Analysis Overview
SHA256
ac00729aee12456388ecbacd812f57ca8712bfc685eba2fa4083b82f4787e6d7
Threat Level: Shows suspicious behavior
The file ac00729aee12456388ecbacd812f57ca8712bfc685eba2fa4083b82f4787e6d7 was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-04 01:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-04 01:27
Reported
2024-06-04 01:29
Platform
win7-20240508-en
Max time kernel
150s
Max time network
123s
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | C:\Users\Admin\AppData\Local\Temp\ac00729aee12456388ecbacd812f57ca8712bfc685eba2fa4083b82f4787e6d7.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| N/A | N/A | C:\AdobeS3\adobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ac00729aee12456388ecbacd812f57ca8712bfc685eba2fa4083b82f4787e6d7.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeS3\\adobec.exe" | C:\Users\Admin\AppData\Local\Temp\ac00729aee12456388ecbacd812f57ca8712bfc685eba2fa4083b82f4787e6d7.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint89\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\ac00729aee12456388ecbacd812f57ca8712bfc685eba2fa4083b82f4787e6d7.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ac00729aee12456388ecbacd812f57ca8712bfc685eba2fa4083b82f4787e6d7.exe
"C:\Users\Admin\AppData\Local\Temp\ac00729aee12456388ecbacd812f57ca8712bfc685eba2fa4083b82f4787e6d7.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
C:\AdobeS3\adobec.exe
C:\AdobeS3\adobec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\AdobeS3\adobec.exe
C:\Mint89\optidevsys.exe
\AdobeS3\adobec.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\Mint89\optidevsys.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-04 01:27
Reported
2024-06-04 01:29
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
129s
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | C:\Users\Admin\AppData\Local\Temp\ac00729aee12456388ecbacd812f57ca8712bfc685eba2fa4083b82f4787e6d7.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| N/A | N/A | C:\SysDrvEC\devoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvEC\\devoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\ac00729aee12456388ecbacd812f57ca8712bfc685eba2fa4083b82f4787e6d7.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintGW\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\ac00729aee12456388ecbacd812f57ca8712bfc685eba2fa4083b82f4787e6d7.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ac00729aee12456388ecbacd812f57ca8712bfc685eba2fa4083b82f4787e6d7.exe
"C:\Users\Admin\AppData\Local\Temp\ac00729aee12456388ecbacd812f57ca8712bfc685eba2fa4083b82f4787e6d7.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
C:\SysDrvEC\devoptiec.exe
C:\SysDrvEC\devoptiec.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
C:\SysDrvEC\devoptiec.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\MintGW\optidevsys.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\MintGW\optidevsys.exe