Analysis Overview
SHA256
f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121
Threat Level: Shows suspicious behavior
The file f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 20:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 20:04
Reported
2024-11-13 20:06
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
102s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | C:\Users\Admin\AppData\Local\Temp\f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| N/A | N/A | C:\IntelprocMD\xdobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocMD\\xdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxY9\\dobxsys.exe" | C:\Users\Admin\AppData\Local\Temp\f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocMD\xdobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe
"C:\Users\Admin\AppData\Local\Temp\f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe"
C:\IntelprocMD\xdobloc.exe
C:\IntelprocMD\xdobloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
| MD5 | 8a2470c1ebcad2acc61d636cfdb7b798 |
| SHA1 | 5685578fc7200bc4dcd2888b5b02ef750ea11079 |
| SHA256 | 4d8d98e66e392598c9d02f84a5dd841057e7c92edb17c713f3f0c8ddd18c09a8 |
| SHA512 | 9ba37c751a9b2a8877646084e49146fdae91e4a0025aed4b0e8511a64e418d7263e2586aee0521159f0c0821da15229ddd736096193a1ef2ccbc55e704bdedcb |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | cb3b46a6307350e1195a0580cf66196d |
| SHA1 | 30929249c728b29ccdd13b39ca0d2f4a5c3abfde |
| SHA256 | 840ec4fca23d36a468107273a98cba761039aff701e64581312c793a97cede3e |
| SHA512 | 6242c296f72964c65810aaaf9c67244b482bf860ddcfd84be124f1b3d25ea6dd592bb007992fc3d7b7dd143469111cf3419d083dd92a8ff69910e38dcd5731db |
C:\IntelprocMD\xdobloc.exe
| MD5 | 3870837866b367b67edaa241e0e8197b |
| SHA1 | 6a6897a7a0d4ee36cbae7be4d988f86602624f3a |
| SHA256 | bd3e620ce17d540b1e017f4cbae2f3fc15210a76ad65a3106734099af2a2b6eb |
| SHA512 | 2f3e961e506786c0b404b75c56e5df96dc4703f7d6387ce747461c7e085f8445d1107324a216bb0af692166595cb1a99e40f9ee58680e9dbaa96131a8cd1f70f |
C:\GalaxY9\dobxsys.exe
| MD5 | e124cb2c9759a37a18fd0c84ae2fb424 |
| SHA1 | c117fe5a18509bd6c0514f64ddbb4d32cf31066a |
| SHA256 | 0f6242acca15715de0369288369db732b7b6b7387fbbbfaa8e49c7eaea17940f |
| SHA512 | 079ebeb0fa791ebbb236f3cd1a1f8dc73a322ac9f2a1e75e6c6cd9796791cf7eff6e9faed82991a2a13e741d531b3c70d63378888f32165d03e9c3abfc689256 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 7032861cab850e4d076eb5f760b48bd5 |
| SHA1 | 3deb78c850aae024ddaefcde5c029fafc4e021e3 |
| SHA256 | 0b6aa60af03d77d53d0f4293889648d254b965663097e88d20be71ba0cf8f4cb |
| SHA512 | e463f72a9d0a5156a2c2ceb288b470260963677d99222d9ad2f2c404cdc2eadb1a63578767d14697fec98582a6faa372b4c494ef32a0f9b80df222bdd830a4ed |
C:\GalaxY9\dobxsys.exe
| MD5 | df55c12afd39a2e1ff20b959c1cd88f8 |
| SHA1 | 2f37c8d682564dc60e8b118d237b75f3dfbf0808 |
| SHA256 | 8622aaa424f9b17ef65997bd46ee19ee8d2cafffba9e44e7b39b0af75c662708 |
| SHA512 | 5eb8cca0c0f6107b0bdfb4360bf881d64fdcc00f159651f5568d2ee51900d94d9344881277895c07189cc3ca02af7d16f71162fe6e0a92300fd6b369bcbd5588 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 20:04
Reported
2024-11-13 20:06
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | C:\Users\Admin\AppData\Local\Temp\f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| N/A | N/A | C:\SysDrv5F\devbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv5F\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZTH\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrv5F\devbodloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe
"C:\Users\Admin\AppData\Local\Temp\f9100117e8f6a79b0d8088e0a03b8d32d8ca90fc7043e1909c3f36025f6e7121.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
C:\SysDrv5F\devbodloc.exe
C:\SysDrv5F\devbodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
| MD5 | 7884e479b90646cc42e17896891a7717 |
| SHA1 | ffa6844e624fda632fe0508f7630b6ff1f862eeb |
| SHA256 | 3ee04ab6be3a84928ac60bdf0709514b52443a60e5cd19b3bf5b723c9f364b88 |
| SHA512 | e0f2cb89c4a60393593a7a31861fec8325562923e0deeccb1d3040059221e107c5fcc06d0417c22d5a0425a92f628af2d5471538a3ba83351207c6cb3f8994a0 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | ebf263d2e3b73cd0a739d6c8e73cb40c |
| SHA1 | e2dc08203e02df75d34333462055b1018dcea041 |
| SHA256 | 1c859a8657866dd90b93d7b72073646bec9d4984896bd032e8e40032ddceee58 |
| SHA512 | f94abe0acd23be33f790d9521b2ad14e2d97a1acd29fedd1a4d85b17d511ecfc8b2f2826318b15fb484ba94bc5927f4bc441781a5ded4bfcbbaabcd9bd5635b7 |
C:\SysDrv5F\devbodloc.exe
| MD5 | 43817318a2d1b0a33a694c07491442ae |
| SHA1 | fe9651e3ef6d87b61ba50a813e0572c52d417841 |
| SHA256 | 647d28d27e6a2bf57fa96f0b3e561b696478b171d08c66483772dbb495831a6a |
| SHA512 | 6f6826a862300ef7e44b3f21aef0cb1bcb8b79b3c77b9808c31f6d4b2fbb52fc424ff704e6748cd3c351f870c9bcc4e4e3d0d702281b598ab4415faade148072 |
C:\LabZTH\dobdevloc.exe
| MD5 | 5b98d0c89193911274755990d5dea2e5 |
| SHA1 | f422d0ba046b7b507c750b06e866befb5ba7e356 |
| SHA256 | 2cb14d5c01c5e9bb48a20a9c60953b644519c7cda394b48922f08d3d955c592e |
| SHA512 | 9bf80a83059d139004cac4e9da525de1b3eddb16b31945d1109aecb8255999484202b2c2bbba1ace8fa5fb0d18a26eed04fca6e349f5b3a2a4d722f784137711 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 5a739c774074ff59bc5ab2b0bf5425f7 |
| SHA1 | ffbb2ab5b54d79d91a927972ba085a6889ee70d7 |
| SHA256 | 4418574c7e1d776445e8d18ee75a2d93652f6bcbedb814f5f1f69a6b73fd2be9 |
| SHA512 | e180c2e2731b24240996a78179d3bacdfddec9989a1371c3f14c29e7e8f3348998890569ce89d12a1d0d753749187c49a06bf7f9957a117f2c2f7060823eecc5 |
C:\LabZTH\dobdevloc.exe
| MD5 | 136ecc167395b0d9639b9584ba09db6a |
| SHA1 | 7d8d4263ff96ce49e77f350dae872c9aaf52fea5 |
| SHA256 | ee9243b37980a8b75dd505dcd93cf6caa883160c73be4249836bc28d4107c4dd |
| SHA512 | 17ac7a986530c0ffbd2b105ace8b18ce318ade618ba003002e1e81175fbd7d40330721682e81ac07ce37a8263abdc9dc3b6e14f0459d5cd939283db083172592 |