Analysis Overview
SHA256
ec7f73563d36f1bd9ee1e717fe90a6b75d4219cde3c0cc6b99a2642c693caa6b
Threat Level: Shows suspicious behavior
The file ec7f73563d36f1bd9ee1e717fe90a6b75d4219cde3c0cc6b99a2642c693caa6b was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:13
Reported
2024-06-03 05:15
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
101s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\SysDrvHS\devdobec.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidGZ\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\ec7f73563d36f1bd9ee1e717fe90a6b75d4219cde3c0cc6b99a2642c693caa6b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvHS\\devdobec.exe" | C:\Users\Admin\AppData\Local\Temp\ec7f73563d36f1bd9ee1e717fe90a6b75d4219cde3c0cc6b99a2642c693caa6b.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1968 wrote to memory of 4396 | N/A | C:\Users\Admin\AppData\Local\Temp\ec7f73563d36f1bd9ee1e717fe90a6b75d4219cde3c0cc6b99a2642c693caa6b.exe | C:\SysDrvHS\devdobec.exe |
| PID 1968 wrote to memory of 4396 | N/A | C:\Users\Admin\AppData\Local\Temp\ec7f73563d36f1bd9ee1e717fe90a6b75d4219cde3c0cc6b99a2642c693caa6b.exe | C:\SysDrvHS\devdobec.exe |
| PID 1968 wrote to memory of 4396 | N/A | C:\Users\Admin\AppData\Local\Temp\ec7f73563d36f1bd9ee1e717fe90a6b75d4219cde3c0cc6b99a2642c693caa6b.exe | C:\SysDrvHS\devdobec.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ec7f73563d36f1bd9ee1e717fe90a6b75d4219cde3c0cc6b99a2642c693caa6b.exe
"C:\Users\Admin\AppData\Local\Temp\ec7f73563d36f1bd9ee1e717fe90a6b75d4219cde3c0cc6b99a2642c693caa6b.exe"
C:\SysDrvHS\devdobec.exe
C:\SysDrvHS\devdobec.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
Files
C:\SysDrvHS\devdobec.exe
| Hash | Value |
|---|---|
| MD5 | f74389575c4eed1c471a17841b51ad31 |
| SHA1 | ee467886bfa460514ceaadd33e72051b1058e5a0 |
| SHA256 | dba1437593c1fd22de36778d883a737b2e84a9951f04589feaaf229ef401dd19 |
| SHA512 | 53d7f9b05188afbc3c82f2e4b339dcf60b39dda9bfa85cb30e52e7aa8df6649fca5e9b8cf8bad0821075e95aa6b024c8698df0272b4eaaba72bb7da91544038b |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | b21e278ea1ba78aea980ffac5f8ffa9e |
| SHA1 | 299369214c54889198ccf4a6a5c72b4f1811013f |
| SHA256 | 6c733dbafb0d5be7ef30bcce726fe85250607793e9af5bbc6ba4a3ec74e1a4ba |
| SHA512 | 94117ae44b15f4dc1d04fe43fa065eb2ee452f69d05190be83ba208f460560a2e6c3328469eb22faa55c2a9d335934e638d256abc2e96be03b10b566da3f36ed |
C:\VidGZ\dobdevec.exe
| Hash | Value |
|---|---|
| MD5 | 9f61b04e3af530bf9f20f0e915752159 |
| SHA1 | f64fdcb33ca322cea86607e49a769122e9c984a7 |
| SHA256 | e1020fd9c8cd38e2548141fd3131bc58c5332d84cd6bdb0aeeb814a382581c4b |
| SHA512 | 4a01b24e965bd70c101ac9780aa82cb91cd31daef98cfd498a65373a6da3324ff6fcf539d57777528e291781cd83c7bd8e9704ff6c5c567c5e390285c5103e7c |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:13
Reported
2024-06-03 05:15
Platform
win7-20240221-en
Max time kernel
150s
Max time network
123s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\UserDotBD\aoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ec7f73563d36f1bd9ee1e717fe90a6b75d4219cde3c0cc6b99a2642c693caa6b.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotBD\\aoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\ec7f73563d36f1bd9ee1e717fe90a6b75d4219cde3c0cc6b99a2642c693caa6b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB4T\\optiaec.exe" | C:\Users\Admin\AppData\Local\Temp\ec7f73563d36f1bd9ee1e717fe90a6b75d4219cde3c0cc6b99a2642c693caa6b.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2032 wrote to memory of 1164 | N/A | C:\Users\Admin\AppData\Local\Temp\ec7f73563d36f1bd9ee1e717fe90a6b75d4219cde3c0cc6b99a2642c693caa6b.exe | C:\UserDotBD\aoptiec.exe |
| PID 2032 wrote to memory of 1164 | N/A | C:\Users\Admin\AppData\Local\Temp\ec7f73563d36f1bd9ee1e717fe90a6b75d4219cde3c0cc6b99a2642c693caa6b.exe | C:\UserDotBD\aoptiec.exe |
| PID 2032 wrote to memory of 1164 | N/A | C:\Users\Admin\AppData\Local\Temp\ec7f73563d36f1bd9ee1e717fe90a6b75d4219cde3c0cc6b99a2642c693caa6b.exe | C:\UserDotBD\aoptiec.exe |
| PID 2032 wrote to memory of 1164 | N/A | C:\Users\Admin\AppData\Local\Temp\ec7f73563d36f1bd9ee1e717fe90a6b75d4219cde3c0cc6b99a2642c693caa6b.exe | C:\UserDotBD\aoptiec.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ec7f73563d36f1bd9ee1e717fe90a6b75d4219cde3c0cc6b99a2642c693caa6b.exe
"C:\Users\Admin\AppData\Local\Temp\ec7f73563d36f1bd9ee1e717fe90a6b75d4219cde3c0cc6b99a2642c693caa6b.exe"
C:\UserDotBD\aoptiec.exe
C:\UserDotBD\aoptiec.exe
Network
Files
\UserDotBD\aoptiec.exe
| Hash | Value |
|---|---|
| MD5 | e9d4f6ab723396cd1de8732ebe114d40 |
| SHA1 | 28025369a72a7696942997d349e5b774c994e983 |
| SHA256 | 7d9c66c618f871d3624c4f4123173fe1f7ad2e138efca501afeef3a432d00ab9 |
| SHA512 | 09e472b7a665e17cced5a4b74ac6413fd497d8964df1d0a8c89675f0c5c75f6252acb41f541ecc7137e7c19e0256d707066bd7c477c1dfee9a6701099f895e28 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 50ee4ce6c07fd61aa33a680c5d175327 |
| SHA1 | 4a42431c1d6ba385c9c7d01daed01310c37747ac |
| SHA256 | b30f34e875724af666a7cb9e9a9c96c5549f7f6c8eaa01dbac1a0f64b284aeef |
| SHA512 | e2944e693d4eaffebb433638107b45ef05b54acace3cc6ac911a9eac7fab3fe35779d2be72a92c22455ecf7ce7216009bb06c99941f04655bff96315c58f7ffd |
C:\KaVB4T\optiaec.exe
| Hash | Value |
|---|---|
| MD5 | 0aba70aa5c89a1a6a9a9a401eba37d02 |
| SHA1 | 63e00950a402c3617f390eb09f96af271dc51d7a |
| SHA256 | 5c01a456ff47e8a5297d60bb9981f439be825a1a2ff27d08e017540defa44a77 |
| SHA512 | bc6c5929712b02008169c33a034878fd4dc3525c7dccbc5d2710cb04c546100048af4b48a67252646e176e83b10efef056c4eb5c48545244027a96e2b07662cd |