Analysis Overview
SHA256
6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c
Threat Level: Shows suspicious behavior
The file 6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 23:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 23:27
Reported
2024-11-11 23:29
Platform
win7-20241023-en
Max time kernel
119s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | C:\Users\Admin\AppData\Local\Temp\6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| N/A | N/A | C:\FilesBR\xdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesBR\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidOO\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesBR\xdobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe | "C:\Users\Admin\AppData\Local\Temp\6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe" |
| C:\FilesBR\xdobsys.exe | C:\FilesBR\xdobsys.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
| MD5 | 43d71ee55c74e3e6d48d93879e832f04 |
| SHA1 | accdb93ca7ba6022937249a95594de41f250ef34 |
| SHA256 | 66acb7c06a97d337d247f48b58016fe259cf7d7cf62dd89e9f210b54195e31c6 |
| SHA512 | 31d071dfa0c8be4ecc88619ae6dee1cf250a3d4b2fd2a766084d5381811e3e6a31d6504cbc4e5edd864d0120c8f1604cc1fc81e8cab839fb008167eda41b1388 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | bd4468da1ad114ed959544ada3ec4d0b |
| SHA1 | 75461c145b05964aa12c7a7293d8722478fe6870 |
| SHA256 | de381b89553dcae477e4b7dfc0e5a4431b3de1e810cfeed73c1e584728ba6fde |
| SHA512 | a90e43596dcc8cd6c932c4d3a3436d0c39769be396ec7df3568764932a7accc82b241f50cbd4707cc3a318919d4c782a31050f6722b9d52314af3721834c5e10 |
C:\FilesBR\xdobsys.exe
| MD5 | 4e0f5a14dc5973b2270184f3bbcf82e1 |
| SHA1 | 2e6fd54043fa4ccaf01efa1c1da9a822962342ab |
| SHA256 | 07f4d10b1321f363d20bff63c877b23b8a791e93ab6394e00119d0c47937c45e |
| SHA512 | aa9107455e0bbdc3fc5dceba75e01d0257332ad0c22be4db1440c671f3a182d159aa876fd9acbd941fc1e69dd0dbf0691298ebeb761ae642c194951b853dfc5e |
C:\VidOO\bodaloc.exe
| MD5 | 8ba215bcf1dd16866cc0f41472d80c78 |
| SHA1 | f1e067d52c7f4544bbd29fec23d903b42c31852b |
| SHA256 | b0f0948cce9f8c8968372ebe7f5eae326277711cea577ca032cbd3abbdf2d4c0 |
| SHA512 | 878c00f72e0ac44b578ea4ef7da5b0f9e51c099c27960d1b085751ce35b046b57c8f19aa314237426260c0b14dee14338ae173e3d63ad91f0acbc2c71bf4a428 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 98765776447b50c305868231c4b1e325 |
| SHA1 | 461aab684d7e8aac0e51165850c9854c3c85c0f3 |
| SHA256 | 206e71db5bab10d7302baafa30d1d243e49d738854737f9d2608f950a3133dcc |
| SHA512 | b01b344047b8e70b0773895b92d09bf8ac470672375b269c897cf7d44b127ec7b6a3599c4f9b04bb3988bdda9476caf887c860f667dc9bd7b54f9ec0cfef1aba |
C:\VidOO\bodaloc.exe
| MD5 | 8a937f36dca27de363ec9fb773c64f30 |
| SHA1 | 9e013314f35c8e763990f9a31bb5c694cbd69a1f |
| SHA256 | 6e1ccc9e4e792df465a44d81419ad3615212c5309c28ae0500504cdddd675d5c |
| SHA512 | 60ed30c70c91e9f6fe41633763b183e222b3537867257cde0708e85e935ce93b688084c85ab90e78165b7f4b999fd3292a468609f83edbc7c86f0655d8e5e5bc |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 23:27
Reported
2024-11-11 23:29
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
93s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | C:\Users\Admin\AppData\Local\Temp\6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| N/A | N/A | C:\AdobeK4\aoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeK4\\aoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintFR\\boddevloc.exe" | C:\Users\Admin\AppData\Local\Temp\6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeK4\aoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe | "C:\Users\Admin\AppData\Local\Temp\6cd96120f3e4d436489a20a25246ec189afd4d9842735392138534328abf499c.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe" |
| C:\AdobeK4\aoptiec.exe | C:\AdobeK4\aoptiec.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
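Triage helper written for this page as an added example; it is not the sandbox's code and not the sample's. It turns the host indicators from the behavioral1 and behavioral2 Signatures tables (an EXE written to the per-user Startup folder, Run and RunOnce values both named Parametr, drop paths under C:\FilesBR, C:\VidOO, C:\AdobeK4 and C:\MintFR, and the SHA-256s of the dropped files) into matching rules, runs them over constructed Sysmon-style events, and decodes the in-addr.arpa PTR queries from the Network table above back to the IPv4 addresses that were resolved. The Sysmon field names (EventID 13 registry value set, 11 file create, 1 process create), the event records and the benign entries are assumptions made for the example; the SID in the registry paths is the one from behavioral1.

```python
"""Triage helper built from the indicators listed in this report (added example,
not sandbox output). Host events are constructed in the Sysmon field layout:
EventID 13 = registry value set, 11 = file create, 1 = process create."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Indicators copied from the behavioral1 / behavioral2 sections, lower-cased for matching.
STARTUP_DIR = "\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\"
AUTORUN_VALUE_NAME = "parametr"  # value name the sample sets under both Run and RunOnce
DROPPED_EXE_PATHS = {
    r"c:\filesbr\xdobsys.exe", r"c:\vidoo\bodaloc.exe",      # behavioral1 (win7)
    r"c:\adobek4\aoptiec.exe", r"c:\mintfr\boddevloc.exe",   # behavioral2 (win10)
}
DROPPED_SHA256 = {
    "66acb7c06a97d337d247f48b58016fe259cf7d7cf62dd89e9f210b54195e31c6",  # ecaopti.exe
    "07f4d10b1321f363d20bff63c877b23b8a791e93ab6394e00119d0c47937c45e",  # xdobsys.exe
    "b0f0948cce9f8c8968372ebe7f5eae326277711cea577ca032cbd3abbdf2d4c0",  # bodaloc.exe (1st write)
    "6e1ccc9e4e792df465a44d81419ad3615212c5309c28ae0500504cdddd675d5c",  # bodaloc.exe (2nd write)
    "3c395effe00497436da699c37517fe36dd486a1714f0c1b5882b8b20eceec568",  # locxopti.exe
    "a2353a4fdf4000c90de6b1df357b7305314af226ae8b32a889c7b5a89e73ea9c",  # aoptiec.exe (1st write)
    "aa714439523f222beb45e86373e6bdb78d1b0afd619226538bd480a5e4292089",  # aoptiec.exe (2nd write)
    "bf56cdf195d679617c2f5ce3c284eb80d2fead17b5b8875f644d9a93fdc06199",  # boddevloc.exe (1st write)
    "a5da468c815de77c5e20b22fe80c11adf2034855c04ce01083fda676dc53abd2",  # boddevloc.exe (2nd write)
}
AUTORUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\(run|runonce)\\([^\\]+)$")


def classify_registry_event(target_object: str, details: str) -> Optional[str]:
    """Flag Run/RunOnce values named 'Parametr' or whose data points at a dropped EXE."""
    m = AUTORUN_KEY_RE.search(target_object.lower())
    if not m:
        return None
    key, value_name = m.group(1), m.group(2)
    # The report renders value data as "C:\\FilesBR\\xdobsys.exe": unquote and unescape it.
    exe = details.strip().strip('"').replace("\\\\", "\\").lower()
    if value_name == AUTORUN_VALUE_NAME or exe in DROPPED_EXE_PATHS:
        return f"autorun-{key}"
    return None


def classify_file_event(target_filename: str) -> Optional[str]:
    """Flag EXEs written to the per-user Startup folder or to one of the report's drop paths."""
    path = target_filename.lower()
    if STARTUP_DIR in path and path.endswith(".exe"):
        return "startup-folder-drop"
    if path in DROPPED_EXE_PATHS:
        return "dropped-exe-written"
    return None


def classify_process_event(image: str, hashes: str = "") -> Optional[str]:
    """Flag execution of a known dropped hash, or of any image at a drop location."""
    fields = dict(part.split("=", 1) for part in hashes.split(",") if "=" in part)
    if fields.get("SHA256", "").lower() in DROPPED_SHA256:
        return "known-dropped-hash-executed"
    path = image.lower()
    if STARTUP_DIR in path or path in DROPPED_EXE_PATHS:
        return "dropped-exe-executed"
    return None


def scan(events: List[Dict]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every event that matches an indicator."""
    hits = []
    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        if eid == 13:
            rule = classify_registry_event(ev["TargetObject"], ev.get("Details", ""))
        elif eid == 11:
            rule = classify_file_event(ev["TargetFilename"])
        elif eid == 1:
            rule = classify_process_event(ev["Image"], ev.get("Hashes", ""))
        else:
            rule = None
        if rule:
            hits.append((i, rule))
    return hits


def ptr_to_ipv4(name: str) -> Optional[str]:
    """'154.239.44.20.in-addr.arpa' -> '20.44.239.154'; None if not a full IPv4 PTR name."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
    except ipaddress.AddressValueError:
        return None


# PTR queries copied from the behavioral2 Network table.
REPORT_PTR_QUERIES = [
    "154.239.44.20.in-addr.arpa", "240.221.184.93.in-addr.arpa", "20.160.190.20.in-addr.arpa",
    "95.221.229.192.in-addr.arpa", "13.86.106.20.in-addr.arpa", "56.163.245.4.in-addr.arpa",
    "18.31.95.13.in-addr.arpa", "172.214.232.199.in-addr.arpa",
]


def decode_report_ptrs() -> List[str]:
    return [ptr_to_ipv4(q) for q in REPORT_PTR_QUERIES]


# Constructed Sysmon-style events: four mirror the behavioral1 run, the last two are benign.
SAMPLE_EVENTS = [
    {"EventID": 11, "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr",
     "Details": r'"C:\\FilesBR\\xdobsys.exe"'},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr",
     "Details": r'"C:\\VidOO\\bodaloc.exe"'},
    {"EventID": 1, "Image": r"C:\FilesBR\xdobsys.exe",
     "Hashes": "MD5=4E0F5A14DC5973B2270184F3BBCF82E1,SHA256=07F4D10B1321F363D20BFF63C877B23B8A791E93AB6394E00119D0C47937C45E"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},  # benign
    {"EventID": 11, "TargetFilename": r"C:\Users\Admin\Documents\notes.txt"},  # benign
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
    print("resolved addresses:", ", ".join(decode_report_ptrs()))
```

Two caveats when using this against real telemetry. The Network rows decode to addresses such as 20.44.239.154, 20.190.160.20 and 13.95.31.18; the report attributes no process to these lookups, and reverse queries for Microsoft and CDN address space of this kind are routine Windows 10 background traffic, so they should not be treated as sample C2 without a pcap that ties them to one of the dropped processes. And the NLS\Language key openings listed under System Language Discovery are how the sample reads the system language; samples that do this commonly branch on the result, so a detonation on a different locale can show different behaviour than the two runs here.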
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
| MD5 | d8da0fe40a4217a5ec4716640a5eca42 |
| SHA1 | 5b61dee820bae506802eae6bf7a8ecc8c1f6f35b |
| SHA256 | 3c395effe00497436da699c37517fe36dd486a1714f0c1b5882b8b20eceec568 |
| SHA512 | 331d16ef50a3ea01ae9f7a4b7e6b5217a7c460151fccd7c2099eedd613b4d60bbf900cdc4cc30e69acd0c73343a4e2e6cf07e2a9ef55ebcabe4820a94bb50ca0 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 0970ab8a23ddc3e6fd06f06057c6dfa9 |
| SHA1 | 8888b15c97cd1a8f1feb2e500fce643626e5e999 |
| SHA256 | 7e4d67a586baf87bbd9c9b28bbc33b66089d352e74dd10815ce5ae93f387ce58 |
| SHA512 | 2c3904961f7f53cf5880d488ed3935810ed1bb2787d52cca00e5173fea3bcd365e391dbdfcf59da83e14e05eef818ec0f0752ed598b2278470994a22161f587d |
C:\AdobeK4\aoptiec.exe
| MD5 | e0cea268bad3b123570d9caec2099cce |
| SHA1 | 13f00da74a6ef1c0811b9cab4e60854c89afb7b5 |
| SHA256 | a2353a4fdf4000c90de6b1df357b7305314af226ae8b32a889c7b5a89e73ea9c |
| SHA512 | f2eacb7dce13b911c7bcaa02f79273e80bb45e1336b6cd8916d5307f6e1f4fbd036a4aa2ae6d2e8e360c7a6eed9cd0f9200b7461c4895c114c778267b5887f22 |
C:\AdobeK4\aoptiec.exe
| MD5 | f6ab502a17d4b2f1a256c1c9d98cba51 |
| SHA1 | 8751375fe0655e7a237c02208bdec0191f2904cb |
| SHA256 | aa714439523f222beb45e86373e6bdb78d1b0afd619226538bd480a5e4292089 |
| SHA512 | 49c8d5615a3110359f80c433ee6a7113d8fe8871abe31d6c6a73943f6561c0b9276a612b01574efa5098474fe9c30547f434437387f7f85bb28c520a02c3a13e |
C:\MintFR\boddevloc.exe
| MD5 | 81ecf9cf41a0540cac035756315b906f |
| SHA1 | a47b40c8a1f385b68cd8c3fb6e25d0c96b792299 |
| SHA256 | bf56cdf195d679617c2f5ce3c284eb80d2fead17b5b8875f644d9a93fdc06199 |
| SHA512 | 60380a981042dc2cd0b84346727611572e2eec25eeeb565f0a7155e37654bc23b0324d55a3f9926d7c18371d715339e6dc3cf62e125e0d97bf4917a2c1b65a72 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | a846371aa6e633f259f09df0ba7016f3 |
| SHA1 | 712d4dbec5c3de0e2e073458c1d4fd7a4b78714d |
| SHA256 | 13e88cb686431fde9d59adc4384a02092cbead45347287ccbe8816a89e03f92d |
| SHA512 | 0b0c621c54c77a4c10df22f2cd46d9a131181138f56547c98a4b512741d429a06c6d146fe9bb98b08f0a99560cc52a38bca8987f6082f1847171c57b8f2bd1b1 |
C:\MintFR\boddevloc.exe
| MD5 | 874076d0193b6759ffff3c901c0fdd1c |
| SHA1 | 97a557a8df8a32dbe054882732305ed7c2abbf3f |
| SHA256 | a5da468c815de77c5e20b22fe80c11adf2034855c04ce01083fda676dc53abd2 |
| SHA512 | e2e6703b65944c17bcde304af1faaf66041b1ca8bcc26294cf61a4997dedb48039102d524ca42e4b95fad03c7af215a1d4328b8726853c488fd2d4ec29c2a55e |