Analysis Overview
SHA256: 34b3ff8c2dddc48b302cb747879e0de4a603a3071e16b45c108d0d23ba528b94
Threat Level: Shows suspicious behavior
The file 34b3ff8c2dddc48b302cb747879e0de4a603a3071e16b45c108d0d23ba528b94N.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-13 18:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-13 18:38
Reported: 2024-11-13 18:40
Platform: win7-20240903-en
Max time kernel: 119s
Max time network: 118s
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | C:\Users\Admin\AppData\Local\Temp\34b3ff8c2dddc48b302cb747879e0de4a603a3071e16b45c108d0d23ba528b94N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| N/A | N/A | C:\UserDotPL\devdobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\34b3ff8c2dddc48b302cb747879e0de4a603a3071e16b45c108d0d23ba528b94N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\34b3ff8c2dddc48b302cb747879e0de4a603a3071e16b45c108d0d23ba528b94N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBN9\\dobaloc.exe" | C:\Users\Admin\AppData\Local\Temp\34b3ff8c2dddc48b302cb747879e0de4a603a3071e16b45c108d0d23ba528b94N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotPL\\devdobec.exe" | C:\Users\Admin\AppData\Local\Temp\34b3ff8c2dddc48b302cb747879e0de4a603a3071e16b45c108d0d23ba528b94N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\34b3ff8c2dddc48b302cb747879e0de4a603a3071e16b45c108d0d23ba528b94N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotPL\devdobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Path | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\34b3ff8c2dddc48b302cb747879e0de4a603a3071e16b45c108d0d23ba528b94N.exe | "C:\Users\Admin\AppData\Local\Temp\34b3ff8c2dddc48b302cb747879e0de4a603a3071e16b45c108d0d23ba528b94N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe" |
| C:\UserDotPL\devdobec.exe | C:\UserDotPL\devdobec.exe |
Network
Files
C:\KaVBN9\dobaloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 11e6fbbda35639f6f68292e9dd95c3b4 |
| SHA1 | 87f79d00b663be26caa971359ef6cc3cab9a6e62 |
| SHA256 | fe7eeaa9e7fa20a50d9f1afc214cd9a736d756e368b5c74113cf5f026742905c |
| SHA512 | efdd9b123e6d640dfbb8ca6417bb7898ec8aa2caeefe4b7d8f3614db15a68ac2f6e1e5cc58f7fde5d7c2c3926f967b6a11cfa6ff9b5b870818c7a7ae610b4d3e |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 0c2872315aee735c12d57e0067d1f217 |
| SHA1 | f384d1c437256c2fdbc89c176a34d7057224ef49 |
| SHA256 | 28575d8ce386fa4711987964f6ab7f252ecc7182aabd317bca52b0756958e1a7 |
| SHA512 | 1ddf191f9ca8320df7ecf8868a6417bb79c8929b9e247cd7e4932e81f194e2581f5d99aacadd42914481901d9b9a09e8c2ccb79f8b9994aee8b512fee8239a3e |
C:\UserDotPL\devdobec.exe
| Hash | Value |
| --- | --- |
| MD5 | 64d75451f679c581f5a93788746930dc |
| SHA1 | 43807031d80538183745ab8af5796a227a938069 |
| SHA256 | 9975259daaa6ba9ca5d4a369d730958a87b5c7a99559b94f5bc5cdffa8aabf33 |
| SHA512 | 28ec5ddfb34cce72f619142e74a141215f7cbbab74d607cc0c41a24be37efcd9db9f8b6f4801afb5f0d2b530bb517c00cf319640832e3e719b3ae826ccd2b58a |
C:\KaVBN9\dobaloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 7ceeaf794f8027abb6b1348f20fc95dd |
| SHA1 | bf42ff432a6fad26c674faab3b4200378dd6eba8 |
| SHA256 | cd1027b5e86e28336854a6a49dfcb1aacdc52d05f86789085d40618475c74909 |
| SHA512 | 6e5735bded2ac5d2651ca803552d555d54ef8a7b2627fb39bcf38e8b01002fa38494fb5a782397f149946db928bb397fea3536f3ef2823a75d9cc01bb9c4254a |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
| Hash | Value |
| --- | --- |
| MD5 | f3c8513f805f888c9261555304363f3e |
| SHA1 | dcd34a911a293d1879237897e0eb8f69e3b1e6ad |
| SHA256 | c923c4fe0c5c0896cbebaff7e37ca141511db9d11046c1f258213d6ec083f43c |
| SHA512 | 7ba528d9130d401227bc264671f2283fc5525df55a61efd6dc8fe77771f2331ca3915330507d583dc3114c10da587adcaf65d9a5d6b9139a05675490b859910a |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 79f2bbcd60c59c9a35531d0d51d3f78e |
| SHA1 | 9ee33d9cd69a762018bca9b1431ca13324e37a0d |
| SHA256 | 887a9663bc141f3a78e29576dc0a660e5ec8e19803fcc8bb91a99b5e27b5ce09 |
