Analysis Overview
SHA256
9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7
Threat Level: Shows suspicious behavior
The file 9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7 was assigned the threat level: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-04 00:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-04 00:39
Reported
2024-06-04 00:41
Platform
win7-20231129-en
Max time kernel
149s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | C:\Users\Admin\AppData\Local\Temp\9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| N/A | N/A | C:\Adobe0J\xdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe0J\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ76\\dobaloc.exe" | C:\Users\Admin\AppData\Local\Temp\9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe
"C:\Users\Admin\AppData\Local\Temp\9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
C:\Adobe0J\xdobsys.exe
C:\Adobe0J\xdobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
| Hash | Value |
|---|---|
| MD5 | 2bbdef029497d18b4def07d55cbacb81 |
| SHA1 | bb2a59a64780efb0b486ffd4ad1f9f0f102b7ed1 |
| SHA256 | 942402c93e02c39c7bd900d1e9cb2bac4cfb4d10c4940fe58736de4c9b89c10b |
| SHA512 | 8705dda6c95f23eb1b673b46f0232c9e055a1fef378b522028136cd7edfb421f3bb07adf3b570383bc1a5ec811fc319444c93dee7d4159a5b8e668a99aa99f2e |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | db28181107b9e2a54f3eab391a4518f4 |
| SHA1 | 11f8eaa1deb229a72b8caea7f27bd34f4153351d |
| SHA256 | 4c3e5d819c4ae6d70020e45f42bdb1ec9334974892f7dc717c6196b1e8e24ba9 |
| SHA512 | df053a8924ba189b5b0054890a9f3c416378e80804198a8b982288dc392a21efbf948647701b79b132baa689c308c06b01c5d91a71a1600db0cb1323636b4b3f |
C:\Adobe0J\xdobsys.exe
| Hash | Value |
|---|---|
| MD5 | 1149f2d3eb9e8b3be936b4a0851caea9 |
| SHA1 | 095820582c184f34d32c0878fab3407ad1467a3f |
| SHA256 | 3bb02ce48ccf46d87d062f71e6a3f33cc3964570bc53664bf94ea7e81c15d3cf |
| SHA512 | ea8e22d78532cae3f73637fcfa2a3f6867039463c78d5b03e46cd50b21987468fbf7ab9efec9571d924a833dcd8545e04672bd3c3ba82bec2ead3177ca6e481b |
C:\LabZ76\dobaloc.exe
| Hash | Value |
|---|---|
| MD5 | 64f418a3c2edbab70ef35a55de92915c |
| SHA1 | 94feb791c0bca7e969dd29ce54aae76532893dee |
| SHA256 | 39584e39477566ed41652b7ce3e02126ddc93c3c004608fa9b2db06f8494b1da |
| SHA512 | be07433c142fe3f75bbb5d4846fb43daaeb93df5940d380e8353528f0dbb41ee33351ff1ad6de7d607d433c16330f8e88a5e7d0be1d5d03ea196a05c492f916e |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | a5f68a21dfc3dac04f24cad6f6b8a31e |
| SHA1 | 8b9576008bdc78f334aff09b2eaf7386302c7b1e |
| SHA256 | c4b3be246ee5c5c389f5f83bccb0a00b803bd8348c8f18aa0fc423f295d001e1 |
| SHA512 | 931dc68383336e59048191cdfd0315ecaac7720e4622dd741a590a9821ecdbc7cb428906f048ba7f0d760319dec026a79524eef811bf1aac436b82353cdd7217 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-04 00:39
Reported
2024-06-04 00:41
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
