Analysis Overview
SHA256
606b9cc25be22aec4f570c9f7d1f3e6d9c1f265545f57c6487948572a8838824
Threat Level: Shows suspicious behavior
The file 606b9cc25be22aec4f570c9f7d1f3e6d9c1f265545f57c6487948572a8838824.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 19:25
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 19:25
Reported
2024-11-13 19:27
Platform
win7-20240708-en
Max time kernel
119s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | C:\Users\Admin\AppData\Local\Temp\606b9cc25be22aec4f570c9f7d1f3e6d9c1f265545f57c6487948572a8838824.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| N/A | N/A | C:\UserDot4H\devoptiloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\606b9cc25be22aec4f570c9f7d1f3e6d9c1f265545f57c6487948572a8838824.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\606b9cc25be22aec4f570c9f7d1f3e6d9c1f265545f57c6487948572a8838824.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot4H\\devoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\606b9cc25be22aec4f570c9f7d1f3e6d9c1f265545f57c6487948572a8838824.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid9V\\dobaloc.exe" | C:\Users\Admin\AppData\Local\Temp\606b9cc25be22aec4f570c9f7d1f3e6d9c1f265545f57c6487948572a8838824.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\606b9cc25be22aec4f570c9f7d1f3e6d9c1f265545f57c6487948572a8838824.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDot4H\devoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\606b9cc25be22aec4f570c9f7d1f3e6d9c1f265545f57c6487948572a8838824.exe
"C:\Users\Admin\AppData\Local\Temp\606b9cc25be22aec4f570c9f7d1f3e6d9c1f265545f57c6487948572a8838824.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
C:\UserDot4H\devoptiloc.exe
C:\UserDot4H\devoptiloc.exe
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 19:25
Reported
2024-11-13 19:27
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | C:\Users\Admin\AppData\Local\Temp\606b9cc25be22aec4f570c9f7d1f3e6d9c1f265545f57c6487948572a8838824.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | N/A |
| N/A | N/A | C:\FilesHI\devdobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesHI\\devdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\606b9cc25be22aec4f570c9f7d1f3e6d9c1f265545f57c6487948572a8838824.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB0K\\dobaec.exe" | C:\Users\Admin\AppData\Local\Temp\606b9cc25be22aec4f570c9f7d1f3e6d9c1f265545f57c6487948572a8838824.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\606b9cc25be22aec4f570c9f7d1f3e6d9c1f265545f57c6487948572a8838824.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesHI\devdobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\606b9cc25be22aec4f570c9f7d1f3e6d9c1f265545f57c6487948572a8838824.exe
"C:\Users\Admin\AppData\Local\Temp\606b9cc25be22aec4f570c9f7d1f3e6d9c1f265545f57c6487948572a8838824.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
C:\FilesHI\devdobsys.exe
C:\FilesHI\devdobsys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files