Analysis Overview
SHA256
3cdb7b48c091058418aaf6718ceec337e7b45d8f2f329003fe274c7ca5b41f5f
Threat Level: Shows suspicious behavior
The file 3cdb7b48c091058418aaf6718ceec337e7b45d8f2f329003fe274c7ca5b41f5f was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 22:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 22:02
Reported
2024-10-27 22:05
Platform
win7-20240903-en
Max time kernel
150s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | C:\Users\Admin\AppData\Local\Temp\3cdb7b48c091058418aaf6718ceec337e7b45d8f2f329003fe274c7ca5b41f5f.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| N/A | N/A | C:\UserDotJ8\adobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3cdb7b48c091058418aaf6718ceec337e7b45d8f2f329003fe274c7ca5b41f5f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3cdb7b48c091058418aaf6718ceec337e7b45d8f2f329003fe274c7ca5b41f5f.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotJ8\\adobec.exe" | C:\Users\Admin\AppData\Local\Temp\3cdb7b48c091058418aaf6718ceec337e7b45d8f2f329003fe274c7ca5b41f5f.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidQV\\dobxec.exe" | C:\Users\Admin\AppData\Local\Temp\3cdb7b48c091058418aaf6718ceec337e7b45d8f2f329003fe274c7ca5b41f5f.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3cdb7b48c091058418aaf6718ceec337e7b45d8f2f329003fe274c7ca5b41f5f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotJ8\adobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3cdb7b48c091058418aaf6718ceec337e7b45d8f2f329003fe274c7ca5b41f5f.exe
"C:\Users\Admin\AppData\Local\Temp\3cdb7b48c091058418aaf6718ceec337e7b45d8f2f329003fe274c7ca5b41f5f.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
C:\UserDotJ8\adobec.exe
C:\UserDotJ8\adobec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
| MD5 | c610d9346c82cce9598ee0ffac65c9f3 |
| SHA1 | f6df6e823507e1dcf5c4f860aba5296d16577502 |
| SHA256 | 80827d7d8448e2e69d4ff8a60d192760e13c7b24dda433188dcb9ef839cfab86 |
| SHA512 | dd577c245b37ca8b6bb6e3577d96d64df70b936b14f3cde31f63936dfbdd136326cd9331e70c4ba3ce591cb303794183c5799d1c7693ddee0b2e3eb842d5a284 |
C:\UserDotJ8\adobec.exe
| MD5 | 9342e36075baf9d36491c8b065829323 |
| SHA1 | 2f7310a8fc8d20d7b288004c1476ac88ff71bf60 |
| SHA256 | ebadc15d35761a141db9e72ecb298024e789165abf23b729c4b62f7b918298e7 |
| SHA512 | 25e252bf2771d5db65d52df4f13d347014b7c0babd0bfcb4eec6ee71fef67d69e91036ede77d11588f1719bbb474e4ecd31c39cd450f3c63add059c53c68bdae |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | cc181cc1dd49a848c9cebb45c4029b1b |
| SHA1 | 0a19c315bb72a0d365fdc781e248bb9487562326 |
| SHA256 | 522349a40a4e2fd91081bf5b556f56096ab9583e0777e6e907172c946eac337e |
| SHA512 | dbe223eb6c01c5f57b7cbbaa146f05441ae1f67f61ba0bb77a0908f0a1759fe7b665d7eadc84cb35f34f1b33b3f5daefd7e789610e606cdea37ebf0c482997e6 |
C:\VidQV\dobxec.exe
| MD5 | b366a533c713c29dd4bd65245e42ceac |
| SHA1 | b44535661a8b51b8027afbb93716e5ee4d333b0d |
| SHA256 | 60e7e85fdaa288dcbd7bc08ff767ba3b6c7c78f4560f256e4d1ec0afe31d1419 |
| SHA512 | 6c575312f5b463b5c73d9c02fc32adc4212bef056a92628beb2305a9e494396bc4f2b7265320683c751ba1e2b13c620214e4148d3fdd079ef442c1a35e56b98d |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 5aa73e892fc7184600761028973884b0 |
| SHA1 | 93af9fcac00b7567a3a809c0cbaabd4962570395 |
| SHA256 | 2cc0ed7ab4148eb2217965a244fc6a3936471ff1fad9bf37b4360731569f4c0f |
| SHA512 | c15ec860f5468b499349f97e80f9c5da98dba85006c3edc027e2197656856640dd36e73482350316df55f06aca69494d631069f81d9257f156347f98245c1132 |
C:\VidQV\dobxec.exe
| MD5 | 992fabcaf0d7579e52229b1d3110aa87 |
| SHA1 | e6707e769a028ce9b5459dfd7566f6821ce865cb |
