Analysis Overview
SHA256
234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231
Threat Level: Shows suspicious behavior
The file 234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe was assessed as showing suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Drops startup file
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 20:14
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 20:14
Reported
2024-11-13 20:16
Platform
win7-20240903-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | C:\Users\Admin\AppData\Local\Temp\234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| N/A | N/A | C:\UserDotYB\adobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotYB\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBI3\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotYB\adobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
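The persistence pattern recorded above (a copy of the sample dropped into the user's Startup folder, plus HKCU Run and RunOnce values named "Parametr" that point at executables in freshly created directories directly under C:\) is a good candidate for a host-telemetry detection. The following is an added example, not part of the sandbox report or of the sample: the events are constructed to mirror the behavioral1 rows on this page in a simplified Sysmon EventID 11 (file create) / EventID 13 (registry value set) shape, which is an assumption of the example, and the trusted-directory allowlist and the benign "ExampleUpdater" control event are hypothetical.

```python
"""Flag the persistence pattern from this report in Sysmon-style telemetry.

Added example (not part of the sandbox report or the sample). The events
below are constructed to mirror the behavioral1 signatures on this page.
The event shape (id/image/target/details) is a simplified Sysmon
EventID 11 / 13 record, an assumption of this example.
"""
import re
from dataclasses import dataclass

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe")
SID = "S-1-5-21-1846800975-3917212583-2893086201-1000"

STARTUP_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$",
    re.IGNORECASE)
AUTORUN_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<value>[^\\]+)$",
    re.IGNORECASE)
# An EXE sitting in a directory directly under the drive root, e.g. C:\UserDotYB\adobloc.exe
ROOT_DIR_EXE_RE = re.compile(r'^"?[a-z]:\\[^\\]+\\[^\\]+\.exe"?$', re.IGNORECASE)
# Autorun targets under these prefixes are treated as vendor-installed (hypothetical allowlist).
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Constructed events mirroring the report; the last one is a hypothetical benign control.
SAMPLE_EVENTS = [
    {"id": 11, "image": DROPPER,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"},
    {"id": 13, "image": DROPPER,
     "target": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "details": r"C:\UserDotYB\adobloc.exe"},
    {"id": 13, "image": DROPPER,
     "target": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "details": r"C:\KaVBI3\bodaec.exe"},
    {"id": 13, "image": r"C:\Program Files\Example\setup.exe",
     "target": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
     "details": r"C:\Program Files\Example\updater.exe"},
]


@dataclass
class Finding:
    rule: str
    process: str
    indicator: str
    severity: str


def _is_trusted(path: str) -> bool:
    return path.strip('"').lower().startswith(TRUSTED_PREFIXES)


def detect(events):
    """Return findings for Startup-folder EXE drops and suspicious Run/RunOnce values,
    plus one correlated high-severity finding when a single process does both."""
    findings, rules_by_process = [], {}
    for ev in events:
        if ev["id"] == 11 and STARTUP_RE.search(ev["target"]):
            f = Finding("startup_folder_exe_drop", ev["image"], ev["target"], "medium")
        elif ev["id"] == 13 and (m := AUTORUN_RE.search(ev["target"])):
            details = ev.get("details", "")
            if _is_trusted(details):
                continue
            # A drop directory directly under the drive root raises the severity.
            sev = "high" if ROOT_DIR_EXE_RE.match(details) else "medium"
            f = Finding(f"autorun_{m['key'].lower()}", ev["image"],
                        f"{m['value']} = {details}", sev)
        else:
            continue
        findings.append(f)
        rules_by_process.setdefault(ev["image"], set()).add(f.rule)
    for proc, rules in rules_by_process.items():
        if "startup_folder_exe_drop" in rules and any(r.startswith("autorun_") for r in rules):
            findings.append(Finding("multi_persistence_same_process", proc,
                                    ", ".join(sorted(rules)), "high"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.rule:32} {f.indicator}")
```

Running the block against the constructed events yields four findings, all attributed to the dropper: the Startup-folder drop, the Run and RunOnce values (both high because their targets sit in a root-level directory), and the correlated multi-persistence finding. The control event registering an updater from Program Files is not flagged. The value name "Parametr" is deliberately not hard-coded into the logic; it is carried in the indicator so an analyst can pivot on it without the rule depending on it.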
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe | "C:\Users\Admin\AppData\Local\Temp\234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe" |
| C:\UserDotYB\adobloc.exe | C:\UserDotYB\adobloc.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
| MD5 | 168a03cd55d85f22486189eeaefd70e5 |
| SHA1 | 60d91eb179beb6d8bb49e6c14e4e4579412c2d2e |
| SHA256 | b93ae94b271b89b480e78ab98900f35ad161e8ee86a06fc4416c6353061b66ee |
| SHA512 | fad05c88b705404a3b759224872ceb6d9cce557cf3b73301c9da907b69028e5f10aae20326fab1cbad3944b2d79e54e43ad0695d4ac50004ebf47acf7b9dbe63 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 3b6667742f7e537e5bca4ba2faa6e571 |
| SHA1 | a9618d96819e4aebe54bc6efbd82865a22b91bd2 |
| SHA256 | 2d38fcb4934d451a8e439e1c92b9c84edc506ef8422d3cf13612e92351ee514e |
| SHA512 | 18e7f13ca68d9f3b1305456d9237abed64330ef0e7f86364f855c1302e7275e9a5754cc5bb39557cef04a44bd06d01d36066b7743c42048a51a5d01245830b0f |
C:\UserDotYB\adobloc.exe
| MD5 | 3badbdad86588fa014582d9b1c54fc37 |
| SHA1 | 778624b922b5b9af0a57cada14b601d80cc749e6 |
| SHA256 | 18ad6a4485f472626b3fe1d7fd02193984b7eb8362e87e15f7052684441efe1a |
| SHA512 | 7d53292877bd22a562b1780ea8e5b9978d5dab36da2604020504f9d2f77b9806e9d1309790071262152b78480765a1cf257a1ffa348920624d2150e28e993f41 |
C:\KaVBI3\bodaec.exe
| MD5 | e7fcf630355b6e1277254bea898fc6c6 |
| SHA1 | 9e500fe1ac806b71c48b9a890f43c3f08fc524eb |
| SHA256 | 99b9c1bbd683d2c9b98f66965f4fcbaccd50f4ea1656fb50b4deaf31f31e77ba |
| SHA512 | 7cc986b5bc56db5182570b1f603cb8ea9bf5e76fdc30820dec4c68ebb11b5ce38220d3d6a873faea44cc4400912567054a610dfafb07856a574ee8e2519abaaf |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | a8f0e9b438885314146243af310956cf |
| SHA1 | 9998b7e85252338332efff871f67089613992ec4 |
| SHA256 | 80740bdae51338f46c4d17123cad94607977e3fe1ff7b36f835a7160dfd2a66c |
| SHA512 | 2a05841847bb2f53154f6570231cf5420408b08011001a67fe5217fc704fc7df0ae659010e66618aba6b7eff586a9409c75319dd044179d12731dc5c078ae889 |
C:\KaVBI3\bodaec.exe
| MD5 | 3d45b0eaee6cd60ad4f5568ac16ef258 |
| SHA1 | d7e11caa9a67cadd55724afe2d1d84adab824cea |
| SHA256 | ea6a4772229675d6d0144ac1cf4f7831259b4edd25d7706903c3f2e2e3ca7243 |
| SHA512 | 2d25a653389ee60d4d1a922b31cda5d7dac66d70cb6b72b1e60925b039a1066d16fe93dd478af6cc0fe4eb3b73c7cab86c4cc39eb4f0fb4da694adef8999708b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 20:14
Reported
2024-11-13 20:16
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | C:\Users\Admin\AppData\Local\Temp\234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| N/A | N/A | C:\Intelproc4O\aoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc4O\\aoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintLN\\dobxec.exe" | C:\Users\Admin\AppData\Local\Temp\234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Intelproc4O\aoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe | "C:\Users\Admin\AppData\Local\Temp\234f31195f061162795b82d61d370f28e7b0eacc0016f2770b01725fcbbff231N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe" |
| C:\Intelproc4O\aoptisys.exe | C:\Intelproc4O\aoptisys.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
| MD5 | 4da0908e8e159d0b66df3869113d9193 |
| SHA1 | 7195c4730e4d18f83f4fe61af66eb9654d8d8c2f |
| SHA256 | 2fe93daab84dd656dc6633a0a6ca1021406ddcde439c59a8a1eb05d3ae9134cd |
| SHA512 | 1b26588bdab01e76b62e4d53ea917c37e853347e24684c04a5a422b9eb26bdac3dfd69915c19818154f1017b622c0e0753aa2a58e46a754652ffafc3bfcf208c |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | e8df3cc577cbc5306cbf144ab06996f9 |
| SHA1 | 84667810530a560d8365cb778279d9b72d87e5d2 |
| SHA256 | 5956528b155623df5934d023c1963229db5c706432d9fc4cfc1258c9b4a7d69e |
| SHA512 | 693f688b1cc222133f1281b0b1fcc2a253e550232ca494ae6a4b5ba6e5eb9ff52eda5eb76a07d8fea85b3b90c9ffdb5422bc99c1319a1e1df8475ff92b9b9e9c |
C:\Intelproc4O\aoptisys.exe
| MD5 | 87e346237030a0115186712de1ba55e8 |
| SHA1 | c6ab7c5c52cc1a51630bcb97b133fe0801488f04 |
| SHA256 | a77faf4bf001251584028ea5d70989fec2a40d4391b807108a4064c7b64a4f71 |
| SHA512 | 035d89c9009baa20058f4e72d52d8b5fde4d9888f3cf6dd874c5e881964a26a12b1007961f002113db70d28558cbf9682ee5d77e6174f986cee23ac6781bd85d |
C:\MintLN\dobxec.exe
| MD5 | 726955c1a69f16ff4499befc01a68488 |
| SHA1 | 9ceffa1fc28c8054de0e62e6fbd85eec608921e7 |
| SHA256 | b2b22e3bde5c7864de709919b5abcf6a1f2d46b2920e614a643eeb286f9d991f |
| SHA512 | ddea6afcdad889fc3545b027b417b09c01da954ffacaaa72691fb09570fd9c6f7d8019711c6e0af12ba9a57df659f97f7fdac9647a88f09375a5ecb44818ca5f |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 17b66f301518c144742b0c5d92e845af |
| SHA1 | 52528c0fd4f53ac3c01862972607c31cf7e9b8ca |
| SHA256 | 8e96d90b586a3fa8bda8c3241dd7e75494050bc0d830f6964e1b32a375fd7dce |
| SHA512 | 1cdf95c54b1746f1667aa8dae444edad1a208c6e382adea3ce82a44e015f772ff113ac9deec92c068f3c96e94bd35b425d167f3e59127a3c3b444af2a70bc120 |
C:\MintLN\dobxec.exe
| MD5 | b2d77a3e7b154ddf5ca51c28a6701623 |
| SHA1 | f595d154a6fd7e7227edd829b5e8d0c4fa26ed7c |
| SHA256 | 43ccd4eaa5386e73301d86d31810ee29f4bd56a2c5110592a29e3631ced64400 |
| SHA512 | 9eece8a337d9d77b64a64f1a09a5e72d45825171f7d43eff147c697cfa4a30ec9f6d1020d8d453d42cb96a3cd790ee8b31bd315d7a09d6c1a41fbfa7589cbc36 |
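Two things in the Files and Network tables of both detonations deserve attention before the hashes above are turned into indicators. First, the same path is listed twice with different hashes (C:\Users\Admin\253086396416_6.1_Admin.ini and C:\KaVBI3\bodaec.exe in behavioral1, their counterparts in behavioral2), so the file was rewritten during the run and both versions must be kept. Second, every dropped file name and hash differs between the Windows 7 and Windows 10 runs (locxbod.exe vs locabod.exe, C:\UserDotYB vs C:\Intelproc4O), so hashes from one detonation are unlikely to match another infection; the structural pattern (an EXE in a new directory directly under C:\, a copy in Startup, the "Parametr" Run/RunOnce value) is more durable. The Network rows are all reverse (PTR) lookups sent to 8.8.8.8; no connection to the resolved addresses is listed, and the table alone does not show whether the sample or Windows 10 background services issued them. The following is an added example, not part of the report: it parses rows copied verbatim from the tables on this page (a subset, SHA256 rows and three PTR lookups, so it runs offline; the same parser accepts the full tables including MD5/SHA1/SHA512 rows) and produces an IOC summary that surfaces both points.

```python
"""Extract host and network IOCs from the Files and Network tables of this report.

Added example, not part of the report. REPORT_EXCERPT is a subset of rows
copied verbatim from the behavioral1 and behavioral2 tables on this page.
"""
import ipaddress
import re
from collections import defaultdict

REPORT_EXCERPT = r"""
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
| MD5 | 168a03cd55d85f22486189eeaefd70e5 |
| SHA256 | b93ae94b271b89b480e78ab98900f35ad161e8ee86a06fc4416c6353061b66ee |
C:\Users\Admin\253086396416_6.1_Admin.ini
| SHA256 | 2d38fcb4934d451a8e439e1c92b9c84edc506ef8422d3cf13612e92351ee514e |
C:\UserDotYB\adobloc.exe
| SHA256 | 18ad6a4485f472626b3fe1d7fd02193984b7eb8362e87e15f7052684441efe1a |
C:\KaVBI3\bodaec.exe
| SHA256 | 99b9c1bbd683d2c9b98f66965f4fcbaccd50f4ea1656fb50b4deaf31f31e77ba |
C:\Users\Admin\253086396416_6.1_Admin.ini
| SHA256 | 80740bdae51338f46c4d17123cad94607977e3fe1ff7b36f835a7160dfd2a66c |
C:\KaVBI3\bodaec.exe
| SHA256 | ea6a4772229675d6d0144ac1cf4f7831259b4edd25d7706903c3f2e2e3ca7243 |
C:\Intelproc4O\aoptisys.exe
| SHA256 | a77faf4bf001251584028ea5d70989fec2a40d4391b807108a4064c7b64a4f71 |
C:\MintLN\dobxec.exe
| SHA256 | b2b22e3bde5c7864de709919b5abcf6a1f2d46b2920e614a643eeb286f9d991f |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
"""

PATH_ROW = re.compile(r"^(?:[A-Za-z]:)?\\[^|]+$")
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
NET_ROW = re.compile(r"^\|\s*(\w+)\s*\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|\s*(\w+)\s*\|$")
PTR_NAME = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$", re.I)
# Dropped EXE in a directory directly under the drive root, e.g. C:\UserDotYB\adobloc.exe
ROOT_DIR_EXE = re.compile(r"^[A-Za-z]:\\[A-Za-z0-9]+\\[A-Za-z0-9]+\.exe$")


def ptr_to_ipv4(name):
    """Turn a reverse-lookup name back into the queried address, or None if malformed."""
    m = PTR_NAME.match(name)
    if not m:
        return None
    try:  # PTR labels carry the octets in reverse order
        return str(ipaddress.IPv4Address(".".join(reversed(m.groups()))))
    except ipaddress.AddressValueError:
        return None


def parse_report(text):
    files = defaultdict(list)  # path -> one hash dict per version the sandbox recorded
    network, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if PATH_ROW.match(line):
            current = {}
            files[line].append(current)
        elif (m := HASH_ROW.match(line)) and current is not None:
            current[m.group(1)] = m.group(2).lower()
        elif (m := NET_ROW.match(line)) and m.group(1).lower() != "country":  # skip header
            country, dest, domain, proto = m.groups()
            network.append({"country": country, "destination": dest, "domain": domain,
                            "proto": proto, "ip": ptr_to_ipv4(domain)})
    return files, network


def build_iocs(files, network):
    sha256 = sorted({v["SHA256"] for versions in files.values() for v in versions if "SHA256" in v})
    # A path listed with more than one SHA256 was rewritten during the run;
    # every version is already in the hash set, but the path is worth flagging.
    rewritten = sorted(p for p, versions in files.items()
                       if len({v.get("SHA256") for v in versions}) > 1)
    return {
        "sha256": sha256,
        "paths": sorted(files),
        "rewritten_paths": rewritten,
        "root_dir_drops": sum(1 for p in files if ROOT_DIR_EXE.match(p)),
        "ptr_ips": sorted({n["ip"] for n in network if n["ip"]}),
    }


if __name__ == "__main__":
    import json
    f, n = parse_report(REPORT_EXCERPT)
    print(json.dumps(build_iocs(f, n), indent=2))
```

On the excerpt the parser finds six distinct paths but eight distinct SHA256 values, reports the two rewritten paths, counts four root-level-directory drops across the two runs, and reverses the PTR names to the addresses that were looked up (for example 217.106.137.52.in-addr.arpa to 52.137.106.217). The resolved addresses are kept separate from the file hashes so they can be treated as low-confidence until the source of the lookups is established.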