| SHA512 | 408361f68f28a070d02e27f7bb81fe576a1e3d7b5343c87aeed948def3362ee27a7daa7eae1d3db7996586ab04a5e01949b5a6bb4eb61b125abcd8346d149f9f |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-13 18:38
Reported: 2024-11-13 18:40
Platform: win10v2004-20241007-en
Max time kernel: 120s
Max time network: 95s
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | C:\Users\Admin\AppData\Local\Temp\34b3ff8c2dddc48b302cb747879e0de4a603a3071e16b45c108d0d23ba528b94N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| N/A | N/A | C:\Adobe1Q\devbodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe1Q\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\34b3ff8c2dddc48b302cb747879e0de4a603a3071e16b45c108d0d23ba528b94N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintFI\\optiasys.exe" | C:\Users\Admin\AppData\Local\Temp\34b3ff8c2dddc48b302cb747879e0de4a603a3071e16b45c108d0d23ba528b94N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\34b3ff8c2dddc48b302cb747879e0de4a603a3071e16b45c108d0d23ba528b94N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Adobe1Q\devbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Path | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\34b3ff8c2dddc48b302cb747879e0de4a603a3071e16b45c108d0d23ba528b94N.exe | "C:\Users\Admin\AppData\Local\Temp\34b3ff8c2dddc48b302cb747879e0de4a603a3071e16b45c108d0d23ba528b94N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe" |
| C:\Adobe1Q\devbodec.exe | C:\Adobe1Q\devbodec.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
| Hash | Value |
| --- | --- |
| MD5 | 0fd7ab61df668958df66d6d16747fc87 |
| SHA1 | d47a70404014dfea285a1209981027dd7930322b |
| SHA256 | d499f243c78344ae9c34943cb23bff339e4f2327cc553e1550734403850d87ca |
| SHA512 | 51e72db61ebc48e2ca34e3a527da51f03bfbbcf50f055f4224ad6d56db754aeeca74f2ff004be659f1e78b8f2aa4d8ddff5a4a44bde22aafb131b2eaa351dee7 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 6a17562c2f6e43b057ea26ceebc910eb |
| SHA1 | 12947b480fa54b58346adfeeafbb05fe1f1fb19c |
| SHA256 | 63961664404f38fc2408875dd931ed4e9cf1036d1b3bf4a17754afd03b6d5477 |
| SHA512 | ae691ef147f66e6eda594c4d424ee83b87e61a6cef0f5da330965d60e92ab6319208667f43933ec45c2c1f09305e67552c33d19ca33ca06b3d441ce15d502421 |
C:\Adobe1Q\devbodec.exe
| Hash | Value |
| --- | --- |
| MD5 | fb8c075dc8c7c461b8540566887879a5 |
| SHA1 | 3f2c52563968a99f0f42334178a6907133ec371b |
| SHA256 | 2d4128094ec124064a4959babbf202b5bd708a26b96b7ddd3016875175267bcc |
| SHA512 | c69816080c189f5d2d2e3431c244c2b6b1dd581ac31f259fa8016e1585b267eded8a0c63c4686565d269a4efb7f239d0323457feda5814995f10be8b12c22840 |
C:\Adobe1Q\devbodec.exe
| Hash | Value |
| --- | --- |
| MD5 | 63302bf38dd98a1389afcc3ac954b93c |
| SHA1 | e70c09d9aec504611217b65faf6802668b62aeb2 |
| SHA256 | ba76dab6adb928238faf2e20a77a4cdb97b334579b895deb9e4b48d61953501b |
| SHA512 | cd0b0de8f9c946ea40eafe8e458a2cb0f1020413c4cbbec602485afc2c4a094c020600e78469c791561c58571885c1ec2bd398c3815c718324a440ab4707dfa2 |
C:\MintFI\optiasys.exe
| Hash | Value |
| --- | --- |
| MD5 | 8cf1d2ee4a5d2a9617f9a6800048f9ac |
| SHA1 | 02b01a0df16d98912c054589b909b78fe4b9eb57 |
| SHA256 | cfaed731e689d640781c74d0857e2e15a07797b7a429595a5ebcbc3e27fc84ec |
| SHA512 | 8e4110e16c26a951aedf395fa582ab5d6dfd65fb767025444e43a16773e43569bbd6bf8f38379ce09f15770c50ca13e005b381fdde3a5e30df5dc9eecaf60979 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 63efaa577d3dc32aa98cdf3c2537dc44 |
| SHA1 | da6dfd846708ab8387e6db5f7bac5e952c6adf8b |
| SHA256 | b943bfbd33e467075258c405a9cb7a989def9d008f1174f3367ba2aca8955bdc |
| SHA512 | ffe41677796abef4f53b040431f08b5a76d760be77e73060d55c9839ab521cb1c7ab691f8d64c06b1d8b516c5039ed1429a780b72930eae5d5aea8420d7b8ef3 |
C:\MintFI\optiasys.exe
| Hash | Value |
| --- | --- |
| MD5 | 6d76e5c4c19a77e94be3cb82630b441c |
| SHA1 | f04762cac3a5030c98e2112465ba420ad6b063de |
| SHA256 | 50549cb7b5c97668fbfde51499af263690d7ab7c5e1960848e9f0fcde4ba8e5d |
| SHA512 | d33dcdd12c7fce761042747f5267416a7401d8cf3e9b0223fc1ae9be6be2f006b9569fbe6b11f562377e33e5a073b67f2a44308f32bdafb81c36fdcc4fbcdf9f |