Analysis Overview
SHA256
cc6d485e83338c90c97eb89df9ad0eff119222941bf282bd0f0cf9fd9de7ba86
Threat Level: Shows suspicious behavior
The file cc6d485e83338c90c97eb89df9ad0eff119222941bf282bd0f0cf9fd9de7ba86N was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 22:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 22:29
Reported
2024-11-09 22:31
Platform
win7-20240903-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | C:\Users\Admin\AppData\Local\Temp\cc6d485e83338c90c97eb89df9ad0eff119222941bf282bd0f0cf9fd9de7ba86N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| N/A | N/A | C:\IntelprocHC\xdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cc6d485e83338c90c97eb89df9ad0eff119222941bf282bd0f0cf9fd9de7ba86N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cc6d485e83338c90c97eb89df9ad0eff119222941bf282bd0f0cf9fd9de7ba86N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocHC\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\cc6d485e83338c90c97eb89df9ad0eff119222941bf282bd0f0cf9fd9de7ba86N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidQP\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\cc6d485e83338c90c97eb89df9ad0eff119222941bf282bd0f0cf9fd9de7ba86N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocHC\xdobsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cc6d485e83338c90c97eb89df9ad0eff119222941bf282bd0f0cf9fd9de7ba86N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cc6d485e83338c90c97eb89df9ad0eff119222941bf282bd0f0cf9fd9de7ba86N.exe
"C:\Users\Admin\AppData\Local\Temp\cc6d485e83338c90c97eb89df9ad0eff119222941bf282bd0f0cf9fd9de7ba86N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
C:\IntelprocHC\xdobsys.exe
C:\IntelprocHC\xdobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
| Hash | Value |
| --- | --- |
| MD5 | f945d462e8f0a3f25514b9ad86ae8d10 |
| SHA1 | 6cc99829026c5bbb424a5b5ce99540a32efdb2ab |
| SHA256 | c326c57d1073c47a8a4830c915a69b22feb8525c6a6f95f5bcde3d6af4415e2a |
| SHA512 | b9017a7b9ed274abc937af9be0a564a957aa0c126735833484e5f543736452ef2d8a23a011f7a83780f7624dfa6c3ff6b01fe25d8d224b7e10e6a696e917db04 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 9454bee31b3795e04256fcbd4e290042 |
| SHA1 | 3e57545cf71bae5f685a5e0bd81a4772e91ef56f |
| SHA256 | d5a2b70eecaf935ff758e6e99ec2006a225839ea1df1721ac9fa609724f7c5bd |
| SHA512 | 837cbcd73670b4024e286b81576ec85eb5c610780e92196f1c2ac29be09984b6ebbadef576dfc6742f9b6cfb279068c20f017b24884e17fce2237e6d1480d96b |
C:\IntelprocHC\xdobsys.exe
| Hash | Value |
| --- | --- |
| MD5 | 47ef1294f88064b6c95b7c4970f0af2f |
| SHA1 | 6a94d23f957e06b746fe4f35abf54e008fb18801 |
| SHA256 | f6e26f9428e794a326733b83d5f50f8159561cca1af2022ab0409ae62905b57c |
| SHA512 | d9afc447ac3a923671c339a3913de0ad2142cf20db7375f1c0851770dc36a653869f4e2c6711c61105e2b1140db0bb0e9251a197f3c07cda60946dbf9ceb05b1 |
C:\VidQP\bodxloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 453bd79cca27ce7936d7feb20333da32 |
| SHA1 | 654d6b8862420f3ae49f62280e366be0dc11d6c9 |
| SHA256 | 315f58516f760e7f86b1918e01636e1e417997da1a48efee0a2d656760bf61bb |
| SHA512 | cf87b5cad2ccd83d8b80d95ef5139f024ccdcec30c00cba08ebca2c875ad6e35cbf20c43cc5fc114bfb9c6f7e2392b77be65e2bb4d35efd7b7226d24f1b8e2f9 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 2af94f48ff9dced27a3785d72af884de |
| SHA1 | 101c9119bfde9d5c7b27717d3caa9a7c46d5ad6f |
| SHA256 | b336db40b6ed0dbe9bd11f7165592775b4f05b484dd75bb06096af29b785586f |
