Analysis Overview
SHA256
c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299
Threat Level: Shows suspicious behavior
The file c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N was classified as: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 22:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 22:43
Reported
2024-11-08 22:45
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
98s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\IntelprocQU\xoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocQU\\xoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintT0\\dobxec.exe" | C:\Users\Admin\AppData\Local\Temp\c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocQU\xoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe
"C:\Users\Admin\AppData\Local\Temp\c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
C:\IntelprocQU\xoptisys.exe
C:\IntelprocQU\xoptisys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
| MD5 | 3b989ecf26c50a46f4f7623d2624c59b |
| SHA1 | d1c5d41a4ad561e0a49c1b4863251dfab850f315 |
| SHA256 | 97349ec3c0400e31f0e03205f45b85f32d063173b083506ff492a4bbe2bc8415 |
| SHA512 | f3c029f77b99785425b1135a957a0ecbb3419d2adba25c52b9af178d98ffe495c16fb774a30490c8b23d39af039576d7fc654b0d280cf77bc92fe5a779ad19c9 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 2709673bd08b72f4f47b12b4f3405b8a |
| SHA1 | 3bf67f7b7fd64fb31ad8fcf4ed23bf4f9da13f9c |
| SHA256 | f98e1c2ce745b2a7f645bc4ae033d830897e499af5856a46304bae3978678f52 |
| SHA512 | b309ddeae2dfb41b70137d3bd6034d2bbd095bd365248009c966b4801e6208557fb82cd3d63a895778a932ba69f717a156ae06143e0e19459c5f3d2b5eb359e9 |
C:\IntelprocQU\xoptisys.exe
| MD5 | 6f26e857617b98903d8ed3bf19d17298 |
| SHA1 | f654e9a15f686d0a406d9f6d94c3f3c3baf13e7a |
| SHA256 | 0837dd8460a0493948dac7de38e1c1a347552068448d31b4dcf7b867e0e7ea59 |
| SHA512 | 19d1cda7bae8ea5b58974abc6acac4f869c3aa94fc1aa29256ab503a8c291f10adc0ec5d081f1c8040f86f1f4f11dbc9d6a5bdfd3a0cbcd164b5e28b8e73abb3 |
C:\MintT0\dobxec.exe
| MD5 | 8def5ac95380a585c779833edfd24e26 |
| SHA1 | 438fecb34671a603222a25aa100bf5f2e425ba97 |
| SHA256 | 41da38ee5d1348f7448610c7b5fad753578d3ed084abc7771c111e4f62ccb61d |
| SHA512 | 4fb8f25346c018ddd3e6b7a66c09f6bb2e99d60676eecfdd56c081b8036456f3c9f9e3912d6a7b3b692be24b8b7d42913163bad6eb09b268dd56f92fcf665674 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 8359f7dfbb447609d29bae8ab8981745 |
| SHA1 | a7a798bd23a3c976c3b61228f0807610a64f447c |
| SHA256 | 3bc846958271fcb0496898b2c710e818a31630e1fc3bd6de34ae5f212905371a |
| SHA512 | 1c162f7caee94c8a070beca9bb95b9c2b31f6589350601b9052bfcb9b8029a3c9cee23ab95593d692d5fabbf51786fc59424132da2c83997a2ade55d566fdb31 |
C:\MintT0\dobxec.exe
| MD5 | 99f664cef21bf11cfb2444ea4ea591b3 |
| SHA1 | adedae24e9abf604ec347df9b67caca443742111 |
| SHA256 | 6bdaf4a24d60fda99be9bf1fa552c56fe6615a8d008a7b349db25aa4793cd95a |
