Analysis Overview
| SHA256 | f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4ef |
Threat Level: Shows suspicious behavior
The file f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Reported | 2024-11-08 22:22 |
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-11-08 22:22 |
| Reported | 2024-11-08 22:24 |
| Platform | win7-20240903-en |
| Max time kernel | 119s |
| Max time network | 17s |
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | C:\Users\Admin\AppData\Local\Temp\f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| N/A | N/A | C:\UserDotAX\xdobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotAX\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZD3\\dobxloc.exe" | C:\Users\Admin\AppData\Local\Temp\f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotAX\xdobec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe | "C:\Users\Admin\AppData\Local\Temp\f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe" |
| C:\UserDotAX\xdobec.exe | C:\UserDotAX\xdobec.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
| MD5 | effb5f2b1ebc23df7eefa1857f06e30b |
| SHA1 | 4fcc32dd3c93dd2c6f6b87dae6b65ba64ece4ae6 |
| SHA256 | 49219336c8318e0671610f08849948b291108e65afcce282d76d71a926ad46f9 |
| SHA512 | bed6221eaa1bb658b0ec6db6e145e0da981e522483e8f484effa85184e01cea3b9a780503f4ace865806ddddd6599a36def7ed90c0cc021460f681b499ec5d43 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | bda33358b509794634c212f541471029 |
| SHA1 | a52975d24e201266f1e386416d349e93fdef1a10 |
| SHA256 | 5297b3245b821085c0e9d1618002d5e2cbc939c5a87f8804d1ec7af70b850306 |
| SHA512 | d9d974aa57cc97bf2f7d4cbe1514911440aa785bae15e83f594fd44320dc7a37c3cf47788d499cd1dcf33ad8ae3475229d468c8adaf5eb18021615e4e47e2703 |
C:\UserDotAX\xdobec.exe
| MD5 | 3d90dcd573832f834e485ff6865a03cb |
| SHA1 | ab602a63d65db68732311774422786b8296af452 |
| SHA256 | 54ce01ed7606e61f5d82a98f1e68ca8fb797c8abd983c0ea6d72404e9dd7b749 |
| SHA512 | d4f3ba7eabcc96ca86f5c38ca5fc145eaa085e50a297ed0c3b23f28ad7900e8b737a74bb0de86235db0769ee1ab214fde218d39a376853c076b96ca648e4dc4b |
C:\LabZD3\dobxloc.exe
| MD5 | ee6a56762852aecd2d6e1b8c3f388bef |
| SHA1 | 335046e007df26e7353ae96f26098a32fd3a96b8 |
| SHA256 | e0130f358a9156ba8374f79119db8a7d50e70de9cf2e0ce46b96497691fb90f8 |
| SHA512 | f7ffe6edcd47ca077547e9185338167d961ca85a75f79889325a528121f97f9725f4eaf0bb393d7185d5a9974ed18abc0f314154449fbd3e48b2f9ac9e3cf694 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | a2f18086ca5853c9103494318563810d |
| SHA1 | 3dcad6388185cea472201aaac88f0c6fb2f48898 |
| SHA256 | a6dfa849764a256889dfd14cd39099081bd1fb1ad806bdc8b80ade38257762db |
| SHA512 | 8a372804e4637d04ce283b1b79f38eda7bdaab715da5e8a68b53e40a2a1fb50e7d6b7b34157a959f7819421f2d2a36bb7b4f6483336a903632743028cab17c09 |
C:\LabZD3\dobxloc.exe
| MD5 | bbb0c6c7a6c67897de19645899e1f24c |
| SHA1 | d88cb22274569cf1d91dd90377b9e3ff0847e30b |
| SHA256 | b799981257aea423acc7a25c2eee236218ef9fd5e8599ad8d53843fa9ad52e2e |
| SHA512 | 0f34cbdcaab51355fca0a07866b575ae80554a1722f5e31dd3d2ab6b07f43295850fdb90efbcea49b02a905362b5fba2b3917258e6c0a51ffc5ce3a08873c249 |
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-11-08 22:22 |
| Reported | 2024-11-08 22:24 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 120s |
