Analysis Overview
SHA256
3c0b6685f2a651ae2f9d47605be03e3e5806e4f22f1ae169f6ba968421f00ec1
Threat Level: Shows suspicious behavior
The file 3c0b6685f2a651ae2f9d47605be03e3e5806e4f22f1ae169f6ba968421f00ec1 was classified as showing suspicious behavior. In both detonations the sample drops an executable with a random-looking name into the user's Startup folder (sysxbod.exe on Windows 7, ecxopti.exe on Windows 10), writes further executables into newly created directories directly under the drive root (C:\FilesUD and C:\KaVBLK on Windows 7, C:\AdobeK6 and C:\VidUG on Windows 10), and points an HKCU Run value and an HKCU RunOnce value, both named "Parametr", at them; the Startup copy and the Run-key target are then executed. Every dropped path appears twice in the file lists with different hashes, i.e. each file was written more than once during the run, so the hashes of the dropped files are weak indicators compared with the paths, the value name and the behaviour itself. The sample is unsigned, enumerates processes and calls WriteProcessMemory; the report records no indicator details for those signatures or for the browser-profile read.
Malicious Activity Summary
Drops startup file (T1547.001, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder)
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application (T1547.001)
System Location Discovery: System Language Discovery (T1614.001)
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 22:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 22:00
Reported
2024-10-27 22:03
Platform
win7-20240903-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | C:\Users\Admin\AppData\Local\Temp\3c0b6685f2a651ae2f9d47605be03e3e5806e4f22f1ae169f6ba968421f00ec1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| N/A | N/A | C:\FilesUD\aoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3c0b6685f2a651ae2f9d47605be03e3e5806e4f22f1ae169f6ba968421f00ec1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3c0b6685f2a651ae2f9d47605be03e3e5806e4f22f1ae169f6ba968421f00ec1.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesUD\\aoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\3c0b6685f2a651ae2f9d47605be03e3e5806e4f22f1ae169f6ba968421f00ec1.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBLK\\dobasys.exe" | C:\Users\Admin\AppData\Local\Temp\3c0b6685f2a651ae2f9d47605be03e3e5806e4f22f1ae169f6ba968421f00ec1.exe | N/A |
System Location Discovery: System Language Discovery (T1614.001)
All three binaries open HKLM\SYSTEM\ControlSet001\Control\NLS\Language. On its own this is weak evidence, since ordinary runtime code reads the same key, but it is the usual way a sample checks the installed language before deciding whether to run; the report records no follow-on behaviour that depends on the result.
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3c0b6685f2a651ae2f9d47605be03e3e5806e4f22f1ae169f6ba968421f00ec1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesUD\aoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
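The persistence chain above (Temp-resident dropper writes an .exe into the Startup folder, creates executables in fresh directories under the drive root, and registers them under HKCU Run/RunOnce as "Parametr") is easy to express as hunt rules over endpoint telemetry. The script below is an added example and not part of the sandbox report; the event records are constructed to mirror the win7 indicators plus two benign decoys, and their layout (type, image, target, details, parent_image) is an assumed simplification rather than the real Sysmon schema.

```python
"""Hunt rules for the persistence chain in this report, run over
Sysmon-style events.

Added example, not part of the sandbox report. The event records below
are constructed to mirror the report's indicators plus two benign decoys;
the record layout (type, image, target, details, parent_image) is an
assumed simplification, not the real Sysmon schema.
"""
import re
from collections import Counter
from typing import Iterable, Optional

# Executable placed in the per-user Startup folder.
STARTUP_EXE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
# Writer lives in the user's Temp directory (where the sample was detonated).
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# HKCU Run / RunOnce value; the value name is captured for IOC matching.
RUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\(?P<name>[^\\]+)$", re.I)
# An .exe in a directory created directly under the drive root
# (C:\FilesUD\aoptisys.exe, C:\AdobeK6\abodloc.exe) rather than in
# Windows, Program Files, ProgramData or a user profile.
ROOT_DIR_EXE = re.compile(
    r"^[A-Z]:\\(?!Windows\\|Program Files|ProgramData\\|Users\\)[^\\]+\\[^\\]+\.exe$", re.I)

# SHA-256 of dropped files, copied from the report's "Files" sections.
# Each path was written twice with different contents, so a hash matches
# only one of the two versions; paths and behaviour are the durable IOCs.
REPORT_SHA256 = {
    "a138df6308f42b7312604c54080418904717b182ae141b60d49a90afbf2297e9": "Startup\\sysxbod.exe (win7)",
    "729d6a6fd5c606b6a9ca33c484df257102d7a3d39e84f42ebbb420fef458245c": "C:\\FilesUD\\aoptisys.exe (win7)",
    "a9da1b170675be2c77534ff696fd4e33e40d6851a3384e6ddbfd99c045306b13": "Startup\\ecxopti.exe (win10)",
    "50dc118c438137c3498f7132214381e3982477c9dbbe1283263d176d9ddf5b3d": "C:\\AdobeK6\\abodloc.exe (win10)",
}


def hunt(events: Iterable[dict]) -> list:
    """Return (rule, event) pairs for every event that matches a rule."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "file_create":
            if STARTUP_EXE.search(ev["target"]) and USER_TEMP.search(ev["image"]):
                findings.append(("startup_exe_dropped_from_temp", ev))
        elif kind == "reg_set":
            m = RUN_KEY.search(ev["target"])
            if m and ROOT_DIR_EXE.match(ev["details"]):
                findings.append(("run_key_points_to_root_dir_exe", ev))
            if m and m.group("name").lower() == "parametr":
                findings.append(("run_value_named_parametr", ev))
        elif kind == "process_create":
            if ROOT_DIR_EXE.match(ev["image"]) or STARTUP_EXE.search(ev["image"]):
                findings.append(("exe_launched_from_dropped_location", ev))
    return findings


def summarize(findings) -> dict:
    """Count hits per rule."""
    return dict(Counter(rule for rule, _ in findings))


def known_dropped_file(sha256: str) -> Optional[str]:
    """Map a SHA-256 to the dropped file it belongs to, if it is in the report."""
    return REPORT_SHA256.get(sha256.lower())


# Constructed telemetry modelled on the win7 detonation (not report output).
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\3c0b6685f2a651ae2f9d47605be03e3e5806e4f22f1ae169f6ba968421f00ec1.exe")
STARTUP = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
           r"\Start Menu\Programs\Startup\sysxbod.exe")
HKCU = r"HKU\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion"
SAMPLE_EVENTS = [
    {"type": "file_create", "image": DROPPER, "target": STARTUP},
    {"type": "reg_set", "image": DROPPER, "target": HKCU + r"\Run\Parametr",
     "details": r"C:\FilesUD\aoptisys.exe"},
    {"type": "reg_set", "image": DROPPER, "target": HKCU + r"\RunOnce\Parametr",
     "details": r"C:\KaVBLK\dobasys.exe"},
    {"type": "process_create", "image": STARTUP, "parent_image": DROPPER},
    {"type": "process_create", "image": r"C:\FilesUD\aoptisys.exe", "parent_image": DROPPER},
    # Benign decoys that must not fire: a normal Run value and a system process.
    {"type": "reg_set", "image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "target": HKCU + r"\Run\OneDrive",
     "details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"type": "process_create", "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for rule, ev in hunt(SAMPLE_EVENTS):
        print(f"{rule:38} {ev['image']}")
    print(summarize(hunt(SAMPLE_EVENTS)))
```

Against the constructed events the five sample-generated records produce seven hits and the two decoys none. On real data, map Sysmon event ID 11 (FileCreate), 13 (RegistryValueSet) and 1 (ProcessCreate) onto the same fields. The "Parametr" value-name rule is specific to this sample; the other three rules describe the generic pattern (Temp-resident writer, Startup-folder executable, Run key pointing at an executable in a root-level directory) and will also fire on other droppers that use it.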
Processes
C:\Users\Admin\AppData\Local\Temp\3c0b6685f2a651ae2f9d47605be03e3e5806e4f22f1ae169f6ba968421f00ec1.exe
"C:\Users\Admin\AppData\Local\Temp\3c0b6685f2a651ae2f9d47605be03e3e5806e4f22f1ae169f6ba968421f00ec1.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
C:\FilesUD\aoptisys.exe
C:\FilesUD\aoptisys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
| MD5 | a41c0130a609a257a81f54bd1cd76563 |
| SHA1 | 7ce2b28c8414a065b37ba1049ad979611fe1eac6 |
| SHA256 | a138df6308f42b7312604c54080418904717b182ae141b60d49a90afbf2297e9 |
| SHA512 | 85eaece7946c954eb9b9aeaad174fc29a70d8cf0d0de4841ecdbefe3e1f1a98b81f0c137771342a01edd8b0c69925a8a752fefc1e0f6f1c47d4a6258fc182518 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | bffaf6556342a0b3b53bfe5cae7e56ab |
| SHA1 | 131900b2b766ae28616758d5f2ce2e692b4a8730 |
| SHA256 | ef77f8c398382de4e15a1ee293903cef99d32a3105345d4ab51055a149a1649d |
| SHA512 | 8f3e4382b690000bfdd76be4469fb1c9822dd187165ba02c25359b27d40ed1f44a7d1e4cc7020a1281bc8979b49f2d40f829091b1058a18fe7d51053fbb54986 |
C:\FilesUD\aoptisys.exe
| MD5 | 2085bb17dbc615ac6f2f9dba8fbab2dd |
| SHA1 | d42b1ebdb23d17fc85f7847f45de16d9823a9122 |
| SHA256 | 729d6a6fd5c606b6a9ca33c484df257102d7a3d39e84f42ebbb420fef458245c |
| SHA512 | d5306e20ad5471b3c09c8fa01233e55425af37c0bb73e806115e029a7d9d8b1df919761faa18bfb3e2095357394e0e6f8e5a41cc27686aacbc9bc4d642c6da06 |
C:\KaVBLK\dobasys.exe
| MD5 | fea1341a3a5b975a30a2a5e3bd749b08 |
| SHA1 | 865e10e681d1b333f50b6802f056696bbc6535c2 |
| SHA256 | 0198e26d47875ddf109d384fc0a858350762dd2d018c687681980c746416de90 |
| SHA512 | a8429c7cb97b8f0065fa53de51e5bd4a42fedc9e6ffeff1c7b61467879ed7fe49747ce81e966f2e58032ac485a20605edbfe4abe61bba5490d7f2345a5ab27c2 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 050980bb141ca0678535bfec81b0855a |
| SHA1 | 8f19a0b1e3fb4a976e530c0c25ae37aeaa735846 |
| SHA256 | d20c7c1acbb00a71d1f141bb1815a2a6b1f092303f6fd0b8f57f7bb35f3ed043 |
| SHA512 | 190b27211020890dbd85d5fdfc7e71a5dd1619058673df388b043e160381d4c8346fab209fdab780e0b4a4c6f59e5f2106e5001d8c45c7c39a29712da25f4711 |
C:\KaVBLK\dobasys.exe
| MD5 | c346de548654eab088b033eeb72e5ab8 |
| SHA1 | 61d5e6da50d6f7b00217db8a4faeabab00794f6b |
| SHA256 | 1521865ffa35423f24e6bdb83604d41a34fc1c35747152e884821e8d8880940c |
| SHA512 | 71996885c5bf78369a6b117b33876a4ff88a61e474d45695d776216dbf0c5c67b726e0167ec40d11578f9ff9e4f05d4d09be5b84116cab7e67d7e09c4188b2df |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 22:00
Reported
2024-10-27 22:03
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | C:\Users\Admin\AppData\Local\Temp\3c0b6685f2a651ae2f9d47605be03e3e5806e4f22f1ae169f6ba968421f00ec1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| N/A | N/A | C:\AdobeK6\abodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeK6\\abodloc.exe" | C:\Users\Admin\AppData\Local\Temp\3c0b6685f2a651ae2f9d47605be03e3e5806e4f22f1ae169f6ba968421f00ec1.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidUG\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\3c0b6685f2a651ae2f9d47605be03e3e5806e4f22f1ae169f6ba968421f00ec1.exe | N/A |
System Location Discovery: System Language Discovery (T1614.001)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeK6\abodloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3c0b6685f2a651ae2f9d47605be03e3e5806e4f22f1ae169f6ba968421f00ec1.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3c0b6685f2a651ae2f9d47605be03e3e5806e4f22f1ae169f6ba968421f00ec1.exe
"C:\Users\Admin\AppData\Local\Temp\3c0b6685f2a651ae2f9d47605be03e3e5806e4f22f1ae169f6ba968421f00ec1.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
C:\AdobeK6\abodloc.exe
C:\AdobeK6\abodloc.exe
Network
The entries below match Windows 10 background activity in a fresh sandbox image (PTR lookups of public cloud and CDN addresses, and HTTPS to tse1.mm.bing.net, a Bing host contacted by the Start menu and search); the table has no process column, so none of it is attributed to the sample, and the Windows 7 run recorded no network activity at all.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
| MD5 | 0106849e83f1413ec8f50de347dc4480 |
| SHA1 | 6c478a19abbdd815fad46f2e6ff65076be6c50d4 |
| SHA256 | a9da1b170675be2c77534ff696fd4e33e40d6851a3384e6ddbfd99c045306b13 |
| SHA512 | 97e0bf0049ed7b6d4c2195248ec4623bb13a45676c3be369c89ef56a9a7f099a898f284bad5e4b98251643aa94fa081947e4d9dd2b713df201672207933e5c36 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | fd677ed33f61f0ea5ae62ce40f619051 |
| SHA1 | 01c25c1eb56e3a3512225a69b3e12e1638ad8502 |
| SHA256 | 726f1b326d4bf1375c5293e0c3397e178c48689fe1b69fc331db81efb03aef27 |
| SHA512 | 8756b32676f5c79089e606c28b35cad49739f83d0431868ddc00fb2709165a6a6e48633041bc17dc4f206d478496cb3ad81e071bed8094019d6286f432be9c40 |
C:\AdobeK6\abodloc.exe
| MD5 | 8dd796c6b711ee3aeaed81b18e69bf04 |
| SHA1 | d1929c968aca53ca14333324761ce70cf1cc172a |
| SHA256 | 50dc118c438137c3498f7132214381e3982477c9dbbe1283263d176d9ddf5b3d |
| SHA512 | 437686ccaca56dacfeb8240d60433e74a8e6824d14f9c0951f4183883a8d00c61607f627e61a392882ffc0989c1d6aca45d08731374bc61ac30111d3ccfd913f |
C:\AdobeK6\abodloc.exe
| MD5 | 0f9289520932fbc7f554fa7433fb00f7 |
| SHA1 | 097b2635274f1a214071766e96e736ade66e3dcf |
| SHA256 | f117095cb2c59a54fcc48b7a30ebe0e70101a796c5e88b91fccdc6db670042e3 |
| SHA512 | 73145e60f111b3a8a898045640c9cdb8a8799f5d70f5caead93a877dc9a951ee124efc6e6dfe20d188763839081ce9a30747772b6c90e21294351f8013cf07da |
C:\VidUG\optidevsys.exe
| MD5 | 97feeb208e6d5ff412f8c6eed9ccf98b |
| SHA1 | 98849f52eb243994a9600b1572aa3f7768247f36 |
| SHA256 | 8502ae099a877b7a126d92db0238f805d37138c30a08b4d71fff96b5f0f06cf9 |
| SHA512 | 585108f5b53d58c9f2cfe1e82c2fe2c3be1b22fa47a155621593b0b44d9339da7e3044a1ba3c1f6098d6637d280be8697554459e5524fb3e9834f251f02b74a7 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 9691a0bfd42c6cd06048102999ef3489 |
| SHA1 | 95d8d7f8046f5b8a3ad2f0f3a08b85e5d7dd7419 |
| SHA256 | 25174cf96bf2e9be3a0f6ee747f808eac0d78a876b9c7a6c29ba16fc6d6970a0 |
| SHA512 | 58659bf39893355f76e75260d01f1779cb402e5a6be03c208b565a800081fc5390fdef4d5b165a3a8b0516fd583b676860681003fccf73a3999a94aa89f5320c |
C:\VidUG\optidevsys.exe
| MD5 | 9d094d04ba01c1c87d0afdb4d401b737 |
| SHA1 | 4c4a12c364310eeb33cabcbd1409267987a81bfd |
| SHA256 | 523c6e28bf68a2f49ead3af6c365d99c223f49e476350cbed021fdcff7a9b516 |
| SHA512 | c0dbe6ef352925b67849ee2d6bfb0d529f0d9ff0b909173e9a16a4c005983a52fe08dff4eebfa94450848f847caede6eebfc1ed6fa55e9b4325dfce1467ea911 |