Analysis Overview
SHA256
60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353
Threat Level: Shows suspicious behavior
The file 60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-26 04:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-26 04:06
Reported
2024-10-26 04:08
Platform
win7-20241010-en
Max time kernel
118s
Max time network
18s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | C:\Users\Admin\AppData\Local\Temp\60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| N/A | N/A | C:\FilesXI\xbodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintR5\\dobxsys.exe" | C:\Users\Admin\AppData\Local\Temp\60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesXI\\xbodec.exe" | C:\Users\Admin\AppData\Local\Temp\60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesXI\xbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe
"C:\Users\Admin\AppData\Local\Temp\60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
C:\FilesXI\xbodec.exe
C:\FilesXI\xbodec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
| MD5 | f1170ab96ff0d6245a1d78434184d88a |
| SHA1 | 6b544f906bfd5c5eb675af2ecd04d8b6fd300f3b |
| SHA256 | 0eab4708b3e9e17a0b2c66c22f8291a4c8151fd1257360d850a3fe8350b19b22 |
| SHA512 | 53429ac5e561b269b098d0c50116e6b3602946bb3331967efb441e75d66d9bd18c355963ce175195bf03863a12b8b80a4711c231bc7e25446d7c8ba92555d199 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 297110f3a0c779f3e2e886d3542f812a |
| SHA1 | c4262291444f230e2538926e940aa45b74efc57c |
| SHA256 | 7ecca22fdfca87967fb99b045d63a94a7737ba2a999e503487f63bd9a64b604e |
| SHA512 | bff58642c7d239f50c2f8db4a9747a9ca55dffc389ce2c27eef434ab29bc476482b885532158cd9b10ac9e0c7c91dcbb89aa79c8b201d43ff100a3073ccd47de |
C:\FilesXI\xbodec.exe
| MD5 | 5f64861955603d6f426d7871b3014efa |
| SHA1 | 5b50761c4d274b41e989dd385d3e03dc6c7bb1f6 |
| SHA256 | 5bcd017eee66a9075353896e1454f2c8e52dc623e506a64b67605e7dd83353e1 |
| SHA512 | f663429cb98e380a4adf5e354692ed130513e2892f5d842cce29fb3699f09af7fb8823f4fee595913ab2d6cc8f940a4e22c412846bee3579d3532e8881554339 |
C:\MintR5\dobxsys.exe
| MD5 | 459618bcca750b5533666c7585e055b6 |
| SHA1 | 6202619d112878a1bdf8014a2e696dea9752e00f |
| SHA256 | 957265a8f281496de3480f04bbfb3a1761a968dfa4e3db5c51a5fdbffc90bf9a |
| SHA512 | 9b436fdfa54f87123149c7209f9dbe92f1c4526c46d1d5a39762e96ef0a37835eb05478e6c37721ec1a1551e738149d352f9e678739621b0179fa5783ad0e1c2 |
\FilesXI\xbodec.exe
| MD5 | 1f07df99e0d7862db027647b5ab63a6e |
| SHA1 | 1f732785a6921f27b9299681711de721ad801235 |
| SHA256 | c693ade3a462dd193914a1378d0bc636dd7ee76e30cdbf1c6a496096c5dab8e8 |
| SHA512 | 62eac6429609c78f175c60c73eaeab3e514bc6b4c7b9b352e25806f1f4df3a332d603374455bf9fb5febfce8cf8807083e4200061eea56d0e007491ec298b13d |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | d6ee1ad2a245fcc7bb05ad5760c16803 |
| SHA1 | 89095f8044528e9ca221a92c9cb3eab4f40c576c |
| SHA256 | 55f0fd5377b57af12007e226ad1aa40c170a7dea52b7ef0160b06db6f4f2880b |
| SHA512 | 67124760f06c3b956f8bd03077df5d6b1fe202efd3a17a8cf1da53c9f89e478ae2d9ebbdbbca2c9d5591736f1ebf998948b93abbbf7651940e798b71d000f3a0 |
C:\MintR5\dobxsys.exe
| MD5 | 8202402d3c8b3ba301422f3b264c2475 |
