Analysis Overview
SHA256
fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777
Threat Level: Shows suspicious behavior
The file fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777 was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 05:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 05:48
Reported
2024-06-03 05:50
Platform
win7-20240508-en
Max time kernel
150s
Max time network
121s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | C:\Users\Admin\AppData\Local\Temp\fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| N/A | N/A | C:\UserDotEG\xdobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotEG\\xdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZH4\\boddevloc.exe" | C:\Users\Admin\AppData\Local\Temp\fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe
"C:\Users\Admin\AppData\Local\Temp\fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
C:\UserDotEG\xdobloc.exe
C:\UserDotEG\xdobloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
| MD5 | b7ce3d96ed2eae43fbff12fabfddea61 |
| SHA1 | cca20e563680278312288e4837b1f133befe6855 |
| SHA256 | 349aabb46d08255ef1edbb49ac73c4b4aea179407619b8ded91baf90cf26b259 |
| SHA512 | be4252467038d0febb383b924cc367d103b4e420cadecdc60a065833a7133ba64a4b6482946811d980b7b62d73168caa77b58c31364bac359b662942acc49ee9 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | ee129eb44fb023bd52fccd204aed6852 |
| SHA1 | d7ceca78b36bcd23012401c7837e8d33f2b15652 |
| SHA256 | 7894460e593d9cd5521ce1f3740e395553e73b038296cd288210b363dd6e95a8 |
| SHA512 | 800f4f0c5b26df12d2d90e2768161bfe501b074405ad3a124e1337d80d54b30d2610e1a6ff1202e8da53d465ad19d573557039e3ca9d352d519269c5277d8f4e |
C:\UserDotEG\xdobloc.exe
| MD5 | f1eba410de9ae20a71164337c3f0ed62 |
| SHA1 | f5bb3c4624d89ad2de6f8314abdbf6debb1efd2e |
| SHA256 | 8fb2731c4591287a0c8deafcf0f49ea4a457c0d4e668809d39638fe9d8e8ce49 |
| SHA512 | a4bce017e4be40ae7ffdb69f2d31e8549dd0ea866c5c0a225179d190863659ac3d021576c35bea38141ecaf728685f9bd55c19b0aebddfea776d65f3284d2368 |
C:\LabZH4\boddevloc.exe
| MD5 | 1c5ca0f427c0991d13699ebfbcccf79e |
| SHA1 | 579ffcb5804e4df36968c4ad790cb570348d5c13 |
| SHA256 | 0fc34c0bbd0dad0e41a7581ff3d36d42bba51af91244158c9310ceccdb1ed980 |
| SHA512 | c5bae5f1b5affcac55927e9601c7a9f38a72992217f7b603e68e877704e065b1b9252e48dc2365a859f8d8b41f7a9fa181bb969bfc42acd0cf7f8d3f0418c908 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 8c3ab458e6ac60419fb362853981a58a |
| SHA1 | 3f51913ce0be3080cbc323384e077ff2dfb0b3d7 |
| SHA256 | 03c251a9b8f9751059d5a9e5e66981e34692340907e542bc8d3328e416ea48b7 |
| SHA512 | 91de8b2ebaa8aab0c39ba812699d2f3b6327cff360b01c3562b57a83dc8cd77687e637ccc604145446370028bab7188f38479f92ea2567103d5bb8808bff88d8 |
C:\LabZH4\boddevloc.exe
| MD5 | 4c026ae806777f73d5b2448b1ece46fe |
| SHA1 | 8fcf647fcefd602bd4c8a742d51fa94febf2a66e |
| SHA256 | 219aaf32ddb938ab0eb922d3cf1cf5ce054dd928b3f34633000f039645e6f746 |
