Analysis Overview
SHA256
04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96
Threat Level: Shows suspicious behavior
The file 04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 13:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 13:49
Reported
2024-11-13 13:51
Platform
win7-20240708-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | C:\Users\Admin\AppData\Local\Temp\04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| N/A | N/A | C:\IntelprocET\xdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocET\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid0V\\dobxec.exe" | C:\Users\Admin\AppData\Local\Temp\04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocET\xdobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe
"C:\Users\Admin\AppData\Local\Temp\04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe"
C:\IntelprocET\xdobsys.exe
C:\IntelprocET\xdobsys.exe
Network
Files
Where a path is listed twice with different hashes (the .ini and the RunOnce executable in each run), the file was written with two different contents during the run. The .ini name encodes the OS version (6.1 on the Windows 7 run, 10.0 on the Windows 10 run) and the user name, so the constant prefix 253086396416_ is the part worth hunting for.
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
| MD5 | b1db69d95ced41c4ba44fce35a0c64f9 |
| SHA1 | 7297cdac307f5158b04b77b74c08edf19e1133b1 |
| SHA256 | 229efee2382eda0d70444ce800fba135f5a97590273490e93b70df7d6af15412 |
| SHA512 | 7a9ddbcdd9ad479a8f15fc4a75281257ac07a6c5df03da1dbab6a7eb2cdcc46c559c6b2e507c76c326ad24eab9a95c22fdfa5c8d47fafe13033cd97b6e16c30b |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | f91b2dca6439425c2cbc210698b9c449 |
| SHA1 | e3877ec3a070b4dd248b49dbd05af3f3a2e09016 |
| SHA256 | a3b57dff8a8be34716fecd03099d8af0eb3cb68ff07a414fd8fdce502a75abce |
| SHA512 | 2af1deba4116333443e2575428dd001dfefde2e80d53f3918cacf4f319e321b91f612a3ad0f13a1906459f0603997f21e203beefe8ab79e4b6e778269cbf7e5c |
C:\IntelprocET\xdobsys.exe
| MD5 | 8e21a7330817d440633a83e76002c67d |
| SHA1 | a124d9500f902bbb0a5ef5c465d532ae642333d8 |
| SHA256 | f41964f777ebb70643ff2183cd208d5d4ae364621caadd9631d0fdf9d250ead7 |
| SHA512 | f032285ad9bdf6eb78cc5df7ac795b9f27dfe07473246ade5e5983d5cd02af19d7a203c6521b99952a85055603d7ad48845559c53253fb777f8de013d528b788 |
C:\Vid0V\dobxec.exe
| MD5 | a3300ee6b9cc72a8cc2ab5fcab44ee0f |
| SHA1 | 4ac76e0765e3331d871860d93d63b9d7b75137e2 |
| SHA256 | 4858e5713b5eb4d70f6c3c02ecc979254199a19f2cc2189cd700f41bd7ef5794 |
| SHA512 | f28c91719702d051db613a55dadafd5e5d760f950a100a0b382bf52ad16653894e3faef34e881e9f1d20ab6fdee4e9666bec28c7b3620e4195a2db9f1a2b9e33 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | e75f2b5c4bbf0ec2dc65177cbd0e7591 |
| SHA1 | 539533ad6606ec281eb7ae2a1ed7409d05fcb668 |
| SHA256 | 2eaa548b8599e7b31f6d6ac22f3907df3aa681142cb2e96a21dcf257e9488f3c |
| SHA512 | 13491af895687aa18be519a9ac004bc0ab842879d295c5221beaf05f4fc9eead531c555e517dd7dcc955098793678b3d8dac130bd0a61750624caca9fcdccd97 |
C:\Vid0V\dobxec.exe
| MD5 | 840c6c13dec0f435f4628033af428dbb |
| SHA1 | 911f8e100309dc5d06ce1e8f68ffbc2aa3c8b420 |
| SHA256 | c46db80b55940b27b22e8905fa444af023c346304a2c349fd982d4442a398ad0 |
| SHA512 | 25b4e65757aa4cd937bceb9856c43fe8d82d0af9fc220e3f90a1a74d3629206e0f189c6c417eb2a78b294f61f7e8ceee589a99c7c8eb619d437bffe79f95c157 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 13:49
Reported
2024-11-13 13:51
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | C:\Users\Admin\AppData\Local\Temp\04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| N/A | N/A | C:\FilesCJ\xoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesCJ\\xoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintUD\\optiaec.exe" | C:\Users\Admin\AppData\Local\Temp\04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesCJ\xoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
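Both detonations randomise every file and directory name (locxopti.exe, xdobsys.exe and dobxec.exe on Windows 7; ecxbod.exe, xoptiloc.exe and optiaec.exe on Windows 10) but keep the same shape: a value named Parametr under the user's Run and RunOnce keys pointing at an EXE one level below the drive root, plus an EXE dropped into the user's Startup folder. The Python below, an added example that is not part of the sandbox report or its tooling, turns that shape into hunting checks and runs them over events constructed from the report's own Indicator strings plus two invented benign controls. The Event/Finding record layout and the rule names are assumptions.

```python
"""Hunting checks for the persistence pattern seen in both detonations above.

Added example, not part of the sandbox report or its tooling. The Event/Finding
records and rule names are assumptions; SAMPLE_EVENTS are constructed from the
report's own Indicator strings, BENIGN_EVENTS are invented controls.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Only the key tail is matched: hive prefix and user SID differ per host.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.IGNORECASE)
# An EXE in the per-user Startup folder runs at every logon.
STARTUP_EXE_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.IGNORECASE)
# An EXE directly under a fresh top-level directory (C:\IntelprocET\xdobsys.exe),
# excluding the roots where legitimate autoruns live.
ODD_ROOT_EXE_RE = re.compile(
    r"^[A-Za-z]:\\(?!Windows\\|Program Files\\|Program Files \(x86\)\\|Users\\|ProgramData\\)"
    r"[^\\]+\\[^\\]+\.exe$",
    re.IGNORECASE,
)
# The one string the sample did not randomise between the Windows 7 and 10 runs.
KNOWN_VALUE_NAMES = {"parametr"}


@dataclass
class Event:
    kind: str     # "reg_set" or "file_create"
    target: str   # reg_set: indicator as printed ('<key>\<value> = "<data>"'); file_create: path
    process: str  # image that performed the action


@dataclass
class Finding:
    rule: str
    process: str
    detail: str


def parse_reg_indicator(indicator: str) -> Tuple[str, str, str]:
    """Split '<key>\\<value> = "<data>"' into (key, value_name, data)."""
    path, _, data = indicator.partition(" = ")
    key, _, value_name = path.rpartition("\\")
    return key, value_name, data


def image_from_data(data: str) -> str:
    """Recover the executable path from Run-key data as the report prints it:
    quoted, backslashes doubled, optional trailing arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        image = data[1:end] if end > 0 else data[1:]
    else:
        image = data.split(" ", 1)[0]
    return image.replace("\\\\", "\\")


def evaluate(events: List[Event]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        if ev.kind == "reg_set":
            key, name, data = parse_reg_indicator(ev.target)
            if not RUN_KEY_RE.search(key):
                continue
            image = image_from_data(data)
            if name.lower() in KNOWN_VALUE_NAMES:
                findings.append(Finding("run_key_value_parametr", ev.process, f"{name} = {image}"))
            if ODD_ROOT_EXE_RE.match(image):
                findings.append(Finding("run_key_odd_root_image", ev.process, image))
        elif ev.kind == "file_create" and STARTUP_EXE_RE.search(ev.target):
            findings.append(Finding("startup_folder_exe", ev.process, ev.target))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(f.rule for f in findings))


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe"
SID7 = r"\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000"
SID10 = r"\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed from the Indicator column of behavioral1 (win7) and behavioral2 (win10).
SAMPLE_EVENTS = [
    Event("reg_set", SID7 + r'\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocET\\xdobsys.exe"', SAMPLE),
    Event("reg_set", SID7 + r'\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid0V\\dobxec.exe"', SAMPLE),
    Event("file_create", STARTUP + r"\locxopti.exe", SAMPLE),
    Event("reg_set", SID10 + r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesCJ\\xoptiloc.exe"', SAMPLE),
    Event("reg_set", SID10 + r'\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintUD\\optiaec.exe"', SAMPLE),
    Event("file_create", STARTUP + r"\ecxbod.exe", SAMPLE),
]

# Invented benign controls (not from the report): a normal per-user autorun and a non-EXE Startup item.
BENIGN_EVENTS = [
    Event("reg_set", SID10 + r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
          r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    Event("file_create", STARTUP + r"\desktop.ini", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS + BENIGN_EVENTS):
        print(f"{f.rule:24} {f.process}\n{'':24} {f.detail}")
    print(summarize(evaluate(SAMPLE_EVENTS)))
```

Run as-is it reports ten findings for the six report-derived events (both registry rules fire on each of the four Run/RunOnce writes, the Startup rule on both dropped EXEs) and nothing for the two controls. The value-name check is the tightest signal but is specific to this sample; the odd-root-image and Startup-folder checks are generic and will need allow-listing in an environment where installers legitimately create top-level directories.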
Processes
C:\Users\Admin\AppData\Local\Temp\04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe
"C:\Users\Admin\AppData\Local\Temp\04182781c7e3e25d7d7476f6a47b46c00bf89c2d498434a87f5de8d39d75ae96.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
C:\FilesCJ\xoptiloc.exe
C:\FilesCJ\xoptiloc.exe
Network
All recorded traffic is reverse (PTR) lookups sent to 8.8.8.8; the queried names decode to 8.8.8.8, 13.71.55.58, 2.23.210.83, 192.229.221.95, 20.49.150.241, 20.12.23.50, 40.69.42.241, 199.232.214.172, 2.23.210.101 and 52.111.229.19. No forward lookups and no connections other than DNS appear in the report, so these addresses should not be treated as C2 indicators without further evidence.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
| MD5 | 906ca7fc9e6ab036b73f04e0f181c471 |
| SHA1 | a00147087799bfd674a0d58b09313f9f719757c3 |
| SHA256 | b39277964262f9cad8ddd384dce50241eb366db4fe897de8f1d71b7c000c53da |
| SHA512 | eb8527e59cd3c45017479a6480a9101ea77917f770e9135b79c121674d8a6e86e52540b20d5ed4c13a074c0a4777d685d99ef5ad192f16b7ff10897a7cdfe0eb |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 63db966d4e80a7e95d88748185d0e591 |
| SHA1 | f081de391d73530187ca2c59dd9cdca7cae9d2b8 |
| SHA256 | 9b7b5f1fc32ad998d4c8a02638e1b1c2bf8244167cabb0cedddb540f60d02fe5 |
| SHA512 | 5b7950c410d76c11c90c9752d77732f80b30e2616caf55b8fd1a56ecef33b1524e3aa9db7e04d16f2551568b63ab1bb63dcc97f99c6e7c5da6aed9c485d6affb |
C:\FilesCJ\xoptiloc.exe
| MD5 | cd38ea1425038fb4a83295e22068627f |
| SHA1 | c8ada64f61bbc8109a200c402bcf2ae904d1afa9 |
| SHA256 | 0379adcbe3ec8c50c84781d6b9a23b7d41abcce66142788f269f51adfb5f76e5 |
| SHA512 | bd00206c4f9f815c18f312c189dcaf1eb3dc5aa31a3c4fd580030bcfa40c9941224b7620e278b1cb983b4bbb55a79280c63f97ef1dd0deffa6b4f51be8482442 |
C:\MintUD\optiaec.exe
| MD5 | 19e188be67d20cc28e25fbf358eb206e |
| SHA1 | a2ac27bbd71aed8ca528bddd266cfdbdd7d30b25 |
| SHA256 | 0e64784bfca21e66ddc21a753f9f5d5e078adaf3969892b7b6c12dd0280719f7 |
| SHA512 | c3518eb111453bbca6491e46b6f54e415a9ea319a0af7bf79513545173505d4b3470a544017437c3a43bf8e5dea7cd597c7d97a2d9d46eb31de3631185033aca |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 8f1748ff3cae61593467212356bc1610 |
| SHA1 | a40e46831839ebc87b58e00d063103b76223b7ee |
| SHA256 | 7d8997ddb4a0b3e44d24217d4d5cd6df092fc6401b4169b4b3c4bba3e92daee0 |
| SHA512 | f026183f303d29f7b45993c9a9167f8ca7349e21197bbedefd0cc913517c2cdc1cc90298698f89865970114dc37d14b5b92408505c4ad5d3c7e1308664433c5d |
C:\MintUD\optiaec.exe
| MD5 | cb4089b36c9a32dc5ba4b0ac72b14f64 |
| SHA1 | 51d577671c09042ccf27bff1ca9ef8ac13333ec2 |
| SHA256 | 37f6dcb1771ce9f40e48ee83e3e1246ff946aa5f4f2d99ae5908810d661862f5 |
| SHA512 | bd32229f8bf03d4fbb5b8be58fbaeba120ce6a06cfb59953526dbdff7673330e7c79f6ae909e34096cd63f065193b3670815b8759a5b00d96be0d9c5cf3e5963 |