Analysis Overview
SHA256
f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680
Threat Level: Shows suspicious behavior
Verdict for file f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680: shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:34
Reported
2024-06-03 05:37
Platform
win7-20240419-en
Max time kernel
149s
Max time network
123s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | C:\Users\Admin\AppData\Local\Temp\f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| N/A | N/A | C:\UserDot0L\xoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot0L\\xoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxEJ\\optixec.exe" | C:\Users\Admin\AppData\Local\Temp\f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe
"C:\Users\Admin\AppData\Local\Temp\f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
C:\UserDot0L\xoptisys.exe
C:\UserDot0L\xoptisys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\UserDot0L\xoptisys.exe
C:\GalaxEJ\optixec.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\GalaxEJ\optixec.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:34
Reported
2024-06-03 05:37
Platform
win10v2004-20240226-en
Max time kernel
153s
Max time network
160s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | C:\Users\Admin\AppData\Local\Temp\f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| N/A | N/A | C:\AdobeLQ\devdobec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeLQ\\devdobec.exe" | C:\Users\Admin\AppData\Local\Temp\f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax3P\\boddevsys.exe" | C:\Users\Admin\AppData\Local\Temp\f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe
"C:\Users\Admin\AppData\Local\Temp\f50a91a39c5aeaba83559ee22bc96c3a5748b0e3b15a8fcdafeb6012bd068680.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
C:\AdobeLQ\devdobec.exe
C:\AdobeLQ\devdobec.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\AdobeLQ\devdobec.exe
C:\AdobeLQ\devdobec.exe
C:\Galax3P\boddevsys.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\Galax3P\boddevsys.exe