Analysis Overview
SHA256
f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30
Threat Level: Shows suspicious behavior
The file f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30 was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:36
Reported
2024-06-03 05:38
Platform
win7-20240221-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | C:\Users\Admin\AppData\Local\Temp\f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| N/A | N/A | C:\AdobeCT\xbodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ9X\\optidevloc.exe" | C:\Users\Admin\AppData\Local\Temp\f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeCT\\xbodec.exe" | C:\Users\Admin\AppData\Local\Temp\f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30.exe
"C:\Users\Admin\AppData\Local\Temp\f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
C:\AdobeCT\xbodec.exe
C:\AdobeCT\xbodec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
| MD5 | 7ed09b0587afa0abcbccb2762425758a |
| SHA1 | 4df0ed4de4d49e4823f3cf5d81ba1ca496b00c7d |
| SHA256 | 80272d04a7cab72013e6a026d4a2aaae4060f6d0351f021643686e7ca29838d9 |
| SHA512 | 62626889ff87b49b3d570bff16754afb96baca0684118e4770656030e56904d9b84d0a59db84e4da42d3337d8b049b751e9f9e6ef7e4c3d59e069e28773d0347 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | e5a421e532d9b99e98b8b2c840eed54d |
| SHA1 | 04b69dad6fd98479a0cf3ba6e5fdeb14812a0bda |
| SHA256 | b13132ee2909b98982bfd58faf5ec68ccce3e178ccee0a79eeb5e8e9ad877b55 |
| SHA512 | 5719955228792a542d3d76c322d4a8f6ed2d9e2a52950c9ae87916b5a36a8b06a632a4753d28ed7f1ff4f0db584c013ee9d64245a5a57849346ec13e5ba82b48 |
C:\AdobeCT\xbodec.exe
| MD5 | e40103673e08865e6e8aa189cfbe7479 |
| SHA1 | fd5e7c4052e78fada152fc6ec1ee7d857b2a3e79 |
| SHA256 | 69d1053f255b3ec2e06fb215a1798f5c5c107f19057cf4dcadf3fbe01db82059 |
| SHA512 | d13b557197226e9c0edd8a92d0350770349d6bae663dd7387a606f7bd2321577a86bcfaf331492bedbf976b7d7e0d0c0acb23e3c4f79ce6946cbca4118e60f99 |
C:\LabZ9X\optidevloc.exe
| MD5 | da101d88f68648cf22dc794ed281a01c |
| SHA1 | e7352c880606814215c0706e897a264fb2e32c4c |
| SHA256 | c575dac5b9b32b25a9c7d59cb29869cb0c92dd91465e5eb6c6194606eae1d0c3 |
| SHA512 | 3725536b5106e7902f271015df5d0a7dc567bd66e202e50eede885373a1b08f587bfda9e3a82b0f8ca563b2ea22f09e2cfbcc43ce565337092d44dd53e0132b8 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | f6419c0c31b458651c739d68d4c0b2c3 |
| SHA1 | 8b0c10ac12893eac70171f8791a1584cd2b81f13 |
| SHA256 | c739cef60b29a2e17d416e31da1cab2427cfc42b287dd085cbe683b36c89f3f4 |
| SHA512 | 87182dc2803da245577eee16d82b062dbb10639c3859cf63c883305a83853d9a4414671089ce2ad74fa392cc0e8fb503198dd7bf1c667716f7873a58ebb4bbae |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:36
Reported
2024-06-03 05:38
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
100s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | C:\Users\Admin\AppData\Local\Temp\f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe | N/A |
| N/A | N/A | C:\SysDrv39\xbodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv39\\xbodec.exe" | C:\Users\Admin\AppData\Local\Temp\f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintL5\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30.exe
"C:\Users\Admin\AppData\Local\Temp\f5bcf6fd0a01d689ba2f350f6b387a9a7a1175119c5fec8ca25a50b8ea44ac30.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
C:\SysDrv39\xbodec.exe
C:\SysDrv39\xbodec.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
| MD5 | d7fc32b8b0b03b155b387512e204cd9e |
| SHA1 | 758c3d521367af1bb69497e6d510bae3695f7bfb |
| SHA256 | dea2f836c827402647a777d0c32dc35bc759b3dd9d6c62ad0b397ad59f13fdc3 |
| SHA512 | 77c9bedd3a67cb47af22a3041d5240edb11917c997afcb50b94c2007e948bbacda966feaf25a81f196f95474e255c8457729d140e09716279139e633404b6bfc |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | a8633a058dc0051db259c9d06fbc8b14 |
| SHA1 | ad86f493ee775cc6114f90e80e8d66574e64cac7 |
| SHA256 | d327cda432675aad8410408501aebcbd6aa4295e0aed4c589cb1066c3e07286f |
| SHA512 | 79e92a6ed0eda0dac7f97a00debb677efa2e4b04ea82eddfdc06acf7ba4d63b56d5bed08a24a81d7aa04498305dcb6903b6957a96a218a585541e337ad51bd85 |
C:\SysDrv39\xbodec.exe
| MD5 | 3e560b728c888e2569c4625ca6ac8cda |
| SHA1 | e13e6db2928e37e861e27fa38ad6ac13ae33aa97 |
| SHA256 | 3fd2dcfff2b4667348bdb20afeda30185dfca86cad40289fe896e7a2bd3e71c0 |
| SHA512 | 39aa829fbdd5166ec8944afd89ca34212169691fafab660a7da49846f9c540fbcf0149f5af23001583cf8ce80512756542989af65d5c255112505fd6394b7f4c |
C:\MintL5\dobdevloc.exe
| MD5 | 4527b53d61c96c5bf6113c8ed376548f |
| SHA1 | 577d097573e3be63c88bc36d28ca050ddee677f0 |
| SHA256 | 753785a00bb0a2586799f4a65703d3fa5608dfd2bce184c40688ea570b301c37 |
| SHA512 | a12c68a5b52219e6792599724e5422fe10003db0d36d0f4a8c996857229a3e01966bb2cd96215b915b04c1b78698469941a485ae60201fa748a4b5f0a9d88ab0 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 14d9b934ccc13df15d55fd5a1fe540af |
| SHA1 | 7dfbeba25f770b98e5aa392e7cc8ee43144b19a6 |
| SHA256 | 5eb7b0a4cf782c31ecb752d60771fa8444d2a39670a456037c1165f6179f1849 |
| SHA512 | 2b21a253a256b33de35d1f95f6339b0e12eeae41a3023e1fb471218ed797fe650d7b625000ba07cbca51f4f9b8fad6f11b7d302042b4107839328c05377c52a8 |
C:\MintL5\dobdevloc.exe
| MD5 | 8e3f4c8aeddc2c5e699ae33dee6b07bf |
| SHA1 | 63ac5e9d925f9339945c1f7a0b31b62e2aec7570 |
| SHA256 | 621e6c81a89c7c5ab293b56b08d182017de98a75eaa0bf5fef287a91b5f68028 |
| SHA512 | 12545a5b91be575930f33337e659181f11da52b6c66dbbf4272f46304632de93ca09503074c3f5a0d8bbe2ab3fd85a7f53b6dbc266d85809cce46618a6f5506b |