| SHA512 | e0312b459b91d9ecf9a3d94f66547367b6bbaa65237f053b8639035c0ba2d6fedb17cef6480ae65c3240a6d2d5c87a7512d57f95f1f40eb0ed6b0b379552dc15 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 05:48
Reported
2024-06-03 05:50
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
127s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | C:\Users\Admin\AppData\Local\Temp\fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| N/A | N/A | C:\FilesPI\aoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesPI\\aoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintI0\\boddevec.exe" | C:\Users\Admin\AppData\Local\Temp\fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe
"C:\Users\Admin\AppData\Local\Temp\fb5989738faca580f539daf3ad1c1a2f723fb128275134a9745bbdb48d7aa777.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
C:\FilesPI\aoptiec.exe
C:\FilesPI\aoptiec.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4488,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4168 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
| MD5 | 87df644322b03d52199403f3378a7221 |
| SHA1 | e0304e38bc69366ccb7fa3f320ddf00d93d7482f |
| SHA256 | 448c4bdf8003fbe16ce2a19e3b9020fcfa03a21e9323821c4f8b0b2b28b7f5fb |
| SHA512 | dfaa957a8bc41f4338a0fad8cf8ba2c10903d420665203a328d455739c5db516348579f522f3994271ad1c15f74cbcea75f96899ee7871321404d8ba054b7b3d |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 828ff3a257150c01c74e66ffbb5ec01a |
| SHA1 | 6e46ccf9f6ebe0e70d6bba879abc63a2cd9f634d |
| SHA256 | 59fe1de57c3299b27a5e6ab2a42d01d39b86eb100b0ac85285dddb783504092d |
| SHA512 | a5b911d21e99bcc58ce313e08ffe1ce2f93b513952c1c543f50cb45a092311d470c82f7e44bae29e9fa48c263a02753bb5f831ce309b52f5d8bfa3265f711f19 |
C:\FilesPI\aoptiec.exe
| MD5 | 3181321c898ae392fe45d77292abea9f |
| SHA1 | fedc81dec184428048743b8e42d1fc58c80f25cf |
| SHA256 | a962e080e40dcf77a7d91909033cf87b258a1056656d1e063b7c5f1ec6100fa7 |
| SHA512 | 7e18a696b830267c7d66dc54296b54a10459873b26520bfc2e554c28624211f38a0f7a7aea5fcb2e1e4a2a294927219be3de89e9758b18f90b47e73d1cf0918d |
C:\MintI0\boddevec.exe
| MD5 | 6d6dae27d15e8853734b5130f5ab971e |
| SHA1 | 98f741ee5df81df402ec4b4311c99036055b7273 |
| SHA256 | 8c7590bae21ad04249ba675f8e983c90f1362cb914bf2a0921349cc4cba8be17 |
| SHA512 | 759e92b6bb6ff7b3f7e1cb4bdabbaedb7eb539fe710f4d624f1945a5f68030fcff9e4aad06d3b750afdaf57127584fade1d5b7d98f9f74a2a92bb66cc49ddc65 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 543aad135b13b563616ce4c23248d453 |
| SHA1 | 5ce20d983773ea3619f3f14bdac82a3e2672fd8b |
| SHA256 | cdcac49fa15a16cd7a600d2f3d0d08eac50599f8c85a98c5067c97c3c978f77b |
| SHA512 | 1ca46fa83001816282d7d3b64452099d31f9532651ebb6560a26faa12194df6423d37a3d316b987b026fff94c091a570b44befe2bcc5d0bcd110f3d8faf8074d |
C:\MintI0\boddevec.exe
| MD5 | ac21cd7ab07d98ec93759fdef42a4062 |
| SHA1 | 650579bea9f359d5bda0fb340b05543b9a5df5b8 |
| SHA256 | e708318130c710978044ae5437a26ff87dfe7ad3b6e419216bf19487415faae9 |
| SHA512 | 88a38b8046494f779096dae6051454e79d26c98074181fd68575fd36ecc275e5bac2c7971ef9a5069e44401ebfd15f3eccf5dd3f3149b0e94732cc78c567cdfa |