| SHA512 | d3c0c78dae55a5ed12f88309a4fed8746a30f2324ea0bdd4f153d88dfe86d52e09d7496854b4186f27203336fa150161ff5e51d3a77c62c61696a3fe38bd3555 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 22:29
Reported
2024-11-09 22:31
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
98s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | C:\Users\Admin\AppData\Local\Temp\cc6d485e83338c90c97eb89df9ad0eff119222941bf282bd0f0cf9fd9de7ba86N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | N/A |
| N/A | N/A | C:\AdobeK6\xbodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeK6\\xbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\cc6d485e83338c90c97eb89df9ad0eff119222941bf282bd0f0cf9fd9de7ba86N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ3F\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\cc6d485e83338c90c97eb89df9ad0eff119222941bf282bd0f0cf9fd9de7ba86N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeK6\xbodloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cc6d485e83338c90c97eb89df9ad0eff119222941bf282bd0f0cf9fd9de7ba86N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cc6d485e83338c90c97eb89df9ad0eff119222941bf282bd0f0cf9fd9de7ba86N.exe
"C:\Users\Admin\AppData\Local\Temp\cc6d485e83338c90c97eb89df9ad0eff119222941bf282bd0f0cf9fd9de7ba86N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe"
C:\AdobeK6\xbodloc.exe
C:\AdobeK6\xbodloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locaopti.exe
| Hash | Value |
| --- | --- |
| MD5 | b4b8e8413c76171d4ee19cda6dcef5c9 |
| SHA1 | 1c039c4c2f6eba428e8fd079b88544d9f47187a0 |
| SHA256 | 79e5c44ccfb3625ba2736833fd623ff79ec5ee4a06579cfe0db81f71d8ccebe7 |
| SHA512 | acab59522b4eb1ff23a5cd2666620458c315fc3ab0d71b3d5def975ef7d779e81d3989b1f42749d0fa44bbba0ee2b3e923c969d4b2827d9100e88fa18cc1be22 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 1d4b2edf85107b03963d8ec4b7b6f467 |
| SHA1 | e8fb752057a3e27d13041a1ab802f3fdbac87c86 |
| SHA256 | 4e9cf0102eb15044d96b6cd2879ae44781869de397ae9395178d5bca674f784b |
| SHA512 | cf12fef75dfa90e5978e46b91e2d8023a0cbfc26f5c4002cc91c20a203618e4c353195068b862df6fff0989458f7c6395e3c7ae6a68fe1323779aafa96bb0ab6 |
C:\AdobeK6\xbodloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 3c2aa0ca941bab6330235b566c256f96 |
| SHA1 | d053d8075d59e303192d2100f66c11922a14b6f4 |
| SHA256 | b34e85510c869c5902e8623fa4a4e5559acd0443431e6a9764ccee28bacfadf7 |
| SHA512 | da00866a3793224116bf9f7a895b6679d2e609aed26ffde5f5b368ad9a74d66611741e8fce387380342b210177eda0eb04b172c3ace625556197511b16249b3f |
C:\LabZ3F\dobdevec.exe
| Hash | Value |
| --- | --- |
| MD5 | e38a52eb64528d55bc52677ebab683a0 |
| SHA1 | bb865faba3eb4387b3ea602d45f59eb44f4297c1 |
| SHA256 | c8ec2f84d5e331eb6647c1ef157584413679daabe153bc2914768319ac0c67ec |
| SHA512 | 09a2953662e44d85be2d0a84a70c7f8359cfd3884c86ae22747c75adc3e5aec245714626312396d6f72e9e9cb6f794f5d7cac99902f4f3e5e41c2d1022e1f929 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | a3cde7a9dbc435281d56b6a22dcd22a6 |
| SHA1 | 6da56817f1710ccc248cc48637eda00c1ac1f913 |
| SHA256 | 23c4f2f726a2b3d4d0ec3625dd625567f6224f2e642e7e1bbed2c5fa7d46d075 |
| SHA512 | f238da7b0a681d071dbcec05bfaf3ecbc29927b7447beedac02957b7bc368a27736ff592c90234f7066c1eaab03049f234d3af66689a98ade62c7326424e97c7 |
C:\LabZ3F\dobdevec.exe
| Hash | Value |
| --- | --- |
| MD5 | 823e9ec0e1b2f0436902f1fa2b3b22f9 |
| SHA1 | 0beb6df4db6b1d3f3452a0672b5c0dc15e78e909 |
| SHA256 | 65b0c359b3318576a6f1a91f7ea1a61d977ffb9046c95315761f8dcb89935aea |
| SHA512 | 60f29bfdb7ee399a20017759299c07ea5d05d8868bcb558699928e98e55fb5b7536d28eea24c4325508ba529d077455d0c62924e2804435610acd5d6c22a10f0 |