Analysis Overview
SHA256
8b020e35f7b5162db5230100049eab3b492627fdb9287f8e1220c731ff5abae2
Threat Level: Shows suspicious behavior
The file 8b020e35f7b5162db5230100049eab3b492627fdb9287f8e1220c731ff5abae2 was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-04 00:00
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-04 00:00
Reported
2024-06-04 00:02
Platform
win7-20240508-en
Max time kernel
150s
Max time network
122s
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | C:\Users\Admin\AppData\Local\Temp\8b020e35f7b5162db5230100049eab3b492627fdb9287f8e1220c731ff5abae2.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| N/A | N/A | C:\IntelprocVT\xdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8b020e35f7b5162db5230100049eab3b492627fdb9287f8e1220c731ff5abae2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8b020e35f7b5162db5230100049eab3b492627fdb9287f8e1220c731ff5abae2.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocVT\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\8b020e35f7b5162db5230100049eab3b492627fdb9287f8e1220c731ff5abae2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintWZ\\dobdevsys.exe" | C:\Users\Admin\AppData\Local\Temp\8b020e35f7b5162db5230100049eab3b492627fdb9287f8e1220c731ff5abae2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\8b020e35f7b5162db5230100049eab3b492627fdb9287f8e1220c731ff5abae2.exe | "C:\Users\Admin\AppData\Local\Temp\8b020e35f7b5162db5230100049eab3b492627fdb9287f8e1220c731ff5abae2.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe" |
| C:\IntelprocVT\xdobsys.exe | C:\IntelprocVT\xdobsys.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
| MD5 | 1a06c5028f77e05db91b9a14d44953ae |
| SHA1 | 8dd5b44d7a9afdd0acb2b986e0808585e3017bb3 |
| SHA256 | dc36ef5a2fb228529ccab50f2e19bc476a419df1b513ab1acde01adb874fd041 |
| SHA512 | db6c8cb407c88fb662becca591fd66651d9c82392cf8316aedb0852ae6af3cda299aa0891993ce1030f804e17f7cb803945a63fcc005de62f00cfb8657a2ef7f |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | bbd46dd76f021623f249317b3260a0b8 |
| SHA1 | 82670f5cec5b0d891751f43b98580e0f7af0e5a3 |
| SHA256 | 7f4928d920f7adee72acb7a50c1be7f3820c8ca09762ae6d5fc390b3f388440d |
| SHA512 | bf4c38d70878be0962e9ef6c2096902c59c0bddb6f4725fe849d59c27c1d451583bd1bfbc2aecbb5a9e59d88088c7d1525c62183c424e0f2a74de4b38bf8f67f |
C:\IntelprocVT\xdobsys.exe
| MD5 | ad0e3d1056137fd9c62e98edba914419 |
| SHA1 | bda48f62bdd9a1abab8b6cbeda87114658d0fb20 |
| SHA256 | 4347eb63fdf6cc0cc2b49682c80cf0722004e37281507a3b2210bcf76f771e31 |
| SHA512 | 113df48d7bc2d83c71c135d8bb143d89514c7f09083e759113c88bbc520b0296b9817d973b4702063b64f04aacca24fed4645468cbf4f1b63fcef68faf6f271f |
C:\MintWZ\dobdevsys.exe
| MD5 | 39c0413f90bdc9551a259545a1b88493 |
| SHA1 | ed582c2b7ffaae55581331665fa1e8b766276f50 |
| SHA256 | 5c8a4e88c77e2bcc25fb3b4acfac162a1bd186ac6decf1f5dab1f5d0005411d0 |
| SHA512 | 8867bada1542d0e64674fc8e2dd7dfe540fe6b62392a13d81f28336e1db3f0640d43fba176724bc9238b22c2f6bdc272b50022e690612417ce76321c2c961071 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 28dea217e6cbc210968806b8540c89ff |
| SHA1 | 60f9b3c6b4ff5f2f5a63725a2def966198fb6b3b |
| SHA256 | 93ebaee91bc47783acd2fbec021cdc013f247351f5d267b343776ec7f3765bfd |
| SHA512 | d2b97d0209a85939b86990a3f3e187e182d585d242946e8fc0cd5202353a70ef0e9a15a462e7d24f24b7f1f668a6a001d651073e641eb186f2f1fcd110d60628 |
C:\MintWZ\dobdevsys.exe
| MD5 | 82a7258b89015609cb9bbe06c768e456 |
| SHA1 | 9d3ba6894141244ff69d9a4602aaea56021c8f9e |
