Analysis Overview
SHA256
ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8
Threat Level: Shows suspicious behavior
The file ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8 was classified as showing suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-14 02:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 02:39
Reported
2024-06-14 02:41
Platform
win7-20240508-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | C:\Users\Admin\AppData\Local\Temp\ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| N/A | N/A | C:\UserDotBJ\devbodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotBJ\\devbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZGU\\boddevec.exe" | C:\Users\Admin\AppData\Local\Temp\ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe | "C:\Users\Admin\AppData\Local\Temp\ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe" |
| C:\UserDotBJ\devbodsys.exe | C:\UserDotBJ\devbodsys.exe |
Network
Files
Where the same path appears twice below with different hashes (253086396416_6.1_Admin.ini, boddevec.exe), two versions of that file were observed during the run. The "6.1" in the .ini name matches the NT version of this Windows 7 detonation host.
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
| MD5 | 147cc195c660eb9fca9139c377cc1176 |
| SHA1 | 6e146ac5461cf8bf12de67e3b6458b659d40af45 |
| SHA256 | 61d3ac1bdb79ee4c94a64e9925e545639bc58280dca7bc79cf17d63b5d534b3b |
| SHA512 | ad25378345d0b15eb8e836f8d65ce07497e2bd4573782b8234b97a8b5af7e7ab53d7a4a5f403e2fb183c83c2c08e0886c48f2653fb5187b2a151a4b59608fc58 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 22684f0befcdcf3e68d84f9ca722f149 |
| SHA1 | 3385f78e883dd90f03d21ac1c9b11c56ce87c0e6 |
| SHA256 | f2e9bd9574aa17cbf3b1f1d7edadb3b73527411bbf491ecb6b7e3dc691a9ae86 |
| SHA512 | aea6764684774398e96017f9940f67506cd04c1122df2f084c259fd7cab114bd114dd70c4bb38f01c8b2a88732d569a6d364508856a2c6b55f61ea9db96f1e16 |
C:\UserDotBJ\devbodsys.exe
| MD5 | eff235db029209b89e2ccb037129d871 |
| SHA1 | b8c9e21ab8e513d38b91b037460939e7fe6db370 |
| SHA256 | 9ca52bf90129783e9e32671930f257a6cb0aa61a6636d057da2446f9630f8e35 |
| SHA512 | 9d26ba7254d027ab54a713217e6e7908b7146d74b3f1a3742e04199f86b145a2bcd6b25ffa4fe7f33baf130b71b7376d234da298c452279ed75d34de30e441b7 |
C:\LabZGU\boddevec.exe
| MD5 | 3050c6c6b59239af083247c88c2995d4 |
| SHA1 | a4341770d34aa692bb1eec935b7a0009d8e4098f |
| SHA256 | fb162b0a3281e41c730986c01b5d8ab2f6f9119ce85910d87149914262ff5d40 |
| SHA512 | 4cac03e8cfc8f1699e198cccf81f5d1537fb71c2e7554bf5018407335cbab48325bdabf61dfd263f409df1223eb50ffe273e5cfb99fe77425d5fcb2bfc1486f9 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 058d52c87478916904ce501563c12f09 |
| SHA1 | 0c211f3ac1f9866bc8b7bc070c19845972e26e28 |
| SHA256 | 3c6b308b6044a2eb9f9765e0368999c12d6b312bcedaac2df3392f8c50667345 |
| SHA512 | 5334794d0046f670f45e1abd8765d65faba39932924ab8fa6fcd19fe61bf082a158a903ce1c0a2dc2b221dbdf3ad4802c54743da0e63ab3f0eeacdf6b3ec0060 |
C:\LabZGU\boddevec.exe
| MD5 | 9daefe502061561d173abd18521f0c7e |
| SHA1 | ca5386402e44c7fffa5f8e666c85be0f211d315d |
| SHA256 | 1a7a78c5c66ae4a9b91750647dfd5d3a50c84c002e51a3790adb5973ff047f1f |
| SHA512 | c5175d49640e152f72e31268003dfe09480860178f49ed2e7780b77f0a485014b723e02801421ee16038da7c9e40325522b56ace28307df6958b4b9395e119dc |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 02:39
Reported
2024-06-14 02:41
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | C:\Users\Admin\AppData\Local\Temp\ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | N/A |
| N/A | N/A | C:\AdobeDC\xdobec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintFS\\optixloc.exe" | C:\Users\Admin\AppData\Local\Temp\ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeDC\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
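Both detonations share one persistence pattern: an .exe is dropped into the per-user Startup folder, and a Run value and a RunOnce value, both named Parametr, point at executables in newly created top-level directories (C:\UserDotBJ\, C:\LabZGU\, C:\AdobeDC\, C:\MintFS\). The Python script below is an added example, not part of this sandbox report, showing how to hunt for that pattern in Sysmon registry (Event ID 13) and file-create (Event ID 11) telemetry. The events it runs over are constructed from the behavioral1 indicators plus two benign entries that must not fire; the simplified dict field names (event_id, image, target_object, details, target_filename) are an assumption of the example, mirroring Sysmon's Image, TargetObject, Details and TargetFilename fields.

```python
import re

# Sysmon Event ID 13 (RegistryEvent) TargetObject ends in ...\CurrentVersion\Run\<value> or RunOnce\<value>.
AUTORUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)
# An .exe placed directly under a top-level directory, e.g. C:\UserDotBJ\devbodsys.exe
ROOT_LEVEL_EXE_RE = re.compile(r"^[A-Za-z]:\\(?P<dir>[^\\]+)\\[^\\]+\.exe$", re.IGNORECASE)
# Top-level directories where an autorun target is unremarkable; anything else is worth a look.
EXPECTED_ROOT_DIRS = {"windows", "program files", "program files (x86)", "programdata", "users"}
# Per-user Startup folder, as seen in Sysmon Event ID 11 (FileCreate) TargetFilename.
STARTUP_EXE_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.IGNORECASE)
# Value name used by both detonations in this report.
KNOWN_VALUE_NAMES = {"parametr"}


def first_executable(command: str) -> str:
    """Extract the executable path from Run value data, dropping quotes and trailing arguments.
    An unquoted path containing spaces is truncated at the first space (accepted limitation)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def is_root_level_exe(path: str) -> bool:
    """True for X:\\<custom dir>\\<name>.exe, False for paths under the usual system directories."""
    m = ROOT_LEVEL_EXE_RE.match(path)
    return bool(m) and m.group("dir").lower() not in EXPECTED_ROOT_DIRS


def triage_events(events):
    """Return one finding per event that matches the report's persistence pattern."""
    findings = []
    for ev in events:
        if ev["event_id"] == 13:
            m = AUTORUN_KEY_RE.search(ev["target_object"])
            if not m:
                continue  # registry write outside Run/RunOnce: not in scope here
            exe = first_executable(ev["details"])
            reasons = []
            if is_root_level_exe(exe):
                reasons.append("autorun target is an .exe in a custom top-level directory")
            if m.group("value").lower() in KNOWN_VALUE_NAMES:
                reasons.append("value name matches this sample's persistence entry")
            if reasons:
                findings.append({"image": ev["image"], "indicator": ev["target_object"],
                                 "target": exe, "reasons": reasons})
        elif ev["event_id"] == 11 and STARTUP_EXE_RE.search(ev["target_filename"]):
            findings.append({"image": ev["image"], "indicator": ev["target_filename"],
                             "target": ev["target_filename"],
                             "reasons": ["executable written to the per-user Startup folder"]})
    return findings


# Constructed events modelled on the behavioral1 indicators, plus two benign entries that must not fire.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe"
HKU = r"HKU\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion"
SAMPLE_EVENTS = [
    {"event_id": 13, "image": DROPPER, "target_object": HKU + r"\Run\Parametr",
     "details": r"C:\UserDotBJ\devbodsys.exe"},
    {"event_id": 13, "image": DROPPER, "target_object": HKU + r"\RunOnce\Parametr",
     "details": r"C:\LabZGU\boddevec.exe"},
    {"event_id": 11, "image": DROPPER,
     "target_filename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"},
    # Benign: OneDrive autorun under the user profile, quoted and with an argument.
    {"event_id": 13, "image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "target_object": HKU + r"\Run\OneDrive",
     "details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    # Benign: ordinary temp file write.
    {"event_id": 11, "image": DROPPER, "target_filename": r"C:\Users\Admin\AppData\Local\Temp\tmp1.dat"},
]

if __name__ == "__main__":
    for f in triage_events(SAMPLE_EVENTS):
        print(f["image"], "->", f["indicator"], "|", "; ".join(f["reasons"]))
```

Run against the constructed events it reports the two Parametr values and the Startup drop and stays silent on the OneDrive entry, because that target lives under C:\Users\. The root-level-directory check is the reusable part; the value-name check is specific to this sample and will miss a variant that changes the name.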
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe | "C:\Users\Admin\AppData\Local\Temp\ae998668172efb675137f0cd0ab7580f3963b05eff9b663487f082a286523bc8.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe" |
| C:\AdobeDC\xdobec.exe | C:\AdobeDC\xdobec.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
All recorded traffic consists of reverse-DNS (PTR) lookups sent to 8.8.8.8; the in-addr.arpa names correspond to 199.232.210.172, 40.127.169.103, 20.166.126.56, 93.184.221.240, 2.18.121.71 and 52.111.243.29, and the last row's query name was not captured. The table does not attribute queries to a process, so Windows 10 background activity cannot be ruled out as their source; no other network activity is recorded within the 150s network window.
Files
Where the same path appears twice below with different hashes (253086396416_10.0_Admin.ini, optixloc.exe), two versions of that file were observed during the run. The "10.0" in the .ini name matches the NT version of this Windows 10 detonation host, just as "6.1" did on the Windows 7 run.
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxopti.exe
| MD5 | 4e3efe2b0794cea687e6b97bd9e09a17 |
| SHA1 | 5fad11be672baf5a40d8e41ee3cfd1cd0aa88d3b |
| SHA256 | 29e223ef13cd55d79cb3c5f8a044e43f117d0eca37c6e1b4d1bff8cf60e783f9 |
| SHA512 | 8e8b3f8c42976077c6bcd295c9ebebaebc774dac6eed7d799d2d7b6465354de9e060beec2c4554aa5134de82452af3efdabedcb98691645bd9352eebac3cc01a |
C:\AdobeDC\xdobec.exe
| MD5 | ac8b84de2ef02c209b5d436897654144 |
| SHA1 | 90217544818199d5acb207cab48505761046e6aa |
| SHA256 | bb8ecc3b20baee42891bb30c9a29ba745e684d3fe6317dddee036252c67d470b |
| SHA512 | 2c905b904f5a7ff51bb73ccee85288a9ff7cc5b6c6c62a5dd7f124ee4912357708d3020a69262db33410bd781d508daf4bb47938d3bb97aff9d194a7edaa0979 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 8d5aa016941f66628f1f1802f90c9e02 |
| SHA1 | b99cfe0c86bd8d3d8cb3054c34f411932e45acc4 |
| SHA256 | a9c2aec5e0acaf2fc4b7f1df598fdfed89a1aa1461ac898dd67e26cbdfedfe7b |
| SHA512 | 8a862ed6ed84d8b3051f877e8a943789c9f2d5489c1e7afb1d17cd2c1fe3fcb8c5c568e3ef01475a6b30ca3765d728cb2cd7e324d2e9377466e54e818942451e |
C:\MintFS\optixloc.exe
| MD5 | 911718cf9fd68249fa72550c9a0367ba |
| SHA1 | b7a5d5d83ad4e744a42fabc2fa997abf818816bd |
| SHA256 | 444a7cecaec95ce5f3c2e860928284efc3636f5deab7d8d502946d46b2287fef |
| SHA512 | add8f482a578cdecfde134dd0bba51f4518ce4cbdf588271fae780907bd10db82121aa1250deda8239013f16d683d82eba80d26960935e9bc31a313a5335242f |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | ba81e38dd0e9cff3aa09a79b0246d276 |
| SHA1 | 99bf7941e257a5dab1da1fddb383bc9a117aaf3d |
| SHA256 | ff24410626a87b464f8c8b3c5feac1d28fb898d2b1688934a0f9435271522d08 |
| SHA512 | 4dd4f0e95fd36fa2cc174ffad3638b12467678bb3a42cfd4a01b830cf379f5c70269a3a289c918403151f8b95839bbf9e2fbf006f31a6ab24d61e675adecf9af |
C:\MintFS\optixloc.exe
| MD5 | 0cf8f7a32b36373a305e984ab116b9f8 |
| SHA1 | f27519d66f8049af865a4c89dd91fc2c13c5d1b8 |
| SHA256 | 16db583900ad18d9db4a39ffd0ee8e799dd50c2e6b0835c2dfe56096dfded6a3 |
| SHA512 | 37033de9a9efeb58f5554c66370600de78fdd47f26e4c335e7dda1e04bec71486465c55d6e946decfb266ed2ef9561a116595c22a35521ba2a28726d7b8bb9c2 |