Analysis Overview
SHA256
8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1
Threat Level: Shows suspicious behavior
The file 8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 23:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 23:31
Reported
2024-11-08 23:33
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | C:\Users\Admin\AppData\Local\Temp\8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| N/A | N/A | C:\FilesQQ\xoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesQQ\\xoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxRO\\dobdevsys.exe" | C:\Users\Admin\AppData\Local\Temp\8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesQQ\xoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe
"C:\Users\Admin\AppData\Local\Temp\8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
C:\FilesQQ\xoptiloc.exe
C:\FilesQQ\xoptiloc.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\FilesQQ\xoptiloc.exe
C:\GalaxRO\dobdevsys.exe
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 23:31
Reported
2024-11-08 23:33
Platform
win7-20240708-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | C:\Users\Admin\AppData\Local\Temp\8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| N/A | N/A | C:\AdobeY1\abodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeY1\\abodsys.exe" | C:\Users\Admin\AppData\Local\Temp\8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint2T\\dobxloc.exe" | C:\Users\Admin\AppData\Local\Temp\8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeY1\abodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe
"C:\Users\Admin\AppData\Local\Temp\8c08c21699e9f4436647a3c11ea36becd95e2bc567c24d3db9296b2432bf7df1N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
C:\AdobeY1\abodsys.exe
C:\AdobeY1\abodsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\AdobeY1\abodsys.exe
C:\Mint2T\dobxloc.exe