Analysis Overview
SHA256: 923601a81437a58e2879a3b2d93142d6499705cfbaa9cd14de08a1c34a8fa665
Threat Level: Shows suspicious behavior
Verdict for the file 923601a81437a58e2879a3b2d93142d6499705cfbaa9cd14de08a1c34a8fa665.exe: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-13 19:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-13 19:38
Reported: 2024-11-13 19:40
Platform: win7-20240903-en
Max time kernel: 120s
Max time network: 16s
Command Line:
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | C:\Users\Admin\AppData\Local\Temp\923601a81437a58e2879a3b2d93142d6499705cfbaa9cd14de08a1c34a8fa665.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| N/A | N/A | C:\IntelprocH4\devoptiloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\923601a81437a58e2879a3b2d93142d6499705cfbaa9cd14de08a1c34a8fa665.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\923601a81437a58e2879a3b2d93142d6499705cfbaa9cd14de08a1c34a8fa665.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocH4\\devoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\923601a81437a58e2879a3b2d93142d6499705cfbaa9cd14de08a1c34a8fa665.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintOE\\dobasys.exe" | C:\Users\Admin\AppData\Local\Temp\923601a81437a58e2879a3b2d93142d6499705cfbaa9cd14de08a1c34a8fa665.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\923601a81437a58e2879a3b2d93142d6499705cfbaa9cd14de08a1c34a8fa665.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocH4\devoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\923601a81437a58e2879a3b2d93142d6499705cfbaa9cd14de08a1c34a8fa665.exe | "C:\Users\Admin\AppData\Local\Temp\923601a81437a58e2879a3b2d93142d6499705cfbaa9cd14de08a1c34a8fa665.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe" |
| C:\IntelprocH4\devoptiloc.exe | C:\IntelprocH4\devoptiloc.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
| MD5 | 4f0e1ca0aab0be4dc7ccf18fb25ddea9 |
| SHA1 | e397ccb8a81262949e43c19ac358dac3c72fd62c |
| SHA256 | af9e907f16bf39a994ef6322c3d109066cd73eb4a6b5d797fe5081bc342542c0 |
| SHA512 | 7444aecf72f880d554e40688e5055692dc019309d10f86664739c32c8533ae061b88a86a5899eae973e6e5ec2a93649dcdc0963f266dc4e5a6af54705c9d1b4f |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | e67d620e51c7c141d3ab3614f0c5a186 |
| SHA1 | 4e55daf86b2b8a13d5b335c163a72b3a4da9dd66 |
| SHA256 | 15a2decdf9569f43258cfc546af84cd8f8f69ebc93f349f8d32cffdea6f6c051 |
| SHA512 | d1d630eaf71306cf3af0dd9684a615a029c6ca076f80a2b0604f04c37e3d1699ae76fb06e975e239dbcd064d51980943253f1cd62ae49ad47908ee3661b81973 |
C:\IntelprocH4\devoptiloc.exe
| MD5 | 82db81b5d847a3beed2639f87a98229d |
| SHA1 | 75c83446bf9f39502c108292399c204b4015ac3e |
| SHA256 | 60fe2d54a10a4356d901a5de02244998df3eebf7174d703eb109ff2b245209d3 |
| SHA512 | 28ace9a6111c1f9b162237d7da1c3c29b2f28c1f89d36a975e5471cdab722b3ae787eed9d75a77cb8f5a3d9e0ba23d9d628f18276682b36f2d93889dd859da26 |
C:\MintOE\dobasys.exe
| MD5 | 0f70a041cd6e8df61c71ae313ac5a1dd |
| SHA1 | 80cc80d62c50bc570bc59cb10c5b97136d7c3771 |
| SHA256 | 78d0e4a08cc0112851b9d27c6ecdba241ce4d1bfc16d33113262d9cb8598c153 |
| SHA512 | 5d0baa7c5b7c55166012fb4d80fcea12dad5743dde9d044d517ecf91c9ff5049e81ce4684d4911cc30c18f643183b03c81e3d20ebab4bf911c1d8eced5c45ab0 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 06018b9a0bbc632dcccddd43cee4d72f |
| SHA1 | 8b3ee9ecd5150ffa5c42acbc7d6d96d2e4bed344 |
| SHA256 | c59cde484857ad62bdaee2316cca5c208d95700337b44cb33f205e2fa165f3b9 |
| SHA512 | 4fc2044517e8ebe1cd81c19429761204041263d2ecf742e93826ed9288486c562406cf409ffb44a3041cb2b563cb7b8da5ff9ace11e1941a4807466bb4e24537 |
C:\MintOE\dobasys.exe
| MD5 | f51e13ef278ca6dfdff3842583015676 |
