Analysis Overview
SHA256
5b70b6117e723a878623f270a3cb930c7ac584b053435493b64d28206059c6e5
Threat Level: Shows suspicious behavior
The file 5b70b6117e723a878623f270a3cb930c7ac584b053435493b64d28206059c6e5N.exe was classified as: Shows suspicious behavior. The signatures that fired (listed below) are generic behavioral ones covering persistence, discovery and process manipulation; no malware family was identified.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
The report lists no technique mapping. Of the signatures below, "Drops startup file" and "Adds Run key to start application" correspond to T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), and "System Location Discovery: System Language Discovery" to T1614.001.
Analysis: static1
Detonation Overview
Reported
2024-11-13 19:07
Signatures
Unsigned PE
No per-indicator details are recorded for this signature in the static analysis.
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 19:07
Reported
2024-11-13 19:09
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
(none; the sample was launched with no arguments, as the Processes table of this run shows)
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | C:\Users\Admin\AppData\Local\Temp\5b70b6117e723a878623f270a3cb930c7ac584b053435493b64d28206059c6e5N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| N/A | N/A | C:\IntelprocUZ\xbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5b70b6117e723a878623f270a3cb930c7ac584b053435493b64d28206059c6e5N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5b70b6117e723a878623f270a3cb930c7ac584b053435493b64d28206059c6e5N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintHQ\\dobaec.exe" | C:\Users\Admin\AppData\Local\Temp\5b70b6117e723a878623f270a3cb930c7ac584b053435493b64d28206059c6e5N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocUZ\\xbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\5b70b6117e723a878623f270a3cb930c7ac584b053435493b64d28206059c6e5N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5b70b6117e723a878623f270a3cb930c7ac584b053435493b64d28206059c6e5N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocUZ\xbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\5b70b6117e723a878623f270a3cb930c7ac584b053435493b64d28206059c6e5N.exe | "C:\Users\Admin\AppData\Local\Temp\5b70b6117e723a878623f270a3cb930c7ac584b053435493b64d28206059c6e5N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe" |
| C:\IntelprocUZ\xbodloc.exe | C:\IntelprocUZ\xbodloc.exe |
Network
No network activity was recorded in this run (max time network 16s).
Files
Where the same path appears twice below with different hashes, the file was written more than once during the run with different content.
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
| MD5 | ea3dec1b6f5372c4231151c1d715673f |
| SHA1 | 0c3a3bae7e0ec328133e6a77c6e80dccfc3b578c |
| SHA256 | bc67a20e6f33a1e23387a4c973880435f0b62ed4e1b8fed00ea88fee1476cc8d |
| SHA512 | 0f17f8a75d353ba75e5f285743cbce4a1d73493651f74349d99fc1c504a9590f61bc8c361f29af09a5aff86f4b988d3938b8e8151074ed94e63dd61ede8bbedd |
C:\Users\Admin\253086396416_6.1_Admin.ini
(the file name embeds the OS version, 6.1 for Windows 7, and the user name; the Windows 10 run writes 253086396416_10.0_Admin.ini)
| MD5 | e5af6df0823d18bf8c7b9714b5e2fd55 |
| SHA1 | c9f68b652216036f122bfbc2c5d55c6c0f5f9a23 |
| SHA256 | 62f6e0dd1ee9cba93be544aad817575e14561fde6cb8e6c294f380f1650118da |
| SHA512 | 967e26aa4e3b4042d7184396cb39b9b6ded4c354573972c64d9d459bfa3164111f29798f59119dfe17f50347992197f49ec9dabe1c7216c5db1d96c6b537a2cc |
C:\IntelprocUZ\xbodloc.exe
| MD5 | b8d842afdc36995df5bda8308539827a |
| SHA1 | 60113320c0a2f4bc34300cebb1fdac10871518d6 |
| SHA256 | 4de71230fe83a00a6df97f52453a0e04b24debc59b48cb838dc67029cdc0c503 |
| SHA512 | 1c8507832090a9eb5853bad06bb1ce73b3c3d3db35f9eafdc34178c996e77c4ed1f628fe6bbc7a164f77380ba54498d00e2f3fb0cfda6e17055f6749840e9a57 |
C:\MintHQ\dobaec.exe
| MD5 | 009379c0e3efb9fabd3bf5d1ad6c71a7 |
| SHA1 | aefcbce94b5697be1bde230bf56101cb4e093065 |
| SHA256 | e691dd254cb26f7ba9aea4f6d0328e40eebc596d22d21c34c751aae372109b88 |
| SHA512 | 421d51f8dd6828de82826219acaa779fc94bfd431f7b244a23709a938ae940fcd6a345814eb2c257ead0abd64490e9c97f914e32acdc9a4cd0eb10b27edc43d9 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | acf2c7f51b7700fd6302e20c93785319 |
| SHA1 | 704e6e1eb6adbbd51785db5e3d91b900c87c6bd3 |
| SHA256 | 67dbff64fe2d8096eea64d29651c9252bef3110f9423c17dfe2290b20c5f5ede |
| SHA512 | 8a5cea8d8bb2fbfcba05f5abfb167dc26540df04eff5fb3ab55dcb1766dafbc031df06dfd122207a6bb04e0ee09d067f14a3a6128de25c7924117341e9dcc8f3 |
C:\MintHQ\dobaec.exe
| MD5 | 4bf0cdc413621abdeae58b6c59691ba8 |
| SHA1 | d15b7194b34892ea1925b4a4a10ccab3f04ced67 |
| SHA256 | 29e04ccf6467a53ac8c1cf852f1503621c9a58d0a51768736e9952f32989cbfc |
| SHA512 | c0bc6146f2e4fd4d86b6947cc8af990ba9a90f86455b64a3d11e22490538c0aa10bbd5eccafab0e6f887661d7fa0ef94b33587f8fb48c43e33e896a38d200f6d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 19:07
Reported
2024-11-13 19:09
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
(none; the sample was launched with no arguments, as the Processes table of this run shows)
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | C:\Users\Admin\AppData\Local\Temp\5b70b6117e723a878623f270a3cb930c7ac584b053435493b64d28206059c6e5N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| N/A | N/A | C:\UserDotSK\devdobec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZH6\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\5b70b6117e723a878623f270a3cb930c7ac584b053435493b64d28206059c6e5N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotSK\\devdobec.exe" | C:\Users\Admin\AppData\Local\Temp\5b70b6117e723a878623f270a3cb930c7ac584b053435493b64d28206059c6e5N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5b70b6117e723a878623f270a3cb930c7ac584b053435493b64d28206059c6e5N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotSK\devdobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\5b70b6117e723a878623f270a3cb930c7ac584b053435493b64d28206059c6e5N.exe | "C:\Users\Admin\AppData\Local\Temp\5b70b6117e723a878623f270a3cb930c7ac584b053435493b64d28206059c6e5N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe" |
| C:\UserDotSK\devdobec.exe | C:\UserDotSK\devdobec.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
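Every row in the table above is a PTR (reverse DNS) query sent to 8.8.8.8, and the table does not attribute any of them to a sample process. Batches of reverse lookups like this are routinely produced by the Windows 10 image itself (the Windows 7 run recorded no network activity at all), so none of these addresses should be treated as a C2 indicator without attribution to one of the sample's processes. To pivot on them at all you first need the addresses back out of the in-addr.arpa names; the Python below is an added example, not part of this report, that decodes the query names (generalized to ip6.arpa as well) and validates each result with the standard library. The query list is transcribed from the table.

```python
"""Decode reverse-DNS query names (in-addr.arpa / ip6.arpa) back into the
addresses they describe, so sandbox PTR traffic can be de-duplicated and
checked against known OS/CDN ranges before anyone calls it an IOC."""
import ipaddress

# Transcribed from this report's behavioral2 Network table (all sent to 8.8.8.8:53).
PTR_QUERIES = [
    "8.8.8.8.in-addr.arpa",
    "217.106.137.52.in-addr.arpa",
    "172.214.232.199.in-addr.arpa",
    "0.159.190.20.in-addr.arpa",
    "95.221.229.192.in-addr.arpa",
    "104.219.191.52.in-addr.arpa",
    "197.87.175.4.in-addr.arpa",
    "206.23.85.13.in-addr.arpa",
    "172.210.232.199.in-addr.arpa",
    "19.229.111.52.in-addr.arpa",
]


def ptr_to_ip(name):
    """Return the address a PTR name refers to, or None if it is not a valid
    in-addr.arpa (4 reversed octets) or ip6.arpa (32 reversed nibbles) name."""
    n = name.strip().rstrip(".").lower()
    if n.endswith(".in-addr.arpa"):
        labels = n[: -len(".in-addr.arpa")].split(".")
        if len(labels) != 4:
            return None
        candidate = ".".join(reversed(labels))
    elif n.endswith(".ip6.arpa"):
        nibbles = n[: -len(".ip6.arpa")].split(".")
        if len(nibbles) != 32 or any(len(x) != 1 for x in nibbles):
            return None
        hexstr = "".join(reversed(nibbles))
        candidate = ":".join(hexstr[i:i + 4] for i in range(0, 32, 4))
    else:
        return None
    try:
        return str(ipaddress.ip_address(candidate))   # normalizes and validates
    except ValueError:
        return None


def _sort_key(ip):
    addr = ipaddress.ip_address(ip)
    return (addr.version, int(addr))


def ips_from_ptr_queries(names):
    """Unique, sorted addresses from a list of PTR query names; malformed names are skipped."""
    found = {ip for ip in (ptr_to_ip(n) for n in names) if ip}
    return sorted(found, key=_sort_key)


def roundtrip_ok(ip):
    """Self-check: encode with the stdlib's reverse_pointer, decode with ptr_to_ip."""
    addr = ipaddress.ip_address(ip)
    return ptr_to_ip(addr.reverse_pointer) == str(addr)


if __name__ == "__main__":
    for ip in ips_from_ptr_queries(PTR_QUERIES):
        print(ip)
```

The decoded list is what you would feed to a WHOIS/ASN lookup or compare against the sandbox's baseline traffic; a PTR query for an address is evidence that something on the host already talked to it, not that the sample did.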
Files
The dropped file names, directories and hashes all differ from the behavioral1 run (sysadob.exe vs ecaopti.exe, C:\IntelprocUZ vs C:\UserDotSK, C:\MintHQ vs C:\LabZH6), so treat the hashes below as run-specific rather than as stable IOCs. What is stable across both runs is the Startup-folder drop, the executable in a new top-level directory, and the Run/RunOnce value name "Parametr". Where the same path appears twice with different hashes, the file was written more than once during the run.
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
| MD5 | e35273f26a794325e6f72250d0ffaecb |
| SHA1 | 7b26109358ee88fc8c89241d9cfec773dee3cd26 |
| SHA256 | 00a44925b277aeaaa57d34ec00c023dfbba8d26e440f35f1dfa4236289260dd5 |
| SHA512 | a068b9b1cc11f5483c0880d4b1a88d5adb15721930e5f72e79a5a0bb5c8e73be7cbf38bda9cdf07d7e7bb0cc527acb459eabf3798ba450fc94c2f2c9c95de00b |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 00ed9f9ff6e0ed62a0f2933cfe06d6da |
| SHA1 | f622df359b3c6596f793edb5fc2bbd512f117d16 |
| SHA256 | e298fd19a2f6e3e337a1bf3beddf13c186566aeab40f77f4839a5181d43c597e |
| SHA512 | 3ba60e3793cc4c75c4b96cf959c0992dc9f9ea2159d423ae0b7ab0dad0346dfe5235cef61cc146d30d6f3d9a3f0833de50e3037603b9c49d8282e75c0ccfb8ed |
C:\UserDotSK\devdobec.exe
| MD5 | 024a06bb30f4cd7a2e7e810a1e509108 |
| SHA1 | 10ff7782fa1cbb3e7d873178b22aacb9a51199bf |
| SHA256 | 98b81a0ef4762a02a41abd44e9b3962a88c9bf5242cf06f9731f6a63159325af |
| SHA512 | f3756fa86cce758d4113dcd695cbea2193642c66c2830612bfa72d13e36dad349306e14e0a3bd035ffef330b09b42719001b51d35ceef9269c9a45590b7ea5ee |
C:\LabZH6\optidevsys.exe
| MD5 | 1277107cabcc016a5fd1f1042e36a2e3 |
| SHA1 | d7f8e8f7a16218d6bb1dce7bd03617500801eb78 |
| SHA256 | 8e909b1d2c6f2b50ac77632d0c29bee78baafb5a1b3d23226e037507fc026273 |
| SHA512 | f129adcdeabd08d93ae5036fe57020e5d0eab6c1565a555dce876fa729326075b333ac31bc8a7973c21d03d17b08334e1acad9033a1e66962d79780e301afbf3 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 070c8f7b5a3b772703cb0ed6332b8e5f |
| SHA1 | acf81a40d3f9a6d19e2bfc1c5cb2828602573215 |
| SHA256 | 2973a4caa19ec88d7dbb15bfbd1aa0694bae5156ee16c226cd52b2bcd9b15ee7 |
| SHA512 | 09c51f0629da9ab690a9d16669a7dddd6725bab69bcd60b6686a52dec11e406e9882b754435edbb0a8f10cba1633fbbcb865ce327f44b90174e81e88a41eb82e |
C:\LabZH6\optidevsys.exe
| MD5 | 7194af4ca8b5784e038c373119d798e5 |
| SHA1 | 9c114add88126c1358d7020ca7697c5b0528ea2d |
| SHA256 | f49a5b25906bde4ad4744acd2ddf6b578eb40dcaee1e76a6cce91e836ac9e050 |
| SHA512 | dea51aa435f72ea947472a3d1ccdf8ab4c514fe964d86c9fdfb0484772ee56ab728d2b0ca997da1d392b38e9abbc4526ec702dbc83c527a01e04264766012992 |