| SHA1 | 2a83f3a0ccd947f9074234ecf732582c325270e1 |
| SHA256 | d5e7d0696af9eda8747989952c1c1a8ef7fd87f9435fce36a6406c18d19f9092 |
| SHA512 | b937709fe00c0e84081eb24c9da330e9c46e66ecc8f05d81f646d9f25c1b6efe3a8e982f93365bab03558d373f4fc20a21a7b01219039982c939b515096839cc |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-26 04:06
Reported
2024-10-26 04:08
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
101s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | C:\Users\Admin\AppData\Local\Temp\60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| N/A | N/A | C:\IntelprocKM\xbodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocKM\\xbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintEC\\dobaec.exe" | C:\Users\Admin\AppData\Local\Temp\60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocKM\xbodloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe
"C:\Users\Admin\AppData\Local\Temp\60723d4880f4e3621fa378bd3e358fba507f6580057fa43902b94a9e52ad4353N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
C:\IntelprocKM\xbodloc.exe
C:\IntelprocKM\xbodloc.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
| MD5 | af8aa649d739a2c0613b36b142081aaf |
| SHA1 | 87c6e8baefe9c2dfbd02800992fefa3a19ce8e81 |
| SHA256 | 94e3b37a614f66b2cd4f927ae4da2587be3d8ef5ca178470bf102080db43967b |
| SHA512 | 77c6e0226b6e4871297b9ddb7d46924a2875060ce74c86187fcb08ce782998b1f039ae1ce9b55965cd9437f740be8eef1e1ffcb47787b514772948518b12765c |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 09f0cfce8c8e57bf13dbad0285425f05 |
| SHA1 | ce24702d19efe0f2636c6aacb7ec82ae4a960cce |
| SHA256 | c527bd8029b067e3fbddc684f93fb7bd464a07fbe2d67353183cf22fe996f567 |
| SHA512 | ff36b96655521086f6728af408d9e09cf8db22822ceb5d566247379ab1f53774c8f6467384158e30ac23959400fcb2cf2399b3f1ff8ba24680f69efec5cd2a12 |
C:\IntelprocKM\xbodloc.exe
| MD5 | 02e0c9080d727013f9b350bc37565585 |
| SHA1 | 533c0f640e88c4d9a903828869d5e8282eead35c |
| SHA256 | 5f130dbb1eb13bbdace86563b476e1d6ffac7f0e14004fa41122663f9e58c5f6 |
| SHA512 | e373016c6d90d46efbf59fa1b4d51458c3e847957703a67bc0d7d1ecb70f05029b326f1cdc625070a4d998e9bb62388e5d8a2f9823ec616df1290793619a2a28 |
C:\MintEC\dobaec.exe
| MD5 | 89cba1fb1a4fb83a1bb886201d7cd6d7 |
| SHA1 | 3e05f006a719f7f0aecba2cd1fefd33e74b99536 |
| SHA256 | 16372c0d6174081d3e76cee61915f9032fa97fbdf4b1fbf1359739b440457e2b |
| SHA512 | ef5c596c826a1acbd07e80438cfdd728244baea704d022a92f3d5dbf6433d6a2a156f77f7d8b307c023c4f168151d1d942cbe6960372304b2bdfeea0c2782d64 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | de914bc8387ef1ed79e506c3d89ce47a |
| SHA1 | 125e27b52f781ab4bc29756a2c5cc1e010908760 |
| SHA256 | b5b8f2f5fc98aac388f013ec89080501669c312dd70505080ae80c58b0b7e723 |
| SHA512 | 5d4f3535ff55cba19471bd4ea682ec6c9e980488022163dd3908ad9b07fe90cd80f884cda9958e093a715334d4c939e2b1aeaf3db67d874953ab8555516a982f |
C:\MintEC\dobaec.exe
| MD5 | f3f696f4a91c272a473a0e4c3888def2 |
| SHA1 | 5a0e26733680d6c69d92431efdc909e41e1b6726 |
| SHA256 | fb076ba47fa182f3a83e5adf54d7dc3674ffdc975482264197dcf944b2ca9bbe |
| SHA512 | 5b49998f7ffba2fcb54907e8a6cafb624dd3e0118cc2fc1c2b0365df74aa5470aaf1bf15795e4e809eb5f3593dcc93b7b0573eada765219c8efa8bb74d39a73f |