb3e8905892d6ed5b306a4e3b80d8c92c26a8ff35ec7f5ccb1f846 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 378dec78b2ada74e8b9ad101bf0808ec |
| SHA1 | 54ae57dd286d16984b7fb5dd1d24c864880e4dd6 |
| SHA256 | ef8d3675780002040e13cf3ba70ea7c2132dd7af44bd87e58532a9fb3f24b537 |
| SHA512 | eaae62258e8df83242c9b0d25565c45c7f9827357e92d4c499214479223a9b3f6ee737dc5192874e3eb3c3210929ac3e0477c0112b8c4e6c7ccd317020962208 |
C:\LabZDU\dobxsys.exe
| MD5 | b03fe94aa3cc7661f2e8b21a85ed6dfd |
| SHA1 | c36ba84f8789444cbcb64c3e6a929afcc00ce1c0 |
| SHA256 | aa2b64daa9e18da87f9508ef3c4dbe2d58fa884df562f6e97a915b2e62316397 |
| SHA512 | e8eb54b7ee24a7eeae4558923b210b3b1f6dcd324e3a07b89ca8d44e9154f9da2cb5b017288da4eaffe9492a25a07d95d3cef387567f50dd061e7ebb1d2846cf |