Analysis Overview
SHA256
cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0
Threat Level: Shows suspicious behavior
The file cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N was classified as: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 17:00
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 17:00
Reported
2024-11-12 17:02
Platform
win7-20240903-en
Max time kernel
119s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | C:\Users\Admin\AppData\Local\Temp\cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| N/A | N/A | C:\Adobe54\xoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe54\\xoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintKQ\\boddevloc.exe" | C:\Users\Admin\AppData\Local\Temp\cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Adobe54\xoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe
"C:\Users\Admin\AppData\Local\Temp\cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
C:\Adobe54\xoptisys.exe
C:\Adobe54\xoptisys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
| MD5 | b0574acf458f8cc31c5ff8353d7d3f11 |
| SHA1 | c8fab530b43e63d3a2bd83f0947ba7a5b78e4e57 |
| SHA256 | 663e1acbbd944683192bc8ff36566ef0e2b956898db4866dec52c65e37c3d0a7 |
| SHA512 | 2f917a1ef7c80b5855c4cddd0f1f76d354924421043e7ac62a0718a3f6f9fbb1f8800283e4895ae87f12600b499f20be292ad0f47965993ef115a35c0f419d83 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 654fd11b063ee3e36b4fdd3ce222226e |
| SHA1 | 343a73b926f898883b99ee3ef608f4237082b3a8 |
| SHA256 | f09b0ebbf693eddf52ffe937b8813abc2d558966df564f6d7c7ceaa5b7bc70c3 |
| SHA512 | 1da15bac57d2187d99e8dcaa1c4082efedb4f251c38ce566b6e2afd69370bd696300f55eb46683240dbaf15e577e8a0aa3e0562c9a42cdf08f334102c19fdf47 |
C:\Adobe54\xoptisys.exe
| MD5 | 66b2c97acd514c9ff7fd58c10b3776a0 |
| SHA1 | 2d3b64f758b7ac257494cce19960db126af0b10b |
| SHA256 | 08970944b765491fc2bb5535ddc685511d25102be716eb817f3028d011088e0f |
| SHA512 | 7e6dfc7a9c7cc7f190c257f5dfe3132d1b59f7f22e893ed320d8aa2c1c8d9f48b5287bdbe3dce79dbac68eccac2ac2522c07fd0e1c38a33764a34acb8c412ba0 |
C:\MintKQ\boddevloc.exe
| MD5 | 00e3954edc8373bd9c2475d2a65ce9d0 |
| SHA1 | 983cb672d389ea2a2f32c034361908b12f1328a7 |
| SHA256 | 8e2e9ff943889915fedeb41125228978d16698f4b7d4ceaa196c98a95b3ab84c |
| SHA512 | 8f59882095832f7465cfae7637068414ccb28d4a0e77e6747b1f756626abc9e7f6ec8cf12d3c2cac9ab393d8094d2463eee33643b70945db88ad0783faadb56f |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | e7842e162ed23e7597d726eebe2d10bd |
| SHA1 | 019c7ea08d61232d99c1f668159e1085c1474246 |
| SHA256 | 8e0b78e262f5cc8160ff5c42ba2ecabfa2bd30d132dabf10a230c1297b6fd188 |
| SHA512 | 8f67fb3ce3acbb21f7c3e73a29812050884e4cb1f9a44b92fa578ff8cfb544ddd296a6a4e47195612b3b4a79eff44c9a743eca9c4ec04c269643764f121bd3f7 |
C:\MintKQ\boddevloc.exe
| MD5 | 9d25afffe9d1b54be65f222d3cc35dd6 |
| SHA1 | def370ca79668a44efdd2f4dc1c601cbeceeeaf7 |
| SHA256 | 80fb8fbf44553097974b204b6b9d4414b482e0e37a6764057a191110b231abef |
| SHA512 | 36c1dfeabb4a7f7b400fa756ccb1fe33d856029da7168c049a70856c00e1e07304b8e1189e812c468513b3bd22ab32af8ae720b9ea4bec40258a1b90764219dc |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 17:00
Reported
2024-11-12 17:02
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
97s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | C:\Users\Admin\AppData\Local\Temp\cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| N/A | N/A | C:\UserDotII\abodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotII\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBRC\\optixloc.exe" | C:\Users\Admin\AppData\Local\Temp\cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotII\abodec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe
"C:\Users\Admin\AppData\Local\Temp\cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe"
C:\UserDotII\abodec.exe
C:\UserDotII\abodec.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxbod.exe
| MD5 | a94758262f254b2c166cf61d3b980711 |
| SHA1 | a1f4276fcb5550ecfff04db01656079e4d9326ae |
| SHA256 | 4cd681872029519e7278099043dbea6fa111c3a66b84cc0718a1301d2a86a44b |
| SHA512 | fef4f5fc9b415b4f212078819f573521e384068e57b9e12258d4566606102eb893f91c02a4ac033515ede79c4f457136c2e5c10c3a456a2fab835751f8fe8532 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 2cb720d83b7252983524eafa54b288b9 |
| SHA1 | 46bdbe4001f39718908b1c0d80bb5924550e4edc |
| SHA256 | 3b323139fc52500240c6de22c74444facb5c12a01d49622b742d8eb0bdf0e10c |
| SHA512 | 816dba094e3eb23e130b82b8836481f90abe22d02658616404fe7ecb4556e3f30f2a0afd429d4d18427fdb51a50257858e42bfd5372b8420b071631ec2be685d |
C:\UserDotII\abodec.exe
| MD5 | 26991a7323425d01232d37cb094e7466 |
| SHA1 | c35c3f0cdbda25fd88f1d39dc07c623a9a25394b |
| SHA256 | af25ad1f354e0a9b9af9625b0ff62750d55269a382acdc5d0eda0ded96daa83c |
| SHA512 | 8ddf1b20514ab76b2d74f09497589eb722ddde38c639c31307afec011c53c360debb4f69182f0e0ef72e87c20118afed6e21f2e0ed9da19669ec7663ecf62430 |
C:\UserDotII\abodec.exe
| MD5 | 63a9b7065fe4c6908caf527173847371 |
| SHA1 | 621a851c6f6ded04ae33be11e91c4d767537e32b |
| SHA256 | aa2ea1a9379653bafd2d21adb4bb0c73ab5b00c46e7ff9dc46b0c536be5c27b7 |
| SHA512 | dece9e22c1135bd3fd7b69a541eaa3cb50f9f7aba3a02685afb38f63da5645f96ae5e3149c79571987a27f75fcaf846e859bc6375d97a2b25b511b1714ded50a |
C:\KaVBRC\optixloc.exe
| MD5 | c91d3464c60c5b5148dcb2ebbb8d6c6d |
| SHA1 | 6dddf2180d4bf983aeed53bdae0739f180728dff |
| SHA256 | d58fe3a217f490df0d327e51b9c5df67d288c3221a8775238f9ce2fabfcf462e |
| SHA512 | e8639ab7d80347dd238bdf6c4a35af0ae1f7ece2dda2530f1c4352846567ed139e7fc8590fb6c7dc2510e47b98c35eec8d8f77cc9ea90120ead81c0015fb63b7 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 7b7426f3c1aabc68316b23ae295425af |
| SHA1 | b41b91b9cb9cff9a0ed1095236233b232a02eb6a |
| SHA256 | c4d534f675928ab244dfa9cd3f8328e8ac1c08cd28216e78106205ba68d915dd |
| SHA512 | c21243ce7f22d87279741a25467d09a73eb9fc6e5afe34d0bf78d990b6768f3c53761fe37bac9bb62f6c27fe2166727506be02f7f6e2b46eb9667e5252146316 |
C:\KaVBRC\optixloc.exe
| MD5 | 9ba1f92f17320406dfe029e73132f1f8 |
| SHA1 | 5178500c26e0bae7a24b5f6089f4efac6bd1c451 |
| SHA256 | e2bdabf6ea4b10b3bcdc7cc25b9413609a1f9f529940ba94824e408abb581504 |
| SHA512 | afcb08b444b349ced710fdcf62a34fe5d36f5ae3233e46e7dea8b228f13e34643000d248e3a4eb700d4def94bc096c9aa4988b02398441d2eb578682cd4eb835 |
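The two detonations above agree on the persistence pattern even though the dropped file names differ per run: an executable is written to the user's Startup folder, a `Run` and a `RunOnce` value both named `Parametr` are set, and the payload lives in a freshly created directory directly under `C:\` (`Adobe54`, `MintKQ`, `UserDotII`, `KaVBRC`). The `.ini` written under `C:\Users\Admin` also changes with the platform (`_6.1_` on the Windows 7 run, `_10.0_` on the Windows 10 run, matching those OS version numbers). The following is an added example, not part of the sandbox report and not code from the sample's author: a small detection pass in Python that replays Sysmon-style events (Event ID 1 process create, 11 file create, 13 registry value set) against those indicators. The event shape, the rule names, and the sample events are assumptions constructed here from the report's own paths, registry values and SHA256 hashes; the Run-key heuristic (value name `Parametr`, or an `.exe` in a non-standard top-level directory) is derived from the behaviour on this page and will need tuning for a real estate.

```python
"""Replay Sysmon-style events against the indicators from this sandbox report.

Added example (not from the report). Event dicts use a simplified Sysmon
layout: EventID plus the relevant fields (Image, TargetFilename,
TargetObject, Details, Hashes). The rule names are assumptions.
"""
import re
from dataclasses import dataclass

# Startup-folder drop seen in both detonations (locxopti.exe / locxbod.exe).
STARTUP_DIR_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$",
    re.IGNORECASE,
)
# Matches both HKU\<SID>\Software\... (Sysmon) and \REGISTRY\USER\<SID>\SOFTWARE\... (report).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# Value name used for both the Run and RunOnce entries in both runs.
SUSPICIOUS_VALUE_NAMES = {"parametr"}
# "C:\<dir>\<file>.exe" where <dir> is not a normal Windows top-level directory
# (the sample used C:\Adobe54, C:\MintKQ, C:\UserDotII, C:\KaVBRC).
ROOT_EXE_RE = re.compile(r"^[a-z]:\\([^\\]+)\\[^\\]+\.exe$", re.IGNORECASE)
STANDARD_ROOT_DIRS = {"windows", "program files", "program files (x86)", "programdata", "users"}
# SHA256 of every dropped executable listed in the report's Files sections.
KNOWN_DROPPED_SHA256 = {
    "663e1acbbd944683192bc8ff36566ef0e2b956898db4866dec52c65e37c3d0a7",  # locxopti.exe
    "08970944b765491fc2bb5535ddc685511d25102be716eb817f3028d011088e0f",  # xoptisys.exe
    "8e2e9ff943889915fedeb41125228978d16698f4b7d4ceaa196c98a95b3ab84c",  # boddevloc.exe
    "80fb8fbf44553097974b204b6b9d4414b482e0e37a6764057a191110b231abef",  # boddevloc.exe (second write)
    "4cd681872029519e7278099043dbea6fa111c3a66b84cc0718a1301d2a86a44b",  # locxbod.exe
    "af25ad1f354e0a9b9af9625b0ff62750d55269a382acdc5d0eda0ded96daa83c",  # abodec.exe
    "aa2ea1a9379653bafd2d21adb4bb0c73ab5b00c46e7ff9dc46b0c536be5c27b7",  # abodec.exe (second write)
    "d58fe3a217f490df0d327e51b9c5df67d288c3221a8775238f9ce2fabfcf462e",  # optixloc.exe
    "e2bdabf6ea4b10b3bcdc7cc25b9413609a1f9f529940ba94824e408abb581504",  # optixloc.exe (second write)
}


@dataclass(frozen=True)
class Finding:
    rule: str       # assumed rule name
    process: str    # Image that produced the event
    indicator: str  # the matched path / registry value / hash


def _exe_path(command_or_path: str) -> str:
    """Return the executable path from a bare path or a quoted command line."""
    s = command_or_path.strip()
    if s.startswith('"'):
        return s[1:].split('"', 1)[0]
    return s


def _is_nonstandard_root_exe(path: str) -> bool:
    m = ROOT_EXE_RE.match(_exe_path(path))
    return bool(m) and m.group(1).lower() not in STANDARD_ROOT_DIRS


def check_event(ev: dict) -> list:
    """Apply the report-derived rules to one event; returns zero or more Findings."""
    eid = ev.get("EventID")
    image = ev.get("Image", "")
    findings = []
    if eid == 11:  # FileCreate
        target = ev.get("TargetFilename", "")
        if STARTUP_DIR_RE.search(target):
            findings.append(Finding("startup_folder_drop", image, target))
    elif eid == 13:  # RegistryEvent (value set)
        target = ev.get("TargetObject", "")
        m = RUN_KEY_RE.search(target)
        if m:
            data = ev.get("Details", "")
            if m.group("name").lower() in SUSPICIOUS_VALUE_NAMES or _is_nonstandard_root_exe(data):
                findings.append(Finding("run_key_persistence", image, f"{target} = {data}"))
    elif eid == 1:  # ProcessCreate; Sysmon Hashes field is "SHA256=...,MD5=..."
        hashes = dict(h.split("=", 1) for h in ev.get("Hashes", "").split(",") if "=" in h)
        sha256 = hashes.get("SHA256", "").lower()
        if sha256 in KNOWN_DROPPED_SHA256:
            findings.append(Finding("known_dropped_exe_executed", image, sha256))
        if STARTUP_DIR_RE.search(image) or _is_nonstandard_root_exe(image):
            findings.append(Finding("exe_from_unusual_location", image, image))
    return findings


def scan(events) -> list:
    return [f for ev in events for f in check_event(ev)]


# Constructed sample events, built from the behavioral1 indicators (not real telemetry).
SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cb3d0ab942120dc7419b146b0f2b6d3b8255228a4caf9337e0bae7761ff7a7e0N.exe"
SID = "S-1-5-21-3533259084-2542256011-65585152-1000"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": SAMPLE,
     "TargetFilename": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\locxopti.exe"},
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Parametr",
     "Details": "C:\\Adobe54\\xoptisys.exe"},
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Parametr",
     "Details": "C:\\MintKQ\\boddevloc.exe"},
    {"EventID": 1, "Image": "C:\\Adobe54\\xoptisys.exe",
     "Hashes": "SHA256=08970944B765491FC2BB5535DDC685511D25102BE716EB817F3028D011088E0F"},
    # Benign control: a normal Run value pointing into Program Files must not fire.
    {"EventID": 13, "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": "\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:28} {f.process}  ->  {f.indicator}")
```

Running the block against the constructed events produces five findings: the Startup-folder drop, both `Parametr` entries, and two for `xoptisys.exe` (known dropped hash, and an executable launched from a non-standard `C:\` directory); the OneDrive control produces none. The hash rule only catches these exact builds, so the path and value-name rules carry the weight against the per-run name changes visible between behavioral1 and behavioral2.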