Analysis Overview
SHA256
43e3d327cc97d3fe2e2f2e0602e7dbf30f68dab659fa22401e75c49768ce8739
Threat Level: Shows suspicious behavior
The file 43e3d327cc97d3fe2e2f2e0602e7dbf30f68dab659fa22401e75c49768ce8739N.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 15:14
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 15:14
Reported
2024-11-13 15:16
Platform
win7-20241010-en
Max time kernel
119s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\43e3d327cc97d3fe2e2f2e0602e7dbf30f68dab659fa22401e75c49768ce8739N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\UserDotMA\xbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\43e3d327cc97d3fe2e2f2e0602e7dbf30f68dab659fa22401e75c49768ce8739N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\43e3d327cc97d3fe2e2f2e0602e7dbf30f68dab659fa22401e75c49768ce8739N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotMA\\xbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\43e3d327cc97d3fe2e2f2e0602e7dbf30f68dab659fa22401e75c49768ce8739N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZH5\\dobxec.exe" | C:\Users\Admin\AppData\Local\Temp\43e3d327cc97d3fe2e2f2e0602e7dbf30f68dab659fa22401e75c49768ce8739N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\43e3d327cc97d3fe2e2f2e0602e7dbf30f68dab659fa22401e75c49768ce8739N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotMA\xbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\43e3d327cc97d3fe2e2f2e0602e7dbf30f68dab659fa22401e75c49768ce8739N.exe
"C:\Users\Admin\AppData\Local\Temp\43e3d327cc97d3fe2e2f2e0602e7dbf30f68dab659fa22401e75c49768ce8739N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
C:\UserDotMA\xbodloc.exe
C:\UserDotMA\xbodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
C:\UserDotMA\xbodloc.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\LabZH5\dobxec.exe
C:\UserDotMA\xbodloc.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\LabZH5\dobxec.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 15:14
Reported
2024-11-13 15:16
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
97s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | C:\Users\Admin\AppData\Local\Temp\43e3d327cc97d3fe2e2f2e0602e7dbf30f68dab659fa22401e75c49768ce8739N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | N/A |
| N/A | N/A | C:\SysDrvXM\devbodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidXW\\boddevsys.exe" | C:\Users\Admin\AppData\Local\Temp\43e3d327cc97d3fe2e2f2e0602e7dbf30f68dab659fa22401e75c49768ce8739N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvXM\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\43e3d327cc97d3fe2e2f2e0602e7dbf30f68dab659fa22401e75c49768ce8739N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\43e3d327cc97d3fe2e2f2e0602e7dbf30f68dab659fa22401e75c49768ce8739N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvXM\devbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\43e3d327cc97d3fe2e2f2e0602e7dbf30f68dab659fa22401e75c49768ce8739N.exe
"C:\Users\Admin\AppData\Local\Temp\43e3d327cc97d3fe2e2f2e0602e7dbf30f68dab659fa22401e75c49768ce8739N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
C:\SysDrvXM\devbodloc.exe
C:\SysDrvXM\devbodloc.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\SysDrvXM\devbodloc.exe
C:\SysDrvXM\devbodloc.exe
C:\VidXW\boddevsys.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\VidXW\boddevsys.exe