Analysis Overview
SHA256
20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133
Threat Level: Shows suspicious behavior
The file 20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Drops startup file
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 23:41
Signatures
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 23:41
Reported
2024-11-11 23:43
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
101s
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | C:\Users\Admin\AppData\Local\Temp\20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| N/A | N/A | C:\SysDrv00\xoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv00\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintT1\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrv00\xoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe | "C:\Users\Admin\AppData\Local\Temp\20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe" |
| C:\SysDrv00\xoptiec.exe | C:\SysDrv00\xoptiec.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\SysDrv00\xoptiec.exe
C:\SysDrv00\xoptiec.exe
C:\MintT1\bodxloc.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\MintT1\bodxloc.exe
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 23:41
Reported
2024-11-11 23:43
Platform
win7-20240903-en
Max time kernel
120s
Max time network
24s
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\UserDotP0\xbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotP0\\xbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint7A\\dobxloc.exe" | C:\Users\Admin\AppData\Local\Temp\20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotP0\xbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe | "C:\Users\Admin\AppData\Local\Temp\20e2442f2847b9798e3887d04b14abf130467383614faa3bf6939b44a47dd133.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe" |
| C:\UserDotP0\xbodloc.exe | C:\UserDotP0\xbodloc.exe |
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\UserDotP0\xbodloc.exe
C:\Mint7A\dobxloc.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\Mint7A\dobxloc.exe