| SHA256 | e413043d84ea0bda0781c26df2eae3866cae0264d4d1e2b92e2c11dc18ba3121 |
| SHA512 | 1e97bd1f7cc97bc05087afeefe04088712687342cfb99caa2f8225a6919fe906c03bcadc8578fde673f4598b3b1d19af6efa432afed807fc9d58857d697c37e5 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-04 00:00
Reported
2024-06-04 00:03
Platform
win10v2004-20240226-en
Max time kernel
151s
Max time network
160s
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | C:\Users\Admin\AppData\Local\Temp\8b020e35f7b5162db5230100049eab3b492627fdb9287f8e1220c731ff5abae2.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| N/A | N/A | C:\AdobeGW\devoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeGW\\devoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\8b020e35f7b5162db5230100049eab3b492627fdb9287f8e1220c731ff5abae2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZWT\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\8b020e35f7b5162db5230100049eab3b492627fdb9287f8e1220c731ff5abae2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\8b020e35f7b5162db5230100049eab3b492627fdb9287f8e1220c731ff5abae2.exe | "C:\Users\Admin\AppData\Local\Temp\8b020e35f7b5162db5230100049eab3b492627fdb9287f8e1220c731ff5abae2.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe" |
| C:\AdobeGW\devoptiec.exe | C:\AdobeGW\devoptiec.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4004 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8 |
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
| MD5 | d294b259c2367f65e4fb74804c66012e |
| SHA1 | ca999dc36a7525781b5c11437cafda17ca1733f5 |
| SHA256 | 1fb3e09226846e0cf592f9443d3a6a8b324ca3d3448f715eb98af6f302afaf60 |
| SHA512 | 63e05f743e87b50f5b089ce1794076cdd28f7197591a5145e7c718f8519d55d8aa5987eaea56623b754371a250c001e0a613b1a1da47e7bb3792c47895c259d9 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 57c3a9ebd25c627a17491abc3c9884f2 |
| SHA1 | 4216f28fa9b13f435d9c1adeaf6dc28b68c75e5a |
| SHA256 | d851e9ddf49c012358ce35ee50bee01dbad8dc0b868d608c8fbd4e32bc2dc3c4 |
| SHA512 | 487722feb33cd8d23133b2a26b67763c08b16cd489408be3464d6c138874f879e32d3f62b3eeee2707f57d3fa7333905e772be1ec4c6dbdb1e6e50c785eeef7c |
C:\AdobeGW\devoptiec.exe
| MD5 | 59e71b2fe5fb2dad5a786e8341cbc549 |
| SHA1 | 83517258b0885e54ee939f48b6fda636e53d53a6 |
| SHA256 | 7e752a59fb7d6fd129b87033e33747c5fa0e74c6f10f5e70f43d73d07389bf3d |
| SHA512 | 15200aefad3361e7f25d3a994f44cb8c7c051ee04f0452df66b64d2259800931c60c826703b57405a0211643250f85b93646a51a7c8e8b4f71038d716c354da3 |
C:\LabZWT\dobdevec.exe
| MD5 | 507ab44ecf74ae871209e742e1eefbd5 |
| SHA1 | 78205d20967fc94f9317df30022150beef3296cf |
| SHA256 | 39e54f1ad03266e524595cde8998cea40173ed52dfa943ab7fca11882e155009 |
| SHA512 | b68c4b7ac734ff9e6c1798867b955527ac8da245b1214c5fe0a9a5b510a8647a8c222205ff2710dd294530669e21fbb21de22ae556205f182bfa29926714f316 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | e98e2d00a8ad3df9922f8639c962c7cd |
| SHA1 | 6435c945787ca4992cd3cbe1d4e9ad5dd9a21941 |
| SHA256 | 87a99db7479a36d4cda718d5abd179481a379fced6f911f70c111b540d3151c4 |
| SHA512 | 707d9a639397fdee00c3846ac1d5b2e18a9990901d7ab45a4530c7f1fc771bf9647547c47a9a2eb4a2dda2cf26b03f90a1e9f26c7314a4de1be87c3866d62523 |
C:\LabZWT\dobdevec.exe
| MD5 | 3272caa4192b8d3cc4832cfbd777888b |
| SHA1 | 10e90f64214d6efb82cb0c61b61bb2432e1ace8e |
| SHA256 | 7347276718f89fd23f53377b813f9d00fed29dd8de42a4a7cb231d3b918771bf |
| SHA512 | e729ad22b2452b1a1c0feeca7e66627fa9c11366ece405cd725088b5d0a02aac0bb04ebd8097be5cc76b2c047979c0752c0f3cf037d1cded0fb21f5d922ebe2f |