Analysis Overview
SHA256
5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144
Threat Level: Shows suspicious behavior
The file 5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-26 04:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
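The static pass reports only Unsigned PE, with no further detail. The check behind that verdict is whether the optional header's security data directory (entry 4) references an embedded Authenticode blob. The script below is an added example that performs that check with the standard library alone; it is not code from the sandbox or from the sample. The build_minimal_pe fixture is a constructed PE header used to exercise the function, not one of the files in this report. Two caveats: a missing security directory says nothing about catalog-signed files (many Microsoft OS binaries are signed that way), and a present one still has to be validated against a trusted chain (WinVerifyTrust, signtool verify) before "signed" means anything.

```python
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data directory slot that references the Authenticode blob


def has_embedded_authenticode(data: bytes) -> bool:
    """True if the PE image carries an embedded Authenticode signature, i.e. a
    non-empty IMAGE_DIRECTORY_ENTRY_SECURITY entry whose blob lies inside the file.

    False only means "no embedded signature" (catalog signing is not visible here).
    True does not mean the signature is valid or the signer is trusted."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER, 20 bytes
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                    # PE32
        dd_offset = opt + 96
    elif magic == 0x20B:                                  # PE32+
        dd_offset = opt + 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    num_rva_and_sizes = struct.unpack_from("<I", data, dd_offset - 4)[0]
    if dd_offset + 8 * num_rva_and_sizes > opt + size_of_optional:
        raise ValueError("data directory overruns the optional header")
    if IMAGE_DIRECTORY_ENTRY_SECURITY >= num_rva_and_sizes:
        return False                                      # directory too short to hold entry 4
    entry = dd_offset + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    # Unlike every other directory, this one stores a raw file offset, not an RVA.
    offset, size = struct.unpack_from("<II", data, entry)
    return offset != 0 and size != 0 and offset + size <= len(data)


def build_minimal_pe(with_signature: bool) -> bytes:
    """Constructed test fixture (not a file from this report): a minimal PE32 header
    with no sections, optionally followed by a dummy WIN_CERTIFICATE blob that
    data directory entry 4 points at."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, 0 sections, timestamp/symbols=0, SizeOfOptionalHeader=224, EXE|32BIT
    file_header = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    optional = bytearray(224)
    struct.pack_into("<H", optional, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", optional, 92, 16)              # NumberOfRvaAndSizes
    headers_len = len(dos_header) + 4 + len(file_header) + len(optional)
    cert_blob = b""
    if with_signature:
        # WIN_CERTIFICATE: dwLength, wRevision=0x0200, wCertificateType=0x0002 (PKCS#7), 8 dummy bytes
        cert_blob = struct.pack("<IHH", 16, 0x0200, 0x0002) + b"\0" * 8
        struct.pack_into("<II", optional, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         headers_len, len(cert_blob))
    return dos_header + b"PE\0\0" + file_header + bytes(optional) + cert_blob


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        state = "embedded Authenticode present" if has_embedded_authenticode(blob) else "no embedded signature"
        print(f"{path}: {state}")
```

Run it as `python check_sig.py sample.exe`; a truncated blob (offset plus size past end of file) is reported as unsigned rather than trusted, which is the safe default for a triage tool.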
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-26 04:33
Reported
2024-10-26 04:35
Platform
win7-20240708-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | C:\Users\Admin\AppData\Local\Temp\5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| N/A | N/A | C:\IntelprocH5\xoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocH5\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ7C\\dobaloc.exe" | C:\Users\Admin\AppData\Local\Temp\5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocH5\xoptiec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe
"C:\Users\Admin\AppData\Local\Temp\5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
C:\IntelprocH5\xoptiec.exe
C:\IntelprocH5\xoptiec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
| MD5 | 73f07fc128587294da4cb9d432f99fc5 |
| SHA1 | 93cf80666038db3d1c79e18b628b9524df47fcaa |
| SHA256 | 180a967a756208eddd25a900ab76acd2273a708b7ee13521afc35be08deee0fa |
| SHA512 | 426e8c15fc743212192bae1a686faf5254e31aac09513d17faf3db6a24da177ae2768ca6b7cb51dffdf92c76ecfbdc7cb3983a7d28ead9b7e40ab3a62297c838 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | ea0e8493712d04ad964a61b1c0f62084 |
| SHA1 | f75fb2c372f48ec5971f04d3ee07517d7977ed13 |
| SHA256 | de2d57ea6d3d0210f349052823d080420311ece296fdaa9cae5e1d80e3d129c5 |
| SHA512 | b7f78131231ed4bd7946536dbdf3512d2ad315d77b509457bdd86097ae6a3de16991b87867cbeb9b2589dc4ca45275b36bda76c60af6e075a3ea5bf3b58c1a0b |
C:\IntelprocH5\xoptiec.exe
| MD5 | 1b303d635a2b1ff937a5584adc9cab18 |
| SHA1 | e0da617cf72cdb17995d57457fd63c8196bf4c21 |
| SHA256 | 08599f14e4d42c9b4180b22a0006e93cc5bc703c8f68026bf5b3f2a3553b022c |
| SHA512 | ec4de85b3f2d50f22d6044cf2a74db69bc0d60e4324e1affc96492db11804bc32f53f1325f47c3f8f8b00e45e58ed5da1899e01f1a39af42b36d3581651ab4df |
C:\LabZ7C\dobaloc.exe
| MD5 | f71811ca286aa054a05377fbfe4308a5 |
| SHA1 | b4a1804662f151e759806874c2a0613ee20e97b4 |
| SHA256 | a0948ff9f98be1ea4b1c111c8804a300595e4345ad24aeeb34d29353ad02fe84 |
| SHA512 | 927de7696adf06406a07e6822bc64a3ce5e428d9598ee933619a16b89e0bf7f058dd2343a87928a4ee2de368447621f135e5f3cf5eb8e997f7bf02076ae7e278 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 5919c829146c6fcddae0b596f9a79bd1 |
| SHA1 | 8e2eec003f9230901e187cafef3a07143f9b8bbe |
| SHA256 | c3bd9346b0f05bf4eb3d69760fd73182206ec9f40447fbaf35280a93fdec4d81 |
| SHA512 | f02190d490fb25c5641ec7f0a3836cd018cd4542f81856038fcd95da7bb7687e804cd0274ee1ba3dce3ebee23ada33eb16cfe68182b6065bd277fc548787f093 |
C:\LabZ7C\dobaloc.exe
| MD5 | a39431ecd71a739daa9e6d095a7a2efe |
| SHA1 | ca407030e24d26a92597ef3caeae6c5a6fc01151 |
| SHA256 | d0f142f9fce28a5390358f6e2134273ed25ca883305eb05dd6031769371cbd98 |
| SHA512 | 0f4cf1bff6f993c25a72f13d6f2cca574a076fd9c29a18a306634084cc679bdfcefa64920e37171a58d33e6f500540cdedcfb87d46f2ed29ab55043afbcc90e5 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-26 04:33
Reported
2024-10-26 04:35
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
102s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | C:\Users\Admin\AppData\Local\Temp\5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| N/A | N/A | C:\SysDrvOD\devbodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvOD\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintQP\\dobxloc.exe" | C:\Users\Admin\AppData\Local\Temp\5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe | N/A |
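Across the two detonations the dropped file names and the root-level folders differ (locxopti.exe, IntelprocH5, LabZ7C on win7 versus sysxbod.exe, SysDrvOD, MintQP on win10), while the mechanism is identical: one executable written into the per-user Startup folder, plus Run and RunOnce values named Parametr pointing at executables in newly created folders directly under C:\. The triage script below is an added example, not part of the report or of the sample: it parses the "Drops startup file" and "Adds Run key to start application" rows of both detonations (copied here as constructed input, with the long sample name shortened to SAMPLE.exe), turns them into autostart records, and flags the ones whose target lives outside Windows or Program Files, that are executables inside a Startup folder, or that were written by a process running from %TEMP%. The trusted-prefix list and the `live_run_keys` helper are assumptions for illustration; the helper only does anything on a Windows host, where it feeds HKCU Run/RunOnce through the same check.

```python
import re
from dataclasses import dataclass

# Constructed input: the persistence rows from this report's "Drops startup file"
# and "Adds Run key to start application" tables, behavioral1 (win7) first, then
# behavioral2 (win10). The long sample file name is shortened to SAMPLE.exe.
REPORT_ROWS = r"""
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocH5\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ7C\\dobaloc.exe" | C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvOD\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintQP\\dobxloc.exe" | C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe | N/A |
"""

# Assumed allow-list for illustration; tune it to the estate being hunted.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js")
RUN_VALUE = re.compile(r'^(.*\\CurrentVersion\\(Run|RunOnce))\\[^\\ ]+ = "(.*)"$')


@dataclass
class Autostart:
    kind: str      # "run_key" or "startup_folder"
    location: str  # registry key or folder that triggers the start
    target: str    # executable launched at logon
    writer: str    # process that created the entry


def parse_persistence_rows(text: str) -> list:
    """Turn the report's table rows into Autostart records."""
    found = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3:
            continue
        desc, indicator, writer = cells[0], cells[1], cells[2]
        if desc == "File created" and "\\start menu\\programs\\startup\\" in indicator.lower():
            folder = indicator.rpartition("\\")[0]
            found.append(Autostart("startup_folder", folder, indicator, writer))
        elif desc.startswith("Set value"):
            m = RUN_VALUE.match(indicator)
            if m:
                # The report prints the REG_SZ data with doubled backslashes; undo that.
                found.append(Autostart("run_key", m.group(1), m.group(3).replace("\\\\", "\\"), writer))
    return found


def reasons(a: Autostart) -> list:
    """Heuristic flags; an empty list means nothing stood out."""
    out = []
    t = a.target.lower()
    if a.kind == "startup_folder" and t.endswith(EXEC_EXT):
        out.append("executable (not a .lnk) dropped into a Startup folder")
    if a.kind == "run_key" and not t.startswith(TRUSTED_PREFIXES):
        out.append("Run/RunOnce target outside Windows or Program Files")
    if "\\appdata\\local\\temp\\" in a.writer.lower():
        out.append("entry written by a process running from %TEMP%")
    return out


def live_run_keys() -> list:
    """On a Windows host, read HKCU Run/RunOnce so reasons() can be applied to a
    live machine. Returns [] elsewhere (winreg is absent); writer is unknown."""
    try:
        import winreg
    except ImportError:
        return []
    out = []
    for sub in (r"Software\Microsoft\Windows\CurrentVersion\Run",
                r"Software\Microsoft\Windows\CurrentVersion\RunOnce"):
        try:
            key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, sub)
        except OSError:
            continue
        with key:
            i = 0
            while True:
                try:
                    _name, data, _type = winreg.EnumValue(key, i)
                except OSError:
                    break
                out.append(Autostart("run_key", "HKCU\\" + sub, str(data).strip('"'), "unknown"))
                i += 1
    return out


if __name__ == "__main__":
    for entry in parse_persistence_rows(REPORT_ROWS) + live_run_keys():
        flags = reasons(entry)
        print(f"[{'SUSPECT' if flags else 'ok'}] {entry.kind}: {entry.target}  <- {entry.location}")
        for f in flags:
            print(f"    - {f}")
```

The value name Parametr and the pattern "Run target in a fresh folder under C:\, RunOnce target in a second fresh folder" survive across both runs, so a hunt query built on that structure will match where a hash or file-name list from a single run will not.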
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvOD\devbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe
"C:\Users\Admin\AppData\Local\Temp\5e85c93a04fa06c588f79971e4b21c059c2e70159d08eaadb7f29eba96ab0144N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
C:\SysDrvOD\devbodloc.exe
C:\SysDrvOD\devbodloc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
| MD5 | ba8988d43e73030e8e207ae54f4ebf1f |
| SHA1 | 85a49edb87c702245d24ba31aa9c684401aca628 |
| SHA256 | 48e791e7bfb78b8d65aeef7389adaa5d8d89d4ad42f1bcf70c16c2953700ff4c |
| SHA512 | 4601eae783a6b2d9ed7ecb4db58f885615185449fb71b8ed16d7ddb09f862ed6e8f8941a724eae71562eaafac6b7dd7316c32d62e6f36dc849d6298d37c45a2e |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | cfc7c59211d600233ced407dc5c6cd0e |
| SHA1 | d50b0660d9ce00a29cd99c2f6521661c6ba753f8 |
| SHA256 | e2e343e40e621fd850c052ed5fa2d51287ec6f290e59cc3bedf0fcf340b07c98 |
| SHA512 | 5aef83c1c9ec77c0505321f6947f08abffc319b5afd4c562179780fdcac9e9449a1850a6531b7b2b272af2a516943a0d81c334fa7d628835c1598824e033d1d7 |
C:\SysDrvOD\devbodloc.exe
| MD5 | 20308f981abfb0240a5e3bfb669a9f9f |
| SHA1 | 7201f6e2309e7810fdb7c21ea645c61b25a48dbc |
| SHA256 | 6541d343db7f4aae2c82fad180636049ae91db631a5eb89e9467ab68abc5c509 |
| SHA512 | 45403482a0e7ee6b3343caa00204a78951d67dc73c9b26e695ceb1930432d90e6ca9a9a516fcdd8098a799f26d9c3c0947d666459f7ea75b1d5846f9c7d77f8c |
C:\MintQP\dobxloc.exe
| MD5 | 51387bf65f6ab52367768502a2735d4f |
| SHA1 | adcba95f62ed11a127237a38267dbea37b262242 |
| SHA256 | 95db967c76a97f220ac69083da8205dc232cb635dad141b4ce7b59ba2778182e |
| SHA512 | 62a1c5440a88ccdf2a2a912e0f4b677e0b1955ff22222c62664b5a0e8a9fd5c8061bdd404a9e2058552da4a379d8195ff64f4c9a39b1c38daaaf8612096b6297 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 7a2334baff1868589c96153d688e0be2 |
| SHA1 | cb8e97cf1f85af906bda9ec0bb191310b2e9831a |
| SHA256 | 5d89eb9289c37126b762141419094fba4e0fb3f81a4119deb0ecea02851d9d40 |
| SHA512 | 299cf6949aa376a8eac9b416d994471452adfb22e05221e6ec82d0bdf0e111a22972b701228c2cbc4aeb6292b31b57b7fc3c4900d86a60b55f40aab5c94bc7be |
C:\MintQP\dobxloc.exe
| MD5 | 24dc13826c530ac0888279383f79b0c1 |
| SHA1 | 61ff8bca4a6d4377909f834d6c08794b2cd97714 |
| SHA256 | deaffb93caa56c5cbc8a25db30ca4f25c2b9210ebb3d4f9a5a5a8d10c8a0b8c2 |
| SHA512 | 1d55b571fcf3164e649ce39c94e454b4c86b730200c2eaa833e9c4cf408e109d7663dddfc59d522a0b367ae9534a74b0f0f6bf1a49c03605c338c99cfa0f7f43 |
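Both Files sections list the same path more than once with different hashes: the `253086396416_<version>_Admin.ini` file (6.1 on win7, 10.0 on win10, apparently the OS version) and the RunOnce target are each written twice per run, and no hash recurs between the two detonations. An IOC extractor should therefore surface the rewritten paths and treat the hash list as per-run evidence rather than a stable blocklist. The script below is an added example, not code from the report; its input is the MD5 and SHA256 rows of both Files sections copied from this page (SHA1/SHA512 rows omitted to keep the block short), and the parser accepts any of the four hash rows the report format uses.

```python
import re
from collections import defaultdict

# Constructed input: MD5 and SHA256 rows of this report's two Files sections,
# copied from the page. behavioral1 ran on win7-20240708-en, behavioral2 on win10v2004-20241007-en.
FILES_WIN7 = r"""
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
| MD5 | 73f07fc128587294da4cb9d432f99fc5 |
| SHA256 | 180a967a756208eddd25a900ab76acd2273a708b7ee13521afc35be08deee0fa |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | ea0e8493712d04ad964a61b1c0f62084 |
| SHA256 | de2d57ea6d3d0210f349052823d080420311ece296fdaa9cae5e1d80e3d129c5 |
C:\IntelprocH5\xoptiec.exe
| MD5 | 1b303d635a2b1ff937a5584adc9cab18 |
| SHA256 | 08599f14e4d42c9b4180b22a0006e93cc5bc703c8f68026bf5b3f2a3553b022c |
C:\LabZ7C\dobaloc.exe
| MD5 | f71811ca286aa054a05377fbfe4308a5 |
| SHA256 | a0948ff9f98be1ea4b1c111c8804a300595e4345ad24aeeb34d29353ad02fe84 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 5919c829146c6fcddae0b596f9a79bd1 |
| SHA256 | c3bd9346b0f05bf4eb3d69760fd73182206ec9f40447fbaf35280a93fdec4d81 |
C:\LabZ7C\dobaloc.exe
| MD5 | a39431ecd71a739daa9e6d095a7a2efe |
| SHA256 | d0f142f9fce28a5390358f6e2134273ed25ca883305eb05dd6031769371cbd98 |
"""

FILES_WIN10 = r"""
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
| MD5 | ba8988d43e73030e8e207ae54f4ebf1f |
| SHA256 | 48e791e7bfb78b8d65aeef7389adaa5d8d89d4ad42f1bcf70c16c2953700ff4c |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | cfc7c59211d600233ced407dc5c6cd0e |
| SHA256 | e2e343e40e621fd850c052ed5fa2d51287ec6f290e59cc3bedf0fcf340b07c98 |
C:\SysDrvOD\devbodloc.exe
| MD5 | 20308f981abfb0240a5e3bfb669a9f9f |
| SHA256 | 6541d343db7f4aae2c82fad180636049ae91db631a5eb89e9467ab68abc5c509 |
C:\MintQP\dobxloc.exe
| MD5 | 51387bf65f6ab52367768502a2735d4f |
| SHA256 | 95db967c76a97f220ac69083da8205dc232cb635dad141b4ce7b59ba2778182e |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 7a2334baff1868589c96153d688e0be2 |
| SHA256 | 5d89eb9289c37126b762141419094fba4e0fb3f81a4119deb0ecea02851d9d40 |
C:\MintQP\dobxloc.exe
| MD5 | 24dc13826c530ac0888279383f79b0c1 |
| SHA256 | deaffb93caa56c5cbc8a25db30ca4f25c2b9210ebb3d4f9a5a5a8d10c8a0b8c2 |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files_section(text: str) -> list:
    """Return [(path, {alg: hex_digest}), ...] in report order; a path line opens an
    entry and the hash rows that follow belong to it. Malformed digests are rejected."""
    entries = []
    for line in text.strip().splitlines():
        line = line.strip()
        m = HASH_ROW.match(line)
        if m:
            if not entries:
                raise ValueError("hash row before any path")
            alg, digest = m.group(1), m.group(2).lower()
            if len(digest) != DIGEST_LEN[alg]:
                raise ValueError(f"{alg} digest of wrong length for {entries[-1][0]}")
            entries[-1][1][alg] = digest
        elif line:
            entries.append((line, {}))
    return entries


def rewritten_paths(entries: list) -> dict:
    """Paths that appear with more than one SHA256, i.e. written and then overwritten."""
    seen = defaultdict(set)
    for path, digests in entries:
        seen[path].add(digests["SHA256"])
    return {p: s for p, s in seen.items() if len(s) > 1}


def sha256_set(entries: list) -> set:
    return {digests["SHA256"] for _, digests in entries}


if __name__ == "__main__":
    w7, w10 = parse_files_section(FILES_WIN7), parse_files_section(FILES_WIN10)
    for name, run in (("win7", w7), ("win10", w10)):
        for path, digests in rewritten_paths(run).items():
            print(f"{name}: {path} written {len(digests)} times with different content")
    print("SHA256 shared across runs:", sorted(sha256_set(w7) & sha256_set(w10)) or "none")
    print("distinct SHA256 across both runs:", len(sha256_set(w7) | sha256_set(w10)))
```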