| SHA256 | f1758a637d727190391f914151aedc04ad4dda220ed6bbac3e2bcdcb96428d1e |
| SHA512 | 9d19c056fb51c7f77b7aa21960745c3032e8fcd8852cba9a50d074566ce3ca7b8a001d4443567cedb733df89a0e7bd14aa9da0785c3bf07ba8f4005b4a17dd14 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 22:02
Reported
2024-10-27 22:05
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
136s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | C:\Users\Admin\AppData\Local\Temp\3cdb7b48c091058418aaf6718ceec337e7b45d8f2f329003fe274c7ca5b41f5f.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| N/A | N/A | C:\AdobeLJ\aoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxZ7\\dobaec.exe" | C:\Users\Admin\AppData\Local\Temp\3cdb7b48c091058418aaf6718ceec337e7b45d8f2f329003fe274c7ca5b41f5f.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeLJ\\aoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\3cdb7b48c091058418aaf6718ceec337e7b45d8f2f329003fe274c7ca5b41f5f.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3cdb7b48c091058418aaf6718ceec337e7b45d8f2f329003fe274c7ca5b41f5f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeLJ\aoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3cdb7b48c091058418aaf6718ceec337e7b45d8f2f329003fe274c7ca5b41f5f.exe
"C:\Users\Admin\AppData\Local\Temp\3cdb7b48c091058418aaf6718ceec337e7b45d8f2f329003fe274c7ca5b41f5f.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
C:\AdobeLJ\aoptiloc.exe
C:\AdobeLJ\aoptiloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
| MD5 | f91b780dd53c40200aa50d4ed3a0af7b |
| SHA1 | cf855bc634656321e05151fba1fa617e7da5aa23 |
| SHA256 | 7de28e4a25a0c0f103e4a09dd328d6d71df9a7f604d62f109f1307cbe9295bac |
| SHA512 | 2aca783e770fdc023ce41979ac14b6072dbd4379e8e2a0af03345ce4e4c3377bc353b3c0fb77cabfe608ca505d1b975d48c61582831963373e3f9f0088392549 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | e6ea5db60f39685375521c82e079d17f |
| SHA1 | d68045657f6a2a625e3011277679c1f20341666e |
| SHA256 | 0800cc70ddc66a787c6a11fdc86ebc9668e71afc05d1b7e94dd5c1782a45473b |
| SHA512 | e0fb306b25d147d5943ef508ca1d8b566501489ec97d671a70494e065b9d66423e542aa05fe59161815a6a4976d9038f04a9aab27d21f5cb13ebd71e0ae3c8ac |
C:\AdobeLJ\aoptiloc.exe
| MD5 | 864fdc83d1197603df3c33bb8e164617 |
| SHA1 | a81ec053731e44de625dbb0f2294713c96884ee0 |
| SHA256 | 62e044453b68d54c6ba034794c844c69f67d8da8a6e04dc8d98fd215f0440277 |
| SHA512 | b7fe72ce61cc359bdd9f2d38df6957fceb7d9cd5e0546410e35279a31759eec905436eae353e975f59b5bf49f9301636fa8330b641e6fe3f9ff0a3d1c4845129 |
C:\GalaxZ7\dobaec.exe
| MD5 | ebce55bcdb242f52c3a86b850c007d16 |
| SHA1 | 3123d6e24ed5f7672a39dd702f97f84af922aa47 |
| SHA256 | 795c7612c0c0d789565d612b427b3cfe51cd9637057ec557ed7b70305678a281 |
| SHA512 | 3b51a7e49096643690fb49e006a73df70bff250a6437d3612a7a928cdc68a63b6eb4196db250ab1055f70868edf51cc0f35dea3274986b590f73bd4c14c9f236 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | cd38ef24ea5cb96f006d0e3ef07ca38e |
| SHA1 | c2bfbfb977f18d2d2385d2c2787530e7eb7cc2a7 |
| SHA256 | fcc08a61dacd021b1ac88428b2608c084391a0abcc97f563f688aa20c8e14aec |
| SHA512 | be282d7c62c6da2b1b666fdfffdfa5fdd10f2c9065f97a0f6a5f85731baa86fafdf48660cd06c496fb4e555502c01122b3f66d2654639e26af5193c6dceaa0c8 |
C:\GalaxZ7\dobaec.exe
| MD5 | e03ef66bdc7603e7d813402a3b1ab2eb |
| SHA1 | 0f660c65b0cddfad235364b3a1363ddab861e47e |
| SHA256 | 017ce49d69749cbc7eb6833f844c66c922d1930f70e367af54aadbb35c153a83 |
| SHA512 | 9e14ea3dde5cac40f32b9457281b6087b9baa7dd57d040cf0f936825706eee817273a67c3b5b634850dd283ca62fc46b893ae2631feb25ba53925b655d1ff676 |