| SHA1 | 4bf53c21239e519565b5e63e580b84685faad989 |
| SHA256 | ee967cb1ffb855468b11495ed823e9e8f4b287a01e88bcc7cce6edb110f5843f |
| SHA512 | 8353e2acd52ea86fccdc6461819e8a5e296407b93904712baf81de0879bba6dcd31d9f5a007150be44ae2f1727a91e5291ebdec8bc4d88a77040bf4dcede7dc5 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-13 19:38
Reported: 2024-11-13 19:40
Platform: win10v2004-20241007-en
Max time kernel: 120s
Max time network: 96s
Command Line:
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\923601a81437a58e2879a3b2d93142d6499705cfbaa9cd14de08a1c34a8fa665.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\Adobe6M\aoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe6M\\aoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\923601a81437a58e2879a3b2d93142d6499705cfbaa9cd14de08a1c34a8fa665.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ17\\dobxec.exe" | C:\Users\Admin\AppData\Local\Temp\923601a81437a58e2879a3b2d93142d6499705cfbaa9cd14de08a1c34a8fa665.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\923601a81437a58e2879a3b2d93142d6499705cfbaa9cd14de08a1c34a8fa665.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Adobe6M\aoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\923601a81437a58e2879a3b2d93142d6499705cfbaa9cd14de08a1c34a8fa665.exe | "C:\Users\Admin\AppData\Local\Temp\923601a81437a58e2879a3b2d93142d6499705cfbaa9cd14de08a1c34a8fa665.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe" |
| C:\Adobe6M\aoptisys.exe | C:\Adobe6M\aoptisys.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.144.22.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
| MD5 | 176b5cff10ed0f26991a879ea49ec831 |
| SHA1 | f8df10b97c5b42eca43469dd21d97df9e5aaf23c |
| SHA256 | 3c8a275db7472ef38122b2f880b402f0f23c50b74cd196178f4ac97d7de07727 |
| SHA512 | 041958d55a53021c825bb99a4586cf550afff4eb656a45bd8b62da162c146e628c547cea7ea899d78cb4c322c1b9c8306a8f567e9749be8cc50fed1ca7d68089 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 2ead492d34dc4b4591fb30e4f05169c0 |
| SHA1 | d3ed214f4a6988cab809d67722b3a8da1b500526 |
| SHA256 | 9f4fc6f72e3b030f3db0f46437cae63fe3b2e763d2da66a018ed09c5504031aa |
| SHA512 | 4f458b8b75acd3bb0d25d45f18fd2574838a474029e1216fa21c57f4e22409fda382e638b6fcf16e1d154323d164e1d3e406fbb71be288b1e81a48b053154d43 |
C:\Adobe6M\aoptisys.exe
| MD5 | 66926690972c062deb605c2d50787f4e |
| SHA1 | 2dce5afa2330c267dde82437526abd6a9291459f |
| SHA256 | b52bca6ab7bd2f3f51ebeeccbd8a2b4e9d33157bb192b2f20d215714e3b4d9e6 |
| SHA512 | 6d590a29b69fc70b13407ab2a76ad3a5ae5fa26829519ddea4779af49ade0a952580c2e3e642129de37c50379705700de23390c6d77bd15dfb8f57d9a9b085d3 |
C:\LabZ17\dobxec.exe
| MD5 | 69ec19469f53d6e97b1112ebacbf0f6e |
| SHA1 | ff4e4091f4332e9b6fcd2c68c3736c5c921532ff |
| SHA256 | 6bd01b6f8c22925b816d2583e648ab4b87093508d1030bb6c24cf04169eece61 |
| SHA512 | b296079c4375f9e608765cfb1345fc105d545bd8ae8f0f07d6563cf0e6e91a800d0c5cb4eef927e46994ebf8c7a7d09682d5b893ceb144e12a1454a0bbe26d9c |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | fac85246fd9014cb56672affe971c691 |
| SHA1 | fa1356c440e9427e1b9050d8227cceedadfcd2f0 |
| SHA256 | 21c74f05504b32e4e463c3f7d217d9aab446bde2e70cb19c6f8161c7a99263b3 |
| SHA512 | 001502670af4694383453310832a66f74b5271a4e3a52c553946e3ea979624db9e0cfc0108d98a0d39eef9b441e2714919a6d0d909a2a09746175000cd9b4c8d |
C:\LabZ17\dobxec.exe
| MD5 | 314730f15e4844eca6c33dff76b1d2cf |
| SHA1 | 5188d3bfd1e2d1d4c47b176525b3cd16479810a4 |
| SHA256 | 6b5e3df98a5c0497d187a4734649dafec83d63ce9125176993b3c11200846600 |
| SHA512 | 7fc0d97dd52c1a55cd813b1df2db9f179641d0989c8428075925b55c7491eec277750f35b15b1e0862fddf338464342f19a2d0425dcbcbba2e765f7dbcf84dfb |