Analysis Overview
SHA256
458f42647aab27159c891dd7616a41fcdbc55802fc322c1429b3d414b4b14e69
Threat Level: Shows suspicious behavior
Verdict for the file 458f42647aab27159c891dd7616a41fcdbc55802fc322c1429b3d414b4b14e69.exe: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 19:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 19:31
Reported
2024-11-13 19:33
Platform
win7-20240708-en
Max time kernel
119s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\458f42647aab27159c891dd7616a41fcdbc55802fc322c1429b3d414b4b14e69.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\UserDot9Q\xoptiloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\458f42647aab27159c891dd7616a41fcdbc55802fc322c1429b3d414b4b14e69.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\458f42647aab27159c891dd7616a41fcdbc55802fc322c1429b3d414b4b14e69.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot9Q\\xoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\458f42647aab27159c891dd7616a41fcdbc55802fc322c1429b3d414b4b14e69.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZHR\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\458f42647aab27159c891dd7616a41fcdbc55802fc322c1429b3d414b4b14e69.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\458f42647aab27159c891dd7616a41fcdbc55802fc322c1429b3d414b4b14e69.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDot9Q\xoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\458f42647aab27159c891dd7616a41fcdbc55802fc322c1429b3d414b4b14e69.exe
"C:\Users\Admin\AppData\Local\Temp\458f42647aab27159c891dd7616a41fcdbc55802fc322c1429b3d414b4b14e69.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
C:\UserDot9Q\xoptiloc.exe
C:\UserDot9Q\xoptiloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
| Hash | Value |
| --- | --- |
| MD5 | 722d1161c86e2da1a306eb1a62bd35c8 |
| SHA1 | 16e9964032853659acd16789617955b9bf75eb60 |
| SHA256 | 7701b3056def3b4e331fde4516feacf6cc5c140ae58785ad8ec48891a7e6c21f |
| SHA512 | a0df448d0643f55faedf0509f0315dbd9421a809f62153a8ac6442a849ad94e8639c57a0d6ec05ca3fe252a6be019f4ab3d7ea263bedd0cf3cb77ef61184560c |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | f7f8b2a26e125fdd0cee39db7980336e |
| SHA1 | ed72a84440b1645ee0797da68de95cfb4ae33178 |
| SHA256 | f023a1b8796764db3c235eef9d928649413d72bb5fea9e390b853544c1abbfdf |
| SHA512 | 45671dd3bf878e1dc7f9787d5aa0c12649f839cdb30adadf30e3a05229d3c5dfdd7af08349d10d7db330c8616799fcbbe1411fc234001617baec5bb6a8bcd94d |
C:\UserDot9Q\xoptiloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 24ce6287f495e69d5ff0aece79b1a726 |
| SHA1 | 60ef682727be340f4ae71b8dbecc91d1560db980 |
| SHA256 | 0f58685b4c2e075cfe5d8785fe6c8183a318c92734205664fc65bea9ba383ab1 |
| SHA512 | 9e234d1b521beab1d9ac6b0375be003a0b53e7d4ed0e5fb532b0517d4367010b34c31f0d58a5fcbf076c1bff50cfc792fc998804fe03004368c85e327f721298 |
C:\LabZHR\bodaloc.exe
| Hash | Value |
| --- | --- |
| MD5 | cd8313cf0e229526c38d9c6469fc81ea |
| SHA1 | 315cf7c800fafa11c695e82ee3181759d4b86268 |
| SHA256 | 0a37c86d4fe0bd93b689dd2a2a7475ff5c5c43139fb4700f1584660c3c45a417 |
| SHA512 | 4a5b4b9ec85178d24d4bedad81486d66eaa80f3a7eba820c1f3dee1384931e87de90322666601b3f777098906eafbba7385690760163a9f28a23684ab5074df3 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 718018af6632d60fe97340b979ddc5b6 |
| SHA1 | ba61d33a417eff7acbf4d321be08e0103217f7c5 |
| SHA256 | 038481d3545f55a1e3d51eb490e985070f1c7f179057d1d9d37018f1ddd18483 |
| SHA512 | cc77aa25b92f82d821fb58471a726b6684db48ccb3a9b8123226d46ecd8ddb94e6cba5713d5edb7022fe9a4ee7c1e2219e4cc21f1a702108341f65492d2ba7a8 |
C:\LabZHR\bodaloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 0277f11aff3505fba08ad3fa4fd9c5d7 |
| SHA1 | f11eea73dbe553727aa236251e450d3bf27057cf |
| SHA256 | 5cfeed92dd1bf233377efc4995886b4d7e49313779cda7dc48279aa089e486f3 |
