Analysis Overview
SHA256
670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b
Threat Level: Shows suspicious behavior
The file 670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-06-03 22:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-03 22:30
Reported: 2024-06-03 22:33
Platform: win7-20240221-en
Max time kernel: 150s
Max time network: 126s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Files2Z\devdobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files2Z\\devdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintCY\\optidevec.exe" | C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2336 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe | C:\Files2Z\devdobloc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe
"C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe"
C:\Files2Z\devdobloc.exe
C:\Files2Z\devdobloc.exe
Network
Files
\Files2Z\devdobloc.exe
| MD5 | d882df19ee641e018ef14140f76b4b8c |
| SHA1 | 26605a05f72c5eb2fe6c4ea17f38a79ddcc5c977 |
| SHA256 | 2fdf388b0416b6e5c27560d4f75934991794c0a5e3931d906b5535d8ed5cc429 |
| SHA512 | addad9a18ebba0a618c3a4883d6ac0083622c6879e7dd42198c9e0687d7b622be2b3c28c68f74808f893ffd6e2b569e0db1e5effbd68bdc582c0d705bb1a65de |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 384b1ea5852efea73c6cfac4f27aee40 |
| SHA1 | 2227b5efb838fb563a8d3a6d1fe146e3b637a94d |
| SHA256 | b71de1189c4897af7bd2f4f3bb32ce3fad005333b43875560722fd141e2e02b3 |
| SHA512 | dc24d5f81c0e8f5530ac80bb83f2143a7113bed9b78f3ada0f7e810e44ef9fc621415da656846f655aeb71dcf439f7c6e98833853c266d720b459fc98af33775 |
C:\MintCY\optidevec.exe
| MD5 | f049f316d1dcca60f5682a3c1fad11ad |
| SHA1 | 2cc5209b28e53e0d97c2aa2540904a5db8d9a772 |
| SHA256 | 29d9202c78612e74cb2b5016b22ff110d526a03ac7a3aca362e1fbc52bbf30e8 |
| SHA512 | 333d8c63373946edfc76e8f9f4d1afcc993a45431e287816a4f1a0aa03880ace89972633c8d8665ab55880714064d30cc574d4c300369096dfbf74f671bc68f0 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-03 22:30
Reported: 2024-06-03 22:33
Platform: win10v2004-20240426-en
Max time kernel: 149s
Max time network: 99s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\IntelprocEC\devoptisys.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocEC\\devoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBIO\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3516 wrote to memory of 4280 | N/A | C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe | C:\IntelprocEC\devoptisys.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe
"C:\Users\Admin\AppData\Local\Temp\670bc6661add51a8397a563dabf37b3056037b073d473bba1fae68cf2a71573b.exe"
C:\IntelprocEC\devoptisys.exe
C:\IntelprocEC\devoptisys.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
Files
C:\IntelprocEC\devoptisys.exe
| MD5 | 5fa72fe32f0be437655fffee64838455 |
| SHA1 | 3f03c8aaa1c5ac0be8826aa278271bff79c3e172 |
| SHA256 | 60e934f686d8b8ff0f5c7eceeec403f728d37bd9b5792688339e8fa5ae3178b4 |
| SHA512 | 26175dd09d90e7e7cb2f75ef3005837a1a9f05190941ebd44cdc2fa6359ac742a04b03f5ddc99407dc40945a83ed4eb9801870a435a5cb4dc1a46bbab62097b7 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | a92ae43874333706f747bf37b1d498d9 |
| SHA1 | d395d6322a82b664660b8290e9ce74a5c42664ad |
| SHA256 | 97486733c57012455ed6dcaf1355eb2cb8bb41c919af5d74b19419c12a500d01 |
| SHA512 | 2f4698873aa2153aaf8d7dacb8217f3399c09c051068e3c42cb1f7b63eae055b00a9e2ce6454114780983b2006b6993ebf091f1934d0d579207b5d88c118ce2b |
C:\KaVBIO\dobdevloc.exe
| MD5 | 5804b7d4cdc77efbb29a02ff5f1d4887 |
| SHA1 | 4927e58787f6319b41c344ce1cb31d66b5e9859d |
| SHA256 | 384a0498d57307191ff93a4e535a4f406e3b29d213816ee8fa44fbb4dd485705 |
| SHA512 | 24e5fdf0e4111bf4915294e30c37414a73b3475e88a7f512246c7a692afb2f552c6d850e7d6806eea3fb96db7d41ea29bd2defee2f255a19d73a99c89d61c7e6 |