Analysis Overview
SHA256
3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772
Threat Level: Shows suspicious behavior
The file 3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N was found to be: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
The signatures below map to T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder) for the Run/RunOnce values and the Startup-folder drop, and to T1614.001 (System Location Discovery: System Language Discovery) for the reads of the NLS\Language key.
Analysis: static1
Detonation Overview
Reported
2024-11-08 12:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 12:59
Reported
2024-11-08 13:02
Platform
win7-20240903-en
Max time kernel
120s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | C:\Users\Admin\AppData\Local\Temp\3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| N/A | N/A | C:\UserDotN4\xdobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotN4\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBH0\\dobaloc.exe" | C:\Users\Admin\AppData\Local\Temp\3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotN4\xdobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe | "C:\Users\Admin\AppData\Local\Temp\3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe" |
| C:\UserDotN4\xdobec.exe | C:\UserDotN4\xdobec.exe |
Network
No network traffic was recorded for this run.
Files
Two paths below, C:\Users\Admin\253086396416_6.1_Admin.ini and C:\KaVBH0\dobaloc.exe, are listed twice with different hashes: each was written more than once with different content during the run, so every listed hash is an indicator for that path. The .ini name embeds the Windows version (6.1 here, 10.0 in the Windows 10 run) and the user name, so match it by pattern rather than by exact name.
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
| MD5 | eb64773dc200cc8a3ba0544dff503e1a |
| SHA1 | dc22661573c1afbde30b76ef5d232b250c4d4dad |
| SHA256 | 0d947406379c9cb94809f247d67213e12a462855f678028c51d0398d90dd1355 |
| SHA512 | a6ed2972582d87108058f54ad6603949209833ca9829dff4b33cd2c7380fc5f751050324e75a9b1ca69eb93bd4ab3f5b5ea63ad359700ac0dc6dedf825310cf8 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 89070966b6b92934c99f0d088a167acc |
| SHA1 | f1ebbb71c6560fb310fb500674ea97d5a4d51dc5 |
| SHA256 | fba341ba03c8aad9cdfe55815fa94cff29a812b23ae695b0acc42e54090a3f33 |
| SHA512 | ca1a0314d0b6d9018cf0b07a397ab5513a52314d5461783f23f1d593f9983f2baf65829c5b620c5e5773e6715e7598975c67d12a62eb5732891bd34d035644af |
C:\KaVBH0\dobaloc.exe
| MD5 | 86b64dec647fc6561ca3c3be840e179f |
| SHA1 | 5065a325a3ae69b7d81fa0cfad86c6ae8dbdba95 |
| SHA256 | 08904d00fb6dc543e7a286896fea330f5ccd0148403289cb7652524602db62f5 |
| SHA512 | 7172976d33e7fefb4f446bccb0a5371eceb18bab7c117d1031900cb7f5c649734b2acb0fcf875cf941b948e349b549399ac8e7d218c7ecf216ab8141aae0b587 |
C:\UserDotN4\xdobec.exe
| MD5 | f1ca6d163b5377cdd9a3a98e1765cb5f |
| SHA1 | 20c71eda1f5a09aed1b2ceb50e07884be120c8ef |
| SHA256 | 0f98ea63fe435bc54c61759dcfe3573402306098a5288a501eea860188c30ab6 |
| SHA512 | 517a207bee6f486114f4ba78c6d51e7c2f403ccb1572bdc2d4d90c9d3bd621a8cece436af04f7cf8a6286fc9463de9ec87b4dcf52fa6bb5f4d401553208abd62 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | bc99c067013cf34b39ba2e513a4e3cd7 |
| SHA1 | 4a83d035bb79be79515f4370adcca94f0b63664a |
| SHA256 | d4e71924a131d263a99f29cee1ac1019b5e84b7e0e6d4b7d4bc9a6d63f8aa875 |
| SHA512 | 4ae9bae45b6112f9ef3fce443c2c2c9ad415afcb2dd558e435ad4366500ed5d2c5831acf3468389758fb076bd51222d575de70092a94b126f14f8fe95ce187a0 |
C:\KaVBH0\dobaloc.exe
| MD5 | df5443419d7cff3adb8c744c5b5cd6b5 |
| SHA1 | 2b16f6d55ad4115ec7f2d05c3dde6c66b65081d9 |
| SHA256 | bc91e48d324bec3306bdedff504df65e01b12b51e2469ce2dbf383764ac18760 |
| SHA512 | cd8e12f3bdf65417072badd00da64a76c62998eeb1f60df0130315ffa34eebf054b22cf100db29b49efebf825af1d27dff30affffba57490e116a9fb562ddc83 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 12:59
Reported
2024-11-08 13:02
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
94s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\Intelproc6Y\xoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc6Y\\xoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZQK\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe | N/A |
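Both detonations record the same persistence pattern: an executable dropped into the user's Startup folder, a Run value named Parametr pointing at a newly created directory directly under C:\, and a RunOnce value of the same name pointing at a second one. The following Python is an added example, not part of the sandbox report or of the sample, that parses indicators in the report's `key = "data"` form and flags that pattern over a constructed event list. The event layout, the benign SecurityHealth entry and the trusted-directory list are this example's assumptions; the indicators themselves are taken from the Windows 7 run above.

```python
"""Flag the persistence pattern seen in both detonations above.

Added example, not part of the sandbox report. Events below are constructed
in the report's own indicator format; the benign entry, the event layout and
the trusted-directory list are this example's assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Value name used for both the Run and the RunOnce entry in the report.
KNOWN_VALUE_NAMES = {"parametr"}

RUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\(?P<hive>run|runonce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
STARTUP_EXE_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\microsoft\\windows"
    r"\\start menu\\programs\\startup\\[^\\]+\.exe$",
    re.IGNORECASE,
)
# Where a legitimately installed auto-start target normally lives (assumption).
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


@dataclass
class Finding:
    technique: str  # ATT&CK technique id
    process: str
    detail: str


def parse_set_value(indicator: str) -> Tuple[str, str]:
    """Split '<key> = "<data>"' as the report prints it; the report doubles
    backslashes inside the quoted data, so undo that."""
    key, _, raw = indicator.partition(" = ")
    data = raw.strip().strip('"').replace("\\\\", "\\")
    return key.strip(), data


def executable_of(data: str) -> str:
    """Program path from a Run value's data, with any arguments dropped.
    Accepts both "C:\\dir with spaces\\a.exe" -arg and C:\\dir\\a.exe -arg."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def check_run_value(indicator: str, process: str) -> Optional[Finding]:
    """Flag a Run/RunOnce value whose target is outside the trusted
    directories or whose value name matches the report."""
    key, data = parse_set_value(indicator)
    m = RUN_KEY_RE.search(key)
    if not m:
        return None
    exe = executable_of(data)
    reasons = []
    if not exe.lower().startswith(TRUSTED_PREFIXES):
        reasons.append(f"target outside program directories: {exe}")
    if m.group("name").lower() in KNOWN_VALUE_NAMES:
        reasons.append(f"value name {m.group('name')!r} matches the report")
    if not reasons:
        return None
    return Finding("T1547.001", process,
                   f"{m.group('hive')}\\{m.group('name')}: " + "; ".join(reasons))


def check_file_create(path: str, process: str) -> Optional[Finding]:
    """Flag an executable created inside a user's Startup folder."""
    if STARTUP_EXE_RE.match(path):
        return Finding("T1547.001", process, f"executable dropped into Startup folder: {path}")
    return None


def scan(events: List[Dict[str, str]]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        if ev["type"] == "set_value":
            f = check_run_value(ev["indicator"], ev["process"])
        elif ev["type"] == "file_create":
            f = check_file_create(ev["path"], ev["process"])
        else:
            f = None
        if f is not None:
            findings.append(f)
    return findings


SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe")
SID = "S-1-5-21-3290804112-2823094203-3137964600-1000"
# Constructed event list: the behavioral1 indicators from the report plus a
# benign Run value (assumption) that an audit must not flag.
EVENTS = [
    {"type": "file_create", "process": SAMPLE,
     "path": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ecadob.exe"},
    {"type": "set_value", "process": SAMPLE,
     "indicator": f"\\REGISTRY\\USER\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Parametr"
                  ' = "C:\\\\UserDotN4\\\\xdobec.exe"'},
    {"type": "set_value", "process": SAMPLE,
     "indicator": f"\\REGISTRY\\USER\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Parametr"
                  ' = "C:\\\\KaVBH0\\\\dobaloc.exe"'},
    {"type": "set_value", "process": "C:\\Windows\\explorer.exe",
     "indicator": f"\\REGISTRY\\USER\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth"
                  ' = "C:\\\\Windows\\\\system32\\\\SecurityHealthSystray.exe"'},
    {"type": "file_create", "process": SAMPLE,
     "path": "C:\\Users\\Admin\\253086396416_6.1_Admin.ini"},
]

if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f.technique, f.process.rsplit("\\", 1)[-1], f.detail)
```

The location check is the part that generalises: the value name Parametr is specific to this sample, but a Run or RunOnce target outside Program Files and the Windows directory is worth reviewing whatever it is called, and an .exe created under the Startup folder is flagged regardless of its name.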
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Intelproc6Y\xoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe | "C:\Users\Admin\AppData\Local\Temp\3f8464c1cc0294ff11d73d0d057993df77a8f5b0741012eef6da9441d7b9e772N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe" |
| C:\Intelproc6Y\xoptiloc.exe | C:\Intelproc6Y\xoptiloc.exe |
Network
All recorded traffic is DNS over UDP to 8.8.8.8, and every query is a reverse (PTR) lookup under in-addr.arpa; no forward lookups and no non-DNS connections were recorded. The report does not attribute these queries to a process, so on their own they cannot be tied to the sample.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
As in the Windows 7 run, two paths below, C:\Users\Admin\253086396416_10.0_Admin.ini and C:\LabZQK\bodxloc.exe, are listed twice with different hashes: each was written more than once with different content during the run, so every listed hash is an indicator for that path.
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
| MD5 | e6a91c807c0f6db73716bc68049c3d5b |
| SHA1 | 2ff33c23eb21e5b07686569017d63cba27200684 |
| SHA256 | f56fc33525e8dc582c64d15e78b80f8024831f842fe048ee13ecbb0c3973f367 |
| SHA512 | 954ac4a2645af7b0184b6fff5aef866658e7e93a695f85d43ebaa8052d48ee1216f627c6fa71fed8bd5ffe91dcaef69e8b07fa2d6b02b4ea50690e67907bdd36 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 9b9da5991f68ce879aab33c91e3ed676 |
| SHA1 | 290ed55f7b65ba5bdbc1d9c778d0e9062c0f2a34 |
| SHA256 | ab3bd087fec7551afef258c923f95f2db59ea9f9a39b5f713b1b2a3a2092eb4e |
| SHA512 | 32d233ef65043207b10d7cc89969c27ccd06faa8e3ef10963188bb7ba199c3848a6ee6e955b34e9a8ac728560070ebdd0404e7012287bf6c4bf693db1c03548d |
C:\Intelproc6Y\xoptiloc.exe
| MD5 | 133e3aa62a4f5b8d484640f5b695e9ea |
| SHA1 | 55b19c8b0c35a91af4798fa198e53edbcbd7be08 |
| SHA256 | 905d5fcfd5cca2ea0140ed260b82c77f715c05cd8fb189587a9408356d0c20a2 |
| SHA512 | 2abc6936076b6e7095aa920adc86997921578e3349a3930eb3d9f9f0eda07a12a0438c91268c6bc173cba784fa90547487bda482f73071414c6a317b106183ed |
C:\LabZQK\bodxloc.exe
| MD5 | 41de40a79781386cd565f96a1bf86add |
| SHA1 | e6f570e175ab099a4b33799423d6a44885562e4f |
| SHA256 | 09773ad1b2aa931c35dfdf509b076148e51de800e49517bc41ec3f6f9bd85b1f |
| SHA512 | f1b7182e9c3f2a756cd6dcfe71b76f5ee041bb5c56d8db69f53c0e2d901785f248fdad59331a39890d2d67934d9767cc11276945de8cb7cee463345e401fb0f4 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | be43caed81e77a04905770d1c9cb2d8c |
| SHA1 | 2b971fc541e031386ee289b143f5c962124dcc4c |
| SHA256 | b233dbac69bdeb9c747161490d22ce43d2c50d77fa21b1c625b3729ee8c23f31 |
| SHA512 | 944b45ae5bcfc76813eef8bd213dbedaca8f23a64a3747f6e59253abe4804fbaa38e860309156fa19a59f2d992abccf6115595e88f1b4b3d58f3c8ee76c6b983 |
C:\LabZQK\bodxloc.exe
| MD5 | 4a6907c42a18aea34c678ce306c1842a |
| SHA1 | 8784d2c3affb1de74bfa04c78602fb28648214b5 |
| SHA256 | 792d194047ce45761ea22696affda1b9f214b313f7acc1d3bdaf96b7edf5b8e1 |
| SHA512 | b3535b5817359e2f04806d45f519ee7b0fec68e0a7455081c892f7fd58a718cc7611ad24eadb5a9aa93a53f6efddde18512f7a1069f0ea796d9e4b6e209d41ad |
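The Files sections of both runs list some paths twice with different hashes, which is easy to miss when copying indicators by hand. The following Python is an added example, not part of the sandbox report, that parses a Files section in the form printed above (a path line followed by one `| ALGO | digest |` row per hash), rejects digests of the wrong length, collects the SHA256 set and reports paths written more than once. The sample text is the behavioral1 Files section copied from above; the parser and the checks are this example's own.

```python
"""Turn a Files section of the report into IOCs and spot rewritten paths.

Added example, not part of the sandbox report. FILES_SECTION is the
behavioral1 Files section copied from the report; the parser is this
example's own.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

HASH_ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
HEX_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

FILES_SECTION = r"""
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
| MD5 | eb64773dc200cc8a3ba0544dff503e1a |
| SHA1 | dc22661573c1afbde30b76ef5d232b250c4d4dad |
| SHA256 | 0d947406379c9cb94809f247d67213e12a462855f678028c51d0398d90dd1355 |
| SHA512 | a6ed2972582d87108058f54ad6603949209833ca9829dff4b33cd2c7380fc5f751050324e75a9b1ca69eb93bd4ab3f5b5ea63ad359700ac0dc6dedf825310cf8 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 89070966b6b92934c99f0d088a167acc |
| SHA1 | f1ebbb71c6560fb310fb500674ea97d5a4d51dc5 |
| SHA256 | fba341ba03c8aad9cdfe55815fa94cff29a812b23ae695b0acc42e54090a3f33 |
| SHA512 | ca1a0314d0b6d9018cf0b07a397ab5513a52314d5461783f23f1d593f9983f2baf65829c5b620c5e5773e6715e7598975c67d12a62eb5732891bd34d035644af |
C:\KaVBH0\dobaloc.exe
| MD5 | 86b64dec647fc6561ca3c3be840e179f |
| SHA1 | 5065a325a3ae69b7d81fa0cfad86c6ae8dbdba95 |
| SHA256 | 08904d00fb6dc543e7a286896fea330f5ccd0148403289cb7652524602db62f5 |
| SHA512 | 7172976d33e7fefb4f446bccb0a5371eceb18bab7c117d1031900cb7f5c649734b2acb0fcf875cf941b948e349b549399ac8e7d218c7ecf216ab8141aae0b587 |
C:\UserDotN4\xdobec.exe
| MD5 | f1ca6d163b5377cdd9a3a98e1765cb5f |
| SHA1 | 20c71eda1f5a09aed1b2ceb50e07884be120c8ef |
| SHA256 | 0f98ea63fe435bc54c61759dcfe3573402306098a5288a501eea860188c30ab6 |
| SHA512 | 517a207bee6f486114f4ba78c6d51e7c2f403ccb1572bdc2d4d90c9d3bd621a8cece436af04f7cf8a6286fc9463de9ec87b4dcf52fa6bb5f4d401553208abd62 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | bc99c067013cf34b39ba2e513a4e3cd7 |
| SHA1 | 4a83d035bb79be79515f4370adcca94f0b63664a |
| SHA256 | d4e71924a131d263a99f29cee1ac1019b5e84b7e0e6d4b7d4bc9a6d63f8aa875 |
| SHA512 | 4ae9bae45b6112f9ef3fce443c2c2c9ad415afcb2dd558e435ad4366500ed5d2c5831acf3468389758fb076bd51222d575de70092a94b126f14f8fe95ce187a0 |
C:\KaVBH0\dobaloc.exe
| MD5 | df5443419d7cff3adb8c744c5b5cd6b5 |
| SHA1 | 2b16f6d55ad4115ec7f2d05c3dde6c66b65081d9 |
| SHA256 | bc91e48d324bec3306bdedff504df65e01b12b51e2469ce2dbf383764ac18760 |
| SHA512 | cd8e12f3bdf65417072badd00da64a76c62998eeb1f60df0130315ffa34eebf054b22cf100db29b49efebf825af1d27dff30affffba57490e116a9fb562ddc83 |
"""


def parse_files_section(text: str) -> List[Dict[str, str]]:
    """One record per listed file: {"path": ..., "MD5": ..., "SHA1": ..., ...}.
    Any non-empty line that is not a hash row starts a new record."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_ROW_RE.match(line)
        if m is None:
            current = {"path": line}
            records.append(current)
            continue
        algo, digest = m.group(1), m.group(2).lower()
        if not current:
            raise ValueError(f"hash row before any path: {line}")
        if len(digest) != HEX_LENGTHS[algo]:
            # A truncated copy of a hash is worse than no hash: refuse it.
            raise ValueError(f"{algo} for {current['path']} has {len(digest)} hex digits, "
                             f"expected {HEX_LENGTHS[algo]}")
        current[algo] = digest
    return records


def rewritten_paths(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Paths that appear with more than one SHA256: the file was written at
    least twice with different content, so every listed hash is an IOC."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for r in records:
        if r["SHA256"] not in seen[r["path"]]:
            seen[r["path"]].append(r["SHA256"])
    return {p: h for p, h in seen.items() if len(h) > 1}


def sha256_iocs(records: List[Dict[str, str]]) -> Set[str]:
    """Deduplicated SHA256 set for a blocklist or a retro-hunt."""
    return {r["SHA256"] for r in records}


if __name__ == "__main__":
    recs = parse_files_section(FILES_SECTION)
    for path, hashes in rewritten_paths(recs).items():
        print(f"{path}: written {len(hashes)} times with different content")
    print(len(sha256_iocs(recs)), "unique SHA256 values")
```

Run against the Windows 10 section instead and the same two kinds of path come out (the .ini and the RunOnce target), which is the cue to treat the per-run directory names and the .ini name as variable and hunt on the pattern rather than the exact strings.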