Analysis Overview
SHA256
0c2bbbc3c57d46c727ecc5b44f139ae8c97ca5fece61b46d9ceb9f57a7cca742
Threat Level: Shows suspicious behavior
The file 0c2bbbc3c57d46c727ecc5b44f139ae8c97ca5fece61b46d9ceb9f57a7cca742.exe was classified as "Shows suspicious behavior" (not a definitive malicious verdict): it persists via the user's Startup folder and Run/RunOnce keys, launches the executables it drops, and reads browser profile data.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 14:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 14:50
Reported
2024-11-13 14:52
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | C:\Users\Admin\AppData\Local\Temp\0c2bbbc3c57d46c727ecc5b44f139ae8c97ca5fece61b46d9ceb9f57a7cca742.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| N/A | N/A | C:\Adobe6W\devbodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0c2bbbc3c57d46c727ecc5b44f139ae8c97ca5fece61b46d9ceb9f57a7cca742.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0c2bbbc3c57d46c727ecc5b44f139ae8c97ca5fece61b46d9ceb9f57a7cca742.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe6W\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\0c2bbbc3c57d46c727ecc5b44f139ae8c97ca5fece61b46d9ceb9f57a7cca742.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB8J\\bodasys.exe" | C:\Users\Admin\AppData\Local\Temp\0c2bbbc3c57d46c727ecc5b44f139ae8c97ca5fece61b46d9ceb9f57a7cca742.exe | N/A |
System Location Discovery: System Language Discovery
Opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language is how a program reads the installed system language. Malware commonly does this to skip execution on particular locales, but legitimate software reads the same key, so on its own it is a weak indicator; it is listed here because all three executables in the chain perform the check.
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0c2bbbc3c57d46c727ecc5b44f139ae8c97ca5fece61b46d9ceb9f57a7cca742.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Adobe6W\devbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0c2bbbc3c57d46c727ecc5b44f139ae8c97ca5fece61b46d9ceb9f57a7cca742.exe
"C:\Users\Admin\AppData\Local\Temp\0c2bbbc3c57d46c727ecc5b44f139ae8c97ca5fece61b46d9ceb9f57a7cca742.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
C:\Adobe6W\devbodec.exe
C:\Adobe6W\devbodec.exe
Network
No network activity was recorded for this run.
Files
A path that appears twice below was written more than once during the run; each entry records the hashes of one version. The drop directories, file names and hashes differ between the two detonations on this page (for example C:\Adobe6W\devbodec.exe here versus C:\Intelproc6Y\xoptiloc.exe on Windows 10), so treat them as run-specific. The indicators common to both runs are the .exe dropped into the Startup folder and the Run and RunOnce value name Parametr.
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
| MD5 | 9b0b9267a02c96a2d59d57b739e2e026 |
| SHA1 | 3c98524a92617f4c0075b5fa8dac3acbe87ae641 |
| SHA256 | 93dfd3a0a5a0d523ae211d160f487381f35e889bdb2b62ea4b9d714846a80107 |
| SHA512 | 45efd5da9ffd0d7a7d82f67311cb9b560a94663fdf49b65aa7540283fe0662d1019553880691d6755378c2284aa48d69a23067ce8907cec467a28adb2dd6ddf9 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | b4456c91de488e7ba672616410e01704 |
| SHA1 | 6b8ee6e921ca8a3a07afd6d48c4c4b3cde1198b6 |
| SHA256 | 0b5adaff4657f8a50c47f625a36a8bcb0b9d2697bbc784149a8d61f4b57a80a5 |
| SHA512 | a25dd7decbe3a8e3e2f118c953ed5a0a5abf370ff9e0d306805d9a703162f962c2d255bbb781b89c26261cbbbd79d419550049f2bdda0cae78896369e2eec92d |
C:\Adobe6W\devbodec.exe
| MD5 | 84f4c4a0f9b2a3a9a81f79358b7787c9 |
| SHA1 | 98a0ce95c5adefd25a025ec2802da017e0f21f2b |
| SHA256 | 97e28b222161c25171929312a6ced3d9e8e0c76652320aef597adc697aad3c6c |
| SHA512 | e55eb5ea74b1150cf82dc2c0d38f47044888c1bfbc1c4be94fb54f23330021a0207de870d29a43201ba7e2ee14de34db1e4d6f681572552626df6b20164dce1b |
C:\KaVB8J\bodasys.exe
| MD5 | 26f4ff1f3ca3fc2bfe28b114530b0ef9 |
| SHA1 | d81a4c8c48e44490a27dd36e10dee9bbd440798c |
| SHA256 | fef1811cd4bdb6021f1c33760fa5aebbcf0922d77e145d5a9b82031a5018c324 |
| SHA512 | 20ebd6b8c1256103f89fa6525873b91234efd4d83ecce9da606c897de368489ad21e42e8c231483bdc190f44b7702cea283ab3d957505772b6bf9d1529a48893 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | aab944a181288aaa44f877861c303d8a |
| SHA1 | 1dfec6240d1f2aa919dedf84b359009ca3f2d88c |
| SHA256 | 175d016724a6aca2c04ee4db06a05139a60bc81d0960e049f6fffe1cb712794b |
| SHA512 | 29c5a22d35b74fc762263f37ce2511c81369a76b112ab02e4b83f026e1ee05928d1b8fd7ed726fef40fd327cc74f9bb9838a767918d93af3263984f5d8b27abe |
C:\KaVB8J\bodasys.exe
| MD5 | b89066b664e1bcaf48440629f62e1196 |
| SHA1 | c53a80a80b8c0e651574958d04b006e21b5f6592 |
| SHA256 | 5dde44e5cf22086c26a23c6ce0cc49f35c6e8f1280c1ed8ec4d5cda7ee95cedc |
| SHA512 | 84d342bc2916c6cd7e19264d24240e987d711b2514ae2d87b625e8f8311ecd7b68fbe511890a1dbc0b05b2daab8075c2078ae405ba25315360f9dec971fa653f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 14:50
Reported
2024-11-13 14:52
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
96s
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\0c2bbbc3c57d46c727ecc5b44f139ae8c97ca5fece61b46d9ceb9f57a7cca742.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\Intelproc6Y\xoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc6Y\\xoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\0c2bbbc3c57d46c727ecc5b44f139ae8c97ca5fece61b46d9ceb9f57a7cca742.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZQK\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\0c2bbbc3c57d46c727ecc5b44f139ae8c97ca5fece61b46d9ceb9f57a7cca742.exe | N/A |
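The persistence pattern recorded in the "Drops startup file" and "Adds Run key to start application" tables of both detonations (an .exe written to the user's Startup folder, and Run/RunOnce values under HKU pointing at a freshly created top-level directory) is what a detection engineer would turn into a rule. The following Python is an added example, not part of the sandbox report: it runs that logic over constructed Sysmon-style events (Event ID 11 FileCreate, Event ID 13 RegistryEvent) whose indicator values are copied from the tables above. Assumptions: the event field names follow Sysmon's (Image, TargetObject, Details, TargetFilename), the value name Parametr is treated as a known indicator because both runs use it, and the "trusted" directory list is a starting point to tune, not a complete allowlist.

```python
"""Detection logic for the persistence pattern recorded above: a Run/RunOnce
value under HKU pointing at a non-standard directory, plus an .exe dropped
into the user's Startup folder. Runs over constructed Sysmon-style events
(Event ID 11 = FileCreate, Event ID 13 = RegistryEvent/SetValue); only the
fields the rule needs are kept. The sample events are made up for this
example and mirror the report's indicators; they are not sandbox output."""

AUTORUN_KEYS = (
    "\\software\\microsoft\\windows\\currentversion\\run\\",
    "\\software\\microsoft\\windows\\currentversion\\runonce\\",
)
STARTUP_MARKER = "\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\"
# Directories a legitimately installed autorun normally launches from (tune per estate).
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# Value name used in both detonations on this page (assumption: stable across samples).
KNOWN_VALUE_NAMES = {"parametr"}
# Reasons that justify an alert on their own; a bare autorun write is only context.
ALERT_REASONS = {"autorun_outside_trusted_dirs", "startup_folder_exe_drop", "known_value_name"}


def exe_from_details(details: str) -> str:
    """Reduce a Run value's data to the executable path.

    Accepts the report's rendering ("C:\\\\Adobe6W\\\\devbodec.exe", quoted with
    doubled backslashes) and raw Sysmon data (C:\\Dir\\tool.exe /arg)."""
    d = details.strip().replace("\\\\", "\\")
    if d.startswith('"'):
        return d[1:].split('"', 1)[0]          # quoted: path ends at the closing quote
    i = d.lower().find(".exe")
    return d[: i + 4] if i >= 0 else d.split(" ", 1)[0]   # unquoted: cut after .exe


def classify_registry(event: dict) -> list:
    """Reasons for a registry SetValue event; empty if it is not an autorun key."""
    target = event["TargetObject"].lower()
    if not any(k in target for k in AUTORUN_KEYS):
        return []
    reasons = ["autorun_value_set"]
    if not exe_from_details(event["Details"]).lower().startswith(TRUSTED_PREFIXES):
        reasons.append("autorun_outside_trusted_dirs")
    if target.rsplit("\\", 1)[-1] in KNOWN_VALUE_NAMES:
        reasons.append("known_value_name")
    return reasons


def classify_file(event: dict) -> list:
    """Reasons for a FileCreate event; only Startup-folder executables matter here."""
    name = event["TargetFilename"].lower()
    return ["startup_folder_exe_drop"] if STARTUP_MARKER in name and name.endswith(".exe") else []


def detect(events) -> list:
    """One finding per event that touches an autorun location."""
    findings = []
    for ev in events:
        if ev["EventID"] == 13:
            reasons, indicator = classify_registry(ev), ev["TargetObject"]
        elif ev["EventID"] == 11:
            reasons, indicator = classify_file(ev), ev["TargetFilename"]
        else:
            reasons, indicator = [], None
        if reasons:
            findings.append({"image": ev["Image"], "indicator": indicator, "reasons": reasons})
    return findings


def alerts(events) -> list:
    """Findings worth acting on: drop those that only say an autorun value was set."""
    return [f for f in detect(events) if ALERT_REASONS & set(f["reasons"])]


SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0c2bbbc3c57d46c727ecc5b44f139ae8c97ca5fece61b46d9ceb9f57a7cca742.exe"
HKU = "\\REGISTRY\\USER\\S-1-5-21-1846800975-3917212583-2893086201-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\"
STARTUP = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"

SAMPLE_EVENTS = [  # constructed for this example; indicator values taken from the report tables
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": STARTUP + "locdevopti.exe"},
    {"EventID": 13, "Image": SAMPLE, "TargetObject": HKU + "Run\\Parametr",
     "Details": '"C:\\\\Adobe6W\\\\devbodec.exe"'},
    {"EventID": 13, "Image": SAMPLE, "TargetObject": HKU + "RunOnce\\Parametr",
     "Details": '"C:\\\\KaVB8J\\\\bodasys.exe"'},
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": STARTUP + "sysaopti.exe"},
    # Benign control cases (made up): an installer registering a Program Files autorun
    # with an unquoted path plus argument, and an ordinary temp file.
    {"EventID": 13, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": HKU + "Run\\ExampleUpdater",
     "Details": "C:\\Program Files\\Example\\updater.exe /silent"},
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": "C:\\Users\\Admin\\AppData\\Local\\Temp\\setup.log"},
]

if __name__ == "__main__":
    for f in alerts(SAMPLE_EVENTS):
        print(f["image"].rsplit("\\", 1)[-1], "->", f["indicator"], f["reasons"])
```

The benign Run entry still appears in detect() output but not in alerts(), which is the point of separating "an autorun value was set" from the reasons that actually warrant attention: on real endpoints, installers write Run values constantly, and the signal in this report is the combination of a Startup-folder executable, a target directory outside Program Files or Windows, and a reused value name.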
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0c2bbbc3c57d46c727ecc5b44f139ae8c97ca5fece61b46d9ceb9f57a7cca742.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Intelproc6Y\xoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0c2bbbc3c57d46c727ecc5b44f139ae8c97ca5fece61b46d9ceb9f57a7cca742.exe
"C:\Users\Admin\AppData\Local\Temp\0c2bbbc3c57d46c727ecc5b44f139ae8c97ca5fece61b46d9ceb9f57a7cca742.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
C:\Intelproc6Y\xoptiloc.exe
C:\Intelproc6Y\xoptiloc.exe
Network
Every entry below is a reverse-DNS (PTR) lookup sent to 8.8.8.8:53; no connection to any host other than the resolver was recorded. Lookups of this kind are typical background traffic from a Windows 10 sandbox host and should not be read as command-and-control activity without further evidence.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
| MD5 | 983350dea92c6e0b6198506475023c05 |
| SHA1 | ecec9380834775c362a90efedd1285c978bda9d6 |
| SHA256 | 072d8d1c6e3056c0d170cf05a972d04e27e7ca92c8ac95ab9ade315096ce41bd |
| SHA512 | 0aa41c1de890abee30255d236bfb2594033aa1daefac9d26e38de9fcd5ed23828398d79ad6c3dd3aab5015fd36c0436d1072eb03554457cc8f2fcf2ba30e9b56 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 9b9da5991f68ce879aab33c91e3ed676 |
| SHA1 | 290ed55f7b65ba5bdbc1d9c778d0e9062c0f2a34 |
| SHA256 | ab3bd087fec7551afef258c923f95f2db59ea9f9a39b5f713b1b2a3a2092eb4e |
| SHA512 | 32d233ef65043207b10d7cc89969c27ccd06faa8e3ef10963188bb7ba199c3848a6ee6e955b34e9a8ac728560070ebdd0404e7012287bf6c4bf693db1c03548d |
C:\Intelproc6Y\xoptiloc.exe
| MD5 | a814503617243dd84beb8b6cc58f68fd |
| SHA1 | 9e9f78d2248ed1c065983320e324759f76b64af3 |
| SHA256 | 8e8152a796bbf48caaab5b209981053a504e52100ab0ed37bf85729c5fc04a52 |
| SHA512 | cc93eff5c258b81bc83c51d692ac405d613a41873b81758b21f4d1b52e51b23f6e71a612e8f3d7191ed52ea9e46d8bcd1d0ff88a8582d60b124ab129b284d784 |
C:\LabZQK\bodxloc.exe
| MD5 | dca5e23338140c860cef1003e17bbe15 |
| SHA1 | 6d37caa33d3cdf19c0127e1dfa64b9295ee21d65 |
| SHA256 | f77581c9f1c1216a96f265be99198e31a0189d5693d73f04d207cf08ad46859c |
| SHA512 | e60c60140ed00d396ac2fa89d38cc3d9d3789ad707e4a7684ce644685f6d403b0d95d0110975e4c2407656fcaa0f44fdaca138589c565be7e374d4e1b8d009ae |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | be43caed81e77a04905770d1c9cb2d8c |
| SHA1 | 2b971fc541e031386ee289b143f5c962124dcc4c |
| SHA256 | b233dbac69bdeb9c747161490d22ce43d2c50d77fa21b1c625b3729ee8c23f31 |
| SHA512 | 944b45ae5bcfc76813eef8bd213dbedaca8f23a64a3747f6e59253abe4804fbaa38e860309156fa19a59f2d992abccf6115595e88f1b4b3d58f3c8ee76c6b983 |
C:\LabZQK\bodxloc.exe
| MD5 | f0934597825065837c347db37e2c00f2 |
| SHA1 | 3d8ada379f58ecf12195564fc028af6e29261edc |
| SHA256 | 54d3351f7f7154c148ca64beae98e33eddc233795587de0fd3b6b0039daaca20 |
| SHA512 | 52fcea1a3c8bf272bd78e88b1d7a5e050c64abca76d6ff46390decd4493c36b818bd3bf6f0a2a0634e5779af447d72bdc3706b894e90a66dacbd81b190ade2a2 |