| Max time network | 97s |
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | C:\Users\Admin\AppData\Local\Temp\f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| N/A | N/A | C:\UserDotBI\abodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotBI\\abodsys.exe" | C:\Users\Admin\AppData\Local\Temp\f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidQX\\optidevec.exe" | C:\Users\Admin\AppData\Local\Temp\f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotBI\abodsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe | "C:\Users\Admin\AppData\Local\Temp\f3639298c946669bfed2959ec1bac553e9afc053a91e5d9d22c023797905d4efN.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe" |
| C:\UserDotBI\abodsys.exe | C:\UserDotBI\abodsys.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
| MD5 | 2eed14689fd0de57ea523cd36b4d2532 |
| SHA1 | d82f7c6d1f04619eae9b6ed48396978446e6ee5e |
| SHA256 | e1f46e2748d0a14d40654f76cb40c91137f669d52bb27b3c4cff36cb97c080d6 |
| SHA512 | 4adeb8b62ec3eee9050a01d4dc7dfe9d1b5a345d93ad76eba3fff3735d6b9eca03dc20ea1e6c380b5757684744056b2be0be67059551e3a3e4ae1c1b257ce5c5 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | a03ef2cc9e7f4d9e6a59dba84d68e1f3 |
| SHA1 | 432d7c2c7b4de2264b59f86e96404f7bd285a118 |
| SHA256 | 1e0c50f932cafe8141310deb5c89b3f418c92781c2d8aefc442503c12b69fc85 |
| SHA512 | 810e9248023b55f9a08eec365a19cd3fcec3b71158ee510ca026587fd6c079ff2fb2e772ceefca9db23dcb941f8497ed76ffc81177ba902c331f1516fc757316 |
C:\UserDotBI\abodsys.exe
| MD5 | 12f25a7475deb27ed1c7ba2abd7760c3 |
| SHA1 | 81432be178d9c134a354ff0cc96fa692d48bfa91 |
| SHA256 | 377ba83ba13124a6838b1c6d595bdedafd8d941394d202a678449a01976481e8 |
| SHA512 | c2c052efac626bf81fb22548859df986096300445a29a77efd85186e8ca4b255812414c4909723ed38053f1db401ccd3a487a75ad0e9bf09a9437b0d9bba44fe |
C:\UserDotBI\abodsys.exe
| MD5 | 4bca11723d3341ab8cbc4889ff742371 |
| SHA1 | b97db9a5424d228c0eb864538e0aa7215d61db53 |
| SHA256 | 78ae174811d6a4eb55834c6508c475b31ad2da4e18e74ff9a01befb54e7474b8 |
| SHA512 | 89c79afaf4fdd4845046251a451c387a52adee42d23f6610ca3cca4fb3161a1059885ed1dbdbc5814da6df5f2f194e7ca51e3d92339febe72afe51d3569d0134 |
C:\VidQX\optidevec.exe
| MD5 | c0c2eb0225f18417822dd98a1cb54094 |
| SHA1 | 9b5a7c21c4e1bd35e1ec2eeaf198a451d90bca2c |
| SHA256 | c42e2fe350e4cd91c27aa81f1888da5236dbcb579de9961d515b36be4e0e46ef |
| SHA512 | 111abd79181889d49911bb3a0821a58394b3bcef6eb850846ff9b2c8b56071106dcfa03f190d88bb5b249e53b794c40444a75071eff184e9f2378188c0c281f6 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | c15253e2da3aa59e318db7dd9f19d804 |
| SHA1 | 59e378807e33569fcf47ec708103a5d1ea381a4e |
| SHA256 | a81a5abe41743aa49cc4afe3a3aacf9fd0d00e0f22ca21b83dc0b8a6047e2841 |
| SHA512 | f6cd8615188f425ec062459518d86c8b9a50f5f0b2926cc4e3fb2c6bba030fc43e851aa8f6a7f050f1297a68c6d1e78bff9b5b8c8f3600f42e7b28b1d8699207 |
C:\VidQX\optidevec.exe
| MD5 | 45487bdf32a00d792f6b4281499548a8 |
| SHA1 | 3f96bffe068fdbc7ecaedf9b342fb4f553220fe2 |
| SHA256 | 711e32a255f116bb63cc1e30cb9c39780ca75dcdc721a7030ad660843adfdd7c |
| SHA512 | 161a61acd5a96811e242fafc197434df0af3b35fba194f64e08b88c01682e512d5175ed397d5194a9eebf24014435b8bb16bb7acdbc78ed5d5c9fc60d8ada11b |