93s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | C:\Users\Admin\AppData\Local\Temp\9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| N/A | N/A | C:\AdobeLO\xoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeLO\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxGJ\\optixsys.exe" | C:\Users\Admin\AppData\Local\Temp\9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe
"C:\Users\Admin\AppData\Local\Temp\9b1c7f08a6203d7897ae5d459257eec116089679e0bc486d81e93edd4deb1de7.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
C:\AdobeLO\xoptiec.exe
C:\AdobeLO\xoptiec.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
| Hash | Value |
|---|---|
| MD5 | c71f789f208fa3ab82a6c019d6a4f0db |
| SHA1 | 9422f9da89d51debaa34928bcf739b8c526f6234 |
| SHA256 | c38d052ceaa204a8420bbd2bd61b46740f0abda0774d70b23b68e35ffac68cc3 |
| SHA512 | fe3b90f04d0064f0efebca91bfe156a12ed9a2c38a00f362c5b77cd689a9ccfb3f02558e5bb4480ce97362a403c89283863f299041945a183523921273ebc425 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 6cb1ac5e4cea64c37247e4945fedec42 |
| SHA1 | aa29600b765f7afbc8994fcb6ade70c4e9fe7451 |
| SHA256 | b4ac19437dc5b4757fde53dddaa90fb909e4d05c6c45f5b07a52e0e8a59d36bd |
| SHA512 | ea278aa7dd9eeb0a1fd4f2c51ea6b19280af518129f5eca43e1013c7e59b8e66a20495e7359a7315952360dfd39b791e49d4c24b60e2b4ef9edc761d3b2007e9 |
C:\AdobeLO\xoptiec.exe
| Hash | Value |
|---|---|
| MD5 | 8e458a49ceaa667b0f7a6c1213d45da2 |
| SHA1 | f9c6f5d957b23a946c8802831b59fc1297642f28 |
| SHA256 | 595c7e51c8954750e727e540bcc43438aa237a6377de34aeff2a1e1c92e3e9af |
| SHA512 | a34f92114b37adb22362112a671af58e8b24b349ace371fcda3acb33ca711174288b6e56275a561e13d38c605ce614bccfa2c87a063e1ef9be8f7641e558dd1b |
C:\AdobeLO\xoptiec.exe
| Hash | Value |
|---|---|
| MD5 | eba5aead78b461fe7accee387336e3c0 |
| SHA1 | e7f507d0e353d4fe3bd131bd7ffeb5cdf0804669 |
| SHA256 | 375b3458d512eee3e2d49c4874cc94e3f5fb6ab7063591b5348386fd10e24786 |
| SHA512 | d403f6b26e293c1823d1da1185d4f2c2d3765e034d126c38e82342e1a61cb049b77cb74b4cd1e5ee1cb053272543e0c464e9bb08a38fd7b12234281612755af1 |
C:\GalaxGJ\optixsys.exe
| Hash | Value |
|---|---|
| MD5 | 213ea1dba977cfc4323aafb5ec838b70 |
| SHA1 | 2ac556ce3aa3363b198683beb75a696aa6f0059f |
| SHA256 | 45d173ea065d141d402a5fb7783ff9888832b4dfffd2cd65c87ed9506da4881b |
| SHA512 | b6ee4a920f76ef9bc21210ca99cf60307b97e4e114d42ddaa62e4dbb6ad5289f60b09b2db0c19a279243f869cc00ae07fe2d2132c6c30bdb91c92950450bcc21 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | d8edc6807296c7775369ff858ed464fa |
| SHA1 | ea9fa858e275ae564de272d1053cabd05c2b3f9b |
| SHA256 | 7b8b272f329ec28cb7d5b3596e26b9051853c702941230f37953f90389661d25 |
| SHA512 | c1388a0c5aa84291b09c40e80c6f8a7eff3112aa9115b930903e83478cc3c978349b51fde1d8fa51f18aeda9d3e645bdb1e17fed4dfc1f0b71b1275caf67d5f0 |
C:\GalaxGJ\optixsys.exe
| Hash | Value |
|---|---|
| MD5 | fb1771b1763b675638fff2dd51e268be |
| SHA1 | 1528bf41cfdfc652b205db7120038c9bc2adb8d9 |
| SHA256 | 4775743f6d0eaecf71bd18018b77ab9d7c20487ad8892a736b1f4053eab88abc |
| SHA512 | 60f0a71e544e9189cefb1c8ce36d32dda0ebf89fcef08263b23e2c8ecac2191bee465364707656f41bb440a8b174382d9733dceae6afba885108fad74bcab691 |