Analysis Overview
SHA256
f76c1d49bde9fa3a834938018f2526a95a5689f5c28ae9fd0182df91edd0829c
Threat Level: Shows suspicious behavior
The file f76c1d49bde9fa3a834938018f2526a95a5689f5c28ae9fd0182df91edd0829cN.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 19:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 19:12
Reported
2024-11-13 19:14
Platform
win7-20240903-en
Max time kernel
120s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | C:\Users\Admin\AppData\Local\Temp\f76c1d49bde9fa3a834938018f2526a95a5689f5c28ae9fd0182df91edd0829cN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| N/A | N/A | C:\FilesKA\devbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f76c1d49bde9fa3a834938018f2526a95a5689f5c28ae9fd0182df91edd0829cN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f76c1d49bde9fa3a834938018f2526a95a5689f5c28ae9fd0182df91edd0829cN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesKA\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\f76c1d49bde9fa3a834938018f2526a95a5689f5c28ae9fd0182df91edd0829cN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ39\\optixec.exe" | C:\Users\Admin\AppData\Local\Temp\f76c1d49bde9fa3a834938018f2526a95a5689f5c28ae9fd0182df91edd0829cN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesKA\devbodloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f76c1d49bde9fa3a834938018f2526a95a5689f5c28ae9fd0182df91edd0829cN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f76c1d49bde9fa3a834938018f2526a95a5689f5c28ae9fd0182df91edd0829cN.exe
"C:\Users\Admin\AppData\Local\Temp\f76c1d49bde9fa3a834938018f2526a95a5689f5c28ae9fd0182df91edd0829cN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
C:\FilesKA\devbodloc.exe
C:\FilesKA\devbodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\FilesKA\devbodloc.exe
C:\LabZ39\optixec.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\LabZ39\optixec.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 19:12
Reported
2024-11-13 19:14
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | C:\Users\Admin\AppData\Local\Temp\f76c1d49bde9fa3a834938018f2526a95a5689f5c28ae9fd0182df91edd0829cN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| N/A | N/A | C:\IntelprocSQ\devdobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintD0\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\f76c1d49bde9fa3a834938018f2526a95a5689f5c28ae9fd0182df91edd0829cN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocSQ\\devdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\f76c1d49bde9fa3a834938018f2526a95a5689f5c28ae9fd0182df91edd0829cN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocSQ\devdobsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f76c1d49bde9fa3a834938018f2526a95a5689f5c28ae9fd0182df91edd0829cN.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f76c1d49bde9fa3a834938018f2526a95a5689f5c28ae9fd0182df91edd0829cN.exe
"C:\Users\Admin\AppData\Local\Temp\f76c1d49bde9fa3a834938018f2526a95a5689f5c28ae9fd0182df91edd0829cN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
C:\IntelprocSQ\devdobsys.exe
C:\IntelprocSQ\devdobsys.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\IntelprocSQ\devdobsys.exe
C:\MintD0\dobdevec.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\MintD0\dobdevec.exe