| SHA512 | 65fac64e003bb4779e94db8d0f287fa6050f798c3128ff2c5c54e6b579e40592344a91dac0adc7ff1fa3c97d9cabf522d804cf01d673dc3bf427cd24b95421df |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 19:31
Reported
2024-11-13 19:33
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
100s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | C:\Users\Admin\AppData\Local\Temp\458f42647aab27159c891dd7616a41fcdbc55802fc322c1429b3d414b4b14e69.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| N/A | N/A | C:\AdobeKP\xbodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeKP\\xbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\458f42647aab27159c891dd7616a41fcdbc55802fc322c1429b3d414b4b14e69.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidVM\\dobasys.exe" | C:\Users\Admin\AppData\Local\Temp\458f42647aab27159c891dd7616a41fcdbc55802fc322c1429b3d414b4b14e69.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\458f42647aab27159c891dd7616a41fcdbc55802fc322c1429b3d414b4b14e69.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeKP\xbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\458f42647aab27159c891dd7616a41fcdbc55802fc322c1429b3d414b4b14e69.exe
"C:\Users\Admin\AppData\Local\Temp\458f42647aab27159c891dd7616a41fcdbc55802fc322c1429b3d414b4b14e69.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
C:\AdobeKP\xbodloc.exe
C:\AdobeKP\xbodloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
| Hash | Value |
| --- | --- |
| MD5 | 9c22cbc3511272d2419f7cd3f556e15b |
| SHA1 | a3bd2a1a7ce5e0cd8f7287d003159ee380fcea98 |
| SHA256 | b25457f201b50c75e5eae38e1476ee8ca60bcab5ef7b69432ccb0c2a8a153c25 |
| SHA512 | ac9714573a6f7c0cc2b48fc0902731d5690e09ff9455db3cfee30643a570e782c3451bcf902d356bdcbb1e9f2b6f7f9b5261ef9d90d461f0df9ff2981a4729e7 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 75914ec5f28e1ffe8b0b6d6c7a12d09e |
| SHA1 | b99e14d4e4d9975a6b30311cdbea958ead71c336 |
| SHA256 | 0fc280959805515cde93c541dc36ed4bb7c7d01d690d9177ece69992feab5d5d |
| SHA512 | adeb776b949f699fc032d72e6c86e22141b98d527ad52c7723eb3e4a3209e6702665c01265e77996403f250beb6bfd2305917a82139c627a20cfc98d67cd087a |
C:\AdobeKP\xbodloc.exe
| Hash | Value |
| --- | --- |
| MD5 | a235109712a800df96e75389947e0893 |
| SHA1 | 49522fdfafa343f6c7cdea2d6e35c60fb347d490 |
| SHA256 | 9838878fef62ee2bbf7f86498034e35ceb231e10e8d79dadf05cf2cb87e89832 |
| SHA512 | b493730c0d7426b5aa19ea9b26b0de40769c26e591e14d5b92fd3546856a9e532055e118df2c193d7fc6d4bf6418de6dd655c932c5584819bd778f9383b2afdc |
C:\AdobeKP\xbodloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 4c2c29a40b900713f2d4a634ec60a995 |
| SHA1 | e92ae161e105d7885f2c012bce369cfef0efa42b |
| SHA256 | 40a2b6c074e5fe620f9c21141d117a2fe7f2cf0a2161355aa2d1803d7e3b699e |
| SHA512 | 835a9257fbae9f852b1f09207955178b5b495a894696caea5c19239bc1d5c26fac4976953aad1b5c59ae78b7251c56008dbd5d0f33dcd3cfa2502df61c0b7660 |
C:\VidVM\dobasys.exe
| Hash | Value |
| --- | --- |
| MD5 | b976474bda2a5680feff3084ddc68396 |
| SHA1 | 5eab5580cdb296fe321f0617bac2836d0392e330 |
| SHA256 | b50f453e399819c05e518561861c25cce337ee22a6ee2b34a43f9c43a7dc1fef |
| SHA512 | 5172e810f205a4feaa8e1421e3c40c862ce771a92b1e02b63864facb1538e026893158148a863555c1047b685b3e8f8385e0510589fbb0e3d3677f378777bf35 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 0b668ada093c59ab54cb04e2d2156ab6 |
| SHA1 | 7fd6240427ccf02c3c567ca56ccee3f6e2497c19 |
| SHA256 | dabf9ea1e32488aa3e8e1d02b621d0a6ff2cad91401cb56d9da08b84237af27a |
| SHA512 | 45391a00884125a1fd3cd9b748dfa09f0c42f8103fd1765ed3675231d92b180f51cc90343f6ff764b3c08e3ce60135f8c7d2cfc808e1fcb85f663639a275924c |
C:\VidVM\dobasys.exe
| Hash | Value |
| --- | --- |
| MD5 | df666b3148f37c4a5a8cf741c8d789fc |
| SHA1 | 9ab94913335175c0aeba86756f5e3fbbe370349c |
| SHA256 | 2248be6063b781093212a611b318f305c62bddca3a7cd5f98652921e4467c3e9 |
| SHA512 | 599d4da55cf8ab6b76ef1ab504bd7351912cb41bafd1a579fb1c3e76f531582f605798398b957953b19ad67818c45f67c51e5e7a5fc64ed35a330ad6da6060e4 |