Analysis Overview
| SHA256 | 1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726 |
| Threat Level | Shows suspicious behavior |
Malicious Activity Summary
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Reported | 2024-11-09 20:12 |
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-11-09 20:12 |
| Reported | 2024-11-09 20:14 |
| Platform | win7-20240903-en |
| Max time kernel | 149s |
| Max time network | 119s |
| Command Line | (empty) |
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | C:\Users\Admin\AppData\Local\Temp\1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| N/A | N/A | C:\UserDot4L\xbodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot4L\\xbodec.exe" | C:\Users\Admin\AppData\Local\Temp\1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid5C\\boddevec.exe" | C:\Users\Admin\AppData\Local\Temp\1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDot4L\xbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe | "C:\Users\Admin\AppData\Local\Temp\1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe" |
| C:\UserDot4L\xbodec.exe | C:\UserDot4L\xbodec.exe |
Network
No network activity was recorded in this run.
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
| MD5 | c98daa4ab0c3268db527aff910fa26aa |
| SHA1 | 893be3b7c6d6f5ac4afc7ac6163743ce536c2c7c |
| SHA256 | da7a69bbcfc8922b037a2d7d2c13f49b02949867ca4e8ac39632ecb29cd40c01 |
| SHA512 | 35fb9329bf90fbe4c28ccd5d2d6a2aa876dd13cf88faf274ec3a65052b7f3ddc54f8820a0f35ea69a3b993080640854d98f692f9ab0dfe1133541bdc19c8a81a |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 1d704e714ac6ba30fbb56292b3041985 |
| SHA1 | d3a8ed8749601d74f1c6759d6d10342e39b907eb |
| SHA256 | 3e1f460dcfd7275a0d6bd5e3eaef18fd513e158d699e5a62bfd70db41e37cd95 |
| SHA512 | db6684f6169a675cea4dcf6b6441954e103f10768bc92974b9dcabf13ec1b8f4a44f2efd22f63603aa58ed9e3610961601bda62006d2f3f90eb43347b88a4748 |
C:\UserDot4L\xbodec.exe
| MD5 | 4b15a8dc60fb28ba194308947f8d0bdf |
| SHA1 | addcf6f0cc5dc9577f5354dd3efdf91843caddb2 |
| SHA256 | eeda459c0f86c4f2c639edc7bc26cc6dc4f508b51063a31d85ac8a6f6e64b152 |
| SHA512 | 35c0dcc269feb3a6378ec13dde959d0dbc121e4ec5236b5910536beee95f1128b58b5d7711ee4f05359371d8097a799e57a11fa6b9dbb26c543666dffd669e7e |
C:\Vid5C\boddevec.exe
| MD5 | b89066b664e1bcaf48440629f62e1196 |
| SHA1 | c53a80a80b8c0e651574958d04b006e21b5f6592 |
| SHA256 | 5dde44e5cf22086c26a23c6ce0cc49f35c6e8f1280c1ed8ec4d5cda7ee95cedc |
| SHA512 | 84d342bc2916c6cd7e19264d24240e987d711b2514ae2d87b625e8f8311ecd7b68fbe511890a1dbc0b05b2daab8075c2078ae405ba25315360f9dec971fa653f |
C:\UserDot4L\xbodec.exe
| MD5 | f8a6bb436afda62b3fc5e356c2a2b86f |
| SHA1 | cea29e2353c0ffd2c6f1a535e1b95927f25f0de8 |
| SHA256 | d60f806b47844af5ee5a8699d334026a73dbef99925ba240cfd02c09f9edba84 |
| SHA512 | feacde03056a7da505b508c0589ff52ca5798663996d08944fd79da885d70575112592d6ff1b83fe5539ad2f0f903fef2e7becb094b7f361e68b68a5f83baed0 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 5b564730b9e7af4a6b8ab2aae96a42af |
| SHA1 | b02bb8306c60a6ed7cb6b4c15491dab4b018c914 |
| SHA256 | 585c617091e839ee434e37869e0e4e2a1c091ac44cbc9310e9d0f39e030eb517 |
| SHA512 | 67691658220456fbd24676ebc4e2e5cb3bbfab5b79c402f2b7c9eb8386004f316bfbf72ba0f647cccc02942c11d4dd74f71fc0bd9e219c584a2aa1289bd0a931 |
C:\Vid5C\boddevec.exe
| MD5 | ff4b66900a409c2d72d38997d01dc396 |
| SHA1 | aa1382bb61e141fd3103fd571aca5e4bb7f0eed4 |
| SHA256 | cf89864284134635b4e9c306e5843d021154adc68820d6aa5760629d5d825d3c |
| SHA512 | 292f27cb900b2940fa70b53539cfb58347e43e04deeffaa2659db67b92f8b883ddea049d8ce72490873fa4e7ca387062415257d954653186c66661290adb012d |
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-11-09 20:12 |
| Reported | 2024-11-09 20:15 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 150s |
| Max time network | 159s |
| Command Line | (empty) |
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\AdobePP\xoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobePP\\xoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax3W\\optialoc.exe" | C:\Users\Admin\AppData\Local\Temp\1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobePP\xoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
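Both runs show the same three-part persistence: an EXE dropped into the user's Startup folder (locdevbod.exe on win7, locdevdob.exe on win10), a Run value named Parametr pointing at an EXE in a freshly created directory directly under C:\ (C:\UserDot4L\xbodec.exe, C:\AdobePP\xoptisys.exe), and a RunOnce value of the same name pointing at a second such directory (C:\Vid5C\boddevec.exe, C:\Galax3W\optialoc.exe). The RunOnce targets never appear in either process list: the sandbox does not log off or reboot during the run, so that stage was not observed executing. Likewise, "Suspicious use of WriteProcessMemory" is reported without a Target, so the report alone does not establish injection into another process. The detection logic below is an added example, not part of the report; it runs over constructed records in a Sysmon-like shape (EventID 11 FileCreate, EventID 13 registry value set) whose field names are assumptions, and it flags the Startup-folder drop and the Run/RunOnce values on the two heuristics that separate this sample from an ordinary installer: the writer runs from %TEMP% or Roaming AppData, and the autostart target sits one level below a non-standard root directory. The NLS\Language key opens (ATT&CK T1614.001) are not covered because Sysmon does not record key reads; they are visible only under API-level monitoring such as the sandbox's.

```python
"""Detection logic for the persistence pattern recorded in both runs of this report.

Added example (not part of the sandbox report). Events are constructed here in a
Sysmon-like JSON shape: EventID 11 = FileCreate, EventID 13 = RegistryEvent
(value set). The field names mirror Sysmon's, but the records are assumptions,
not an export from the sandbox.
"""
import re
from dataclasses import dataclass

# Directories that normally sit directly under the drive root. An EXE one
# level below any other root directory (C:\UserDot4L, C:\Vid5C, C:\AdobePP,
# C:\Galax3W in this report) is worth flagging; it is a heuristic, not proof.
STANDARD_ROOTS = {"windows", "program files", "program files (x86)",
                  "programdata", "users", "perflogs", "$recycle.bin"}

RUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\(run|runonce)\\[^\\]+$", re.I)
STARTUP_DROP_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.exe$", re.I)
USER_WRITABLE_RE = re.compile(r"\\appdata\\(local\\temp|roaming)\\", re.I)
ROOT_LEVEL_EXE_RE = re.compile(r"^[a-z]:\\([^\\]+)\\[^\\]+\.exe$", re.I)


@dataclass(frozen=True)
class Hit:
    rule: str
    process: str
    indicator: str


def normalise_reg_data(data: str) -> str:
    """Undo the sandbox rendering of REG_SZ data: surrounding quotes, doubled backslashes."""
    return data.strip().strip('"').replace("\\\\", "\\")


def in_nonstandard_root(path: str) -> bool:
    """True for X:\\<dir>\\<name>.exe where <dir> is not a standard root directory."""
    m = ROOT_LEVEL_EXE_RE.match(path)
    return bool(m) and m.group(1).lower() not in STANDARD_ROOTS


def detect(events) -> list[Hit]:
    """Apply the two autostart heuristics plus the Startup-folder drop rule."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
            target = normalise_reg_data(ev.get("Details", ""))
            reasons = []
            if USER_WRITABLE_RE.search(ev["Image"]):
                reasons.append("set by a process running from a user-writable temp/roaming path")
            if in_nonstandard_root(target):
                reasons.append("target EXE sits in a non-standard root directory")
            if reasons:
                hits.append(Hit("autostart_registry: " + "; ".join(reasons),
                                ev["Image"], f'{ev["TargetObject"]} = {target}'))
        elif eid == 11 and STARTUP_DROP_RE.search(ev.get("TargetFilename", "")):
            hits.append(Hit("startup_folder_exe_drop", ev["Image"], ev["TargetFilename"]))
    return hits


# Constructed sample events: values taken from the win7 run above, shape assumed.
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe")
HKU = "HKU\\S-1-5-21-4177215427-74451935-3209572229-1000"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": DROPPER,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\locdevbod.exe"},
    {"EventID": 13, "Image": DROPPER,
     "TargetObject": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "Details": r'"C:\\UserDot4L\\xbodec.exe"'},
    {"EventID": 13, "Image": DROPPER,
     "TargetObject": HKU + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "Details": r'"C:\\Vid5C\\boddevec.exe"'},
    # Benign controls (constructed): an installer registering its own updater,
    # and the sample's .ini write, which is outside the Startup folder.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r'"C:\\Program Files\\Vendor\\updater.exe"'},
    {"EventID": 11, "Image": DROPPER,
     "TargetFilename": r"C:\Users\Admin\253086396416_6.1_Admin.ini"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"[{hit.rule}] {hit.process}\n    {hit.indicator}")
```

The root-directory heuristic deliberately matches only one level below the drive root, which is where every autostart target in this report lives; a deeper path such as C:\Program Files\Vendor\updater.exe passes, as the benign control shows. Tune STANDARD_ROOTS to the build you monitor before relying on it.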
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe | "C:\Users\Admin\AppData\Local\Temp\1c321f2a8370335645ab26e90f22bc863e8487f3191377e4b80cbb767e6c4726.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe" |
| C:\AdobePP\xoptisys.exe | C:\AdobePP\xoptisys.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
| MD5 | c46eb6abeea8fdee438a726526b1c81b |
| SHA1 | 2362db702e400fed2b484bcebb82524080b75c97 |
| SHA256 | 6bb64d782998bb2a9fd2d7ffe4263c6651e7cf62ab6bc4fda0c9cd70d754866d |
| SHA512 | edde68ce00dcb1a571c937be7c3a1128d743023663f9895cc67f2c635845b5a431fc867414c116b08af1df817946d1c05bcc3cd67d0c662b6b4d738945df1adf |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 0a22315311f558d805b725cf619e35c9 |
| SHA1 | f4b933d2be6036c8c6c894504229ae5a6be4dff9 |
| SHA256 | 9c1331cc3dc4cda5577ee183b8a3acc0eb20027463fe021ca5732f13c5428fc5 |
| SHA512 | 3cff51802ca19bc60cd7163743e2a557709dff950b5280a8c355b42337733282e170e847cbb3b37b601cb55803256660ef3e4bf8f3274ad035a5d080ecc3b2dd |
C:\AdobePP\xoptisys.exe
| MD5 | ae2f3c238908537647c4ad6c943e0d8f |
| SHA1 | f88ee9224614a19931bae0a64814d6900996c39d |
| SHA256 | b7cc3a22bb3a7684d4a5104768a8c61ad026fab2746051a24f32b0ec809ef03d |
| SHA512 | a0e0783705201c0e8136da4206581b9d93ee44a44fc6c0aacb1f0330d7af63238b661ed98310b97d820973b0c6f886e888d05f33d47d8f95313e236867459767 |
C:\Galax3W\optialoc.exe
| MD5 | c1db393f218942df177f17095ceae84f |
| SHA1 | a3bc28ab86d669b7c669cc8f576e2b8fc5cd9376 |
| SHA256 | 97e832b5c5659402a71378977b6750da48d6bfdecaa8615333f5f7b23b4b65af |
| SHA512 | 0fc1927d64d33d21e70571f82497fcd4508f6f65c0c11d85a5d8d5344a7219dbe6c3e8e0b9d922ce479bf7b068e6b9a2dd3c771b0f9b595d83d4ac83dae83067 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 0fdd8ccd8186e07cb06a5957d55fb3de |
| SHA1 | 7cf3ecf6a9befa5e0a133b5afff154d1e142b8f9 |
| SHA256 | 26e527d67c04c7fd4164b9b934c1d1e6d1b3c608fb6fc9c90557740a016f03fc |
| SHA512 | c8dbc603d10c6b7990fc4898a30585dd2a6556cd6cec2be61ac210f204390532afbbcbd7317aea8c2062e6d7c3ba638ea738d44db267106f54a6dd83886b0949 |
C:\Galax3W\optialoc.exe
| MD5 | 05d1aef499a939a45d386a8773bff2a5 |
| SHA1 | ad23ecd183b65f96f85a66aa60f835efe4dabb75 |
| SHA256 | 197d6eea47694e002dcdf2f43e71cd5ab6c52a23efc75bdb466ed23c58bfdcb9 |
| SHA512 | c21f6eceb5aae3a9d484a2f2979edcd2093dc57bfebbd6befd62cdce27c8ff83f6c2e1b25aabbf1c7da1e55481cf5f5a48fa4d9e67ecbdc61827dec2d247e4c7 |
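Two things in the Files tables of both runs matter when turning this report into blocklist entries. Most of the dropped paths are listed twice in a run with different hashes (xbodec.exe, boddevec.exe and the .ini on win7; optialoc.exe and the .ini on win10), so the sample rewrites its own drops and a single hash per path would miss one version. The .ini name embeds the OS version (6.1 on win7, 10.0 on win10) and the user name around a number that is identical across both runs, so the path is not a stable indicator. The Network table of the win10 run contains only reverse (PTR) lookups sent to 8.8.8.8, with no forward resolutions and no connections, and the report does not attribute those queries to any process; reverse the names to addresses for context, but do not treat them as C2 without further evidence. The consolidation below is an added example, not part of the report; its records are copied from the tables above and nothing beyond them is assumed.

```python
"""IOC consolidation for the two runs in this report.

Added example, not part of the report. FILE_RECORDS and PTR_QUERIES are copied
from the Files and Network tables; nothing beyond those tables is assumed.
"""
import ipaddress
from collections import defaultdict

STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# (run, path, sha256) in report order; a path listed twice in one run was
# written twice with different content.
FILE_RECORDS = [
    ("behavioral1", STARTUP + r"\locdevbod.exe", "da7a69bbcfc8922b037a2d7d2c13f49b02949867ca4e8ac39632ecb29cd40c01"),
    ("behavioral1", r"C:\Users\Admin\253086396416_6.1_Admin.ini", "3e1f460dcfd7275a0d6bd5e3eaef18fd513e158d699e5a62bfd70db41e37cd95"),
    ("behavioral1", r"C:\UserDot4L\xbodec.exe", "eeda459c0f86c4f2c639edc7bc26cc6dc4f508b51063a31d85ac8a6f6e64b152"),
    ("behavioral1", r"C:\Vid5C\boddevec.exe", "5dde44e5cf22086c26a23c6ce0cc49f35c6e8f1280c1ed8ec4d5cda7ee95cedc"),
    ("behavioral1", r"C:\UserDot4L\xbodec.exe", "d60f806b47844af5ee5a8699d334026a73dbef99925ba240cfd02c09f9edba84"),
    ("behavioral1", r"C:\Users\Admin\253086396416_6.1_Admin.ini", "585c617091e839ee434e37869e0e4e2a1c091ac44cbc9310e9d0f39e030eb517"),
    ("behavioral1", r"C:\Vid5C\boddevec.exe", "cf89864284134635b4e9c306e5843d021154adc68820d6aa5760629d5d825d3c"),
    ("behavioral2", STARTUP + r"\locdevdob.exe", "6bb64d782998bb2a9fd2d7ffe4263c6651e7cf62ab6bc4fda0c9cd70d754866d"),
    ("behavioral2", r"C:\Users\Admin\253086396416_10.0_Admin.ini", "9c1331cc3dc4cda5577ee183b8a3acc0eb20027463fe021ca5732f13c5428fc5"),
    ("behavioral2", r"C:\AdobePP\xoptisys.exe", "b7cc3a22bb3a7684d4a5104768a8c61ad026fab2746051a24f32b0ec809ef03d"),
    ("behavioral2", r"C:\Galax3W\optialoc.exe", "97e832b5c5659402a71378977b6750da48d6bfdecaa8615333f5f7b23b4b65af"),
    ("behavioral2", r"C:\Users\Admin\253086396416_10.0_Admin.ini", "26e527d67c04c7fd4164b9b934c1d1e6d1b3c608fb6fc9c90557740a016f03fc"),
    ("behavioral2", r"C:\Galax3W\optialoc.exe", "197d6eea47694e002dcdf2f43e71cd5ab6c52a23efc75bdb466ed23c58bfdcb9"),
]

# Reverse-lookup names from the win10 run's Network table (all sent to 8.8.8.8:53/udp).
PTR_QUERIES = [
    "241.150.49.20.in-addr.arpa", "8.8.8.8.in-addr.arpa", "71.209.201.84.in-addr.arpa",
    "73.31.126.40.in-addr.arpa", "95.221.229.192.in-addr.arpa", "104.219.191.52.in-addr.arpa",
    "217.106.137.52.in-addr.arpa", "212.20.149.52.in-addr.arpa", "241.42.69.40.in-addr.arpa",
    "75.117.19.2.in-addr.arpa", "88.210.23.2.in-addr.arpa", "48.229.111.52.in-addr.arpa",
    "89.16.208.104.in-addr.arpa",
]


def versions_by_path(records):
    """sha256 values seen for each (run, path), in report order."""
    out = defaultdict(list)
    for run, path, sha in records:
        out[(run, path)].append(sha)
    return dict(out)


def rewritten_paths(records):
    """Paths written more than once in a run: block every hash, not just the last one."""
    return {k: v for k, v in versions_by_path(records).items() if len(v) > 1}


def unique_sha256(records):
    """Deduplicated hash set for a blocklist export."""
    return sorted({sha for _, _, sha in records})


def ptr_to_ip(name):
    """'241.150.49.20.in-addr.arpa' -> '20.49.150.241'; None for anything else."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
    except ipaddress.AddressValueError:
        return None


def queried_addresses(names):
    """Addresses the sandbox asked PTR records for, deduplicated and sorted numerically."""
    return sorted({ip for ip in map(ptr_to_ip, names) if ip}, key=ipaddress.IPv4Address)


if __name__ == "__main__":
    for (run, path), hashes in rewritten_paths(FILE_RECORDS).items():
        print(f"{run}: {path} written {len(hashes)} times")
    print(len(unique_sha256(FILE_RECORDS)), "unique sha256 values")
    print("PTR-queried addresses:", ", ".join(queried_addresses(PTR_QUERIES)))
```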