Analysis Overview
SHA256
18c980a274cb22959851ab98a3cf43229359b3e98eb74f2c22497a940d6cdf3f
Threat Level: Shows suspicious behavior
The file 18c980a274cb22959851ab98a3cf43229359b3e98eb74f2c22497a940d6cdf3f was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 20:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 20:07
Reported
2024-11-13 20:09
Platform
win7-20240903-en
Max time kernel
149s
Max time network
121s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | C:\Users\Admin\AppData\Local\Temp\18c980a274cb22959851ab98a3cf43229359b3e98eb74f2c22497a940d6cdf3f.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| N/A | N/A | C:\IntelprocYM\xdobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18c980a274cb22959851ab98a3cf43229359b3e98eb74f2c22497a940d6cdf3f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18c980a274cb22959851ab98a3cf43229359b3e98eb74f2c22497a940d6cdf3f.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxZ5\\bodxec.exe" | C:\Users\Admin\AppData\Local\Temp\18c980a274cb22959851ab98a3cf43229359b3e98eb74f2c22497a940d6cdf3f.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocYM\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\18c980a274cb22959851ab98a3cf43229359b3e98eb74f2c22497a940d6cdf3f.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\18c980a274cb22959851ab98a3cf43229359b3e98eb74f2c22497a940d6cdf3f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocYM\xdobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\18c980a274cb22959851ab98a3cf43229359b3e98eb74f2c22497a940d6cdf3f.exe
"C:\Users\Admin\AppData\Local\Temp\18c980a274cb22959851ab98a3cf43229359b3e98eb74f2c22497a940d6cdf3f.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
C:\IntelprocYM\xdobec.exe
C:\IntelprocYM\xdobec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
C:\IntelprocYM\xdobec.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\GalaxZ5\bodxec.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 20:07
Reported
2024-11-13 20:09
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
133s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | C:\Users\Admin\AppData\Local\Temp\18c980a274cb22959851ab98a3cf43229359b3e98eb74f2c22497a940d6cdf3f.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | N/A |
| N/A | N/A | C:\FilesHI\devdobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesHI\\devdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\18c980a274cb22959851ab98a3cf43229359b3e98eb74f2c22497a940d6cdf3f.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB0K\\dobaec.exe" | C:\Users\Admin\AppData\Local\Temp\18c980a274cb22959851ab98a3cf43229359b3e98eb74f2c22497a940d6cdf3f.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\18c980a274cb22959851ab98a3cf43229359b3e98eb74f2c22497a940d6cdf3f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesHI\devdobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\18c980a274cb22959851ab98a3cf43229359b3e98eb74f2c22497a940d6cdf3f.exe
"C:\Users\Admin\AppData\Local\Temp\18c980a274cb22959851ab98a3cf43229359b3e98eb74f2c22497a940d6cdf3f.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
C:\FilesHI\devdobsys.exe
C:\FilesHI\devdobsys.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\FilesHI\devdobsys.exe
C:\KaVB0K\dobaec.exe