| SHA512 | 39eaa74f5f614299b36da6305f16e145da98f94cc5d9f6242962abdcbfa52f5a1f73e1d105e36c84f55ea6ccb6bebb86cbacc147ad23eb3b0a798ee99cd81ef9 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 22:43
Reported
2024-11-08 22:45
Platform
win7-20240903-en
Max time kernel
119s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | C:\Users\Admin\AppData\Local\Temp\c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| N/A | N/A | C:\FilesOI\xbodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesOI\\xbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZXO\\optixloc.exe" | C:\Users\Admin\AppData\Local\Temp\c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesOI\xbodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe
"C:\Users\Admin\AppData\Local\Temp\c78b0c41024d36bf53919740f92f2ba426009d97863a54f73f721f27454a7299N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
C:\FilesOI\xbodsys.exe
C:\FilesOI\xbodsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
| MD5 | eafe31c88a6e1eedae6fc315246c6ca2 |
| SHA1 | db96b6d9a974d40f3a3631924d5553f10e7f9bdb |
| SHA256 | afd30ed293bf9a0ec52938f88a20ec70f099e911971176ced0573907979eafc6 |
| SHA512 | 867c0632b31672e1eacb1b304c8e7bde10205e89eef6ea85b69874285be5aa72252d16f0b267f7fc47159beb2eaba5bd81202378a95ca364b292362a8a8a2f1c |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 7de7daa834d985338fd5363e3909a780 |
| SHA1 | 2ae121abd7b09b761b269821ef8a2c8670ff2d36 |
| SHA256 | 0493f2b7906b2e219a826b6d7a3f9bc023f92a8d00048f5b25240eb58534e246 |
| SHA512 | f82d3a24e0f964dcca1b050e85aeca5da1ef5d381bbce00b1cdf3b84e3c1526762bc4f293abbc983e9b1c5a70b04b68eabcd54a1db3273d5e910d92ba6358f4c |
C:\FilesOI\xbodsys.exe
| MD5 | 6bf7aa7fee43a12b95634594558629b0 |
| SHA1 | 959ae81126f770f1e2dd5a18b4db938c0cabb654 |
| SHA256 | 72aaf02b37cc80c3ac36ed833a7bf2ac022a7e8e7e60866a8161a0ac1b9be82b |
| SHA512 | b8a21f5a62dd739a5f668082852dceacd7717ab42572324e24345869b606b1c0289551e34d839628be382ad8e6dd9cbd005f71bd94a1963c75c20d3319b63dc4 |
C:\LabZXO\optixloc.exe
| MD5 | fff970666cb81406f64eb2524977628e |
| SHA1 | e8cd2c9860fc6f9f0a8ed2d7592e4029d546a8b7 |
| SHA256 | 801f2f0e169eb0c246a2cb10391861a6588f03a97073b567ce73d5451b7cddc2 |
| SHA512 | 9414bee49c23a37d6954c329e1cedb690332af9af580d5568be39b120e82201bd542d503e048617e180e36650343c263ed6b5be85074faff1a70fcd7ebe56923 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 4264b2019848f93783ef5182b9e658fe |
| SHA1 | 26cdd31c24a2d0274870434ff39a8de2ed2f531a |
| SHA256 | 4938401bcee272ba3d1bb312e3cf4880951fb68d3170b22a8cfe6fdcdcdf2288 |
| SHA512 | 1d4260524883a355b2d56b57444114c2fe9a1f93e099188b83071a45b3763e4b8692ef9e77d4c10f4936064fb76e8c57b54aa5bbce410f1f4b5c3b133adfea96 |
C:\LabZXO\optixloc.exe
| MD5 | bd242d47d03ae802f56329b60209944a |
| SHA1 | 6d66bd7ad6fb281ef63e77bdeb3ff8759985f125 |
| SHA256 | dbc9567d575ff0b51a23aa0380a0c0552176f7796bffa4421a2c0516c0e1ab66 |
| SHA512 | ad960782703fa5515b017c45895bce8e7d8159cf013229441131f216d247394a292c08f0a811e331a139b4750c5e435cbdba1f611c8073549579fa1900b17caa |