Analysis Overview
SHA256
f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47
Threat Level: Likely malicious
The file f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47 was found to be: Likely malicious.
Malicious Activity Summary
Credentials from Password Stores: Credentials from Web Browsers
Executes dropped EXE
Loads dropped DLL
Drops startup file
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-25 07:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-25 07:04
Reported
2024-08-25 07:07
Platform
win7-20240704-en
Max time kernel
149s
Max time network
19s
Command Line
Signatures
Credentials from Password Stores: Credentials from Web Browsers
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | C:\Users\Admin\AppData\Local\Temp\f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| N/A | N/A | C:\Adobe8V\xbodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe8V\\xbodec.exe" | C:\Users\Admin\AppData\Local\Temp\f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintEL\\optidevec.exe" | C:\Users\Admin\AppData\Local\Temp\f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Adobe8V\xbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47.exe
"C:\Users\Admin\AppData\Local\Temp\f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
C:\Adobe8V\xbodec.exe
C:\Adobe8V\xbodec.exe
Network
No traffic was captured in this run (network window 19 s).
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
| MD5 | 8a28d0e44b48692b977d78a3455d3a4d |
| SHA1 | b8b92cfaa7636ca9b6249148dd3667ef29e55a69 |
| SHA256 | 382b5e6426b7765c3e99b5815decaea3c09a39818508be060646bb083c166708 |
| SHA512 | a391e95f0da8112db283200acd890de50490c42ab4c94eedd00b1e32845c472b2e89dc2fc2697fb93142e27d26796a933ba73893fce95886e67bf088eb1f540f |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | b977c61a8fb8af6a51d3c6531c014f5f |
| SHA1 | b64201e0c7f2a31f0234898836c69a5ac7b4fdff |
| SHA256 | 9e9dfaadc9f5ae1a60f30d4ffad570004b5f13a60b1b61c801b3ba5c066faba1 |
| SHA512 | d8e30fdc00f46a4eb3bd632480525aebf412f9bd1b68f4e267425ebe5d64163106205dc398b92b2224b8c91e9ef987213bfe7da97cf1c8e9250befa9cd3deb59 |
C:\Adobe8V\xbodec.exe
| MD5 | dd6714b84eea143e14a55da1af4e9d15 |
| SHA1 | 5c1260255f6637b4a30f3d6f689a18622ececf89 |
| SHA256 | 0ba4fa6987f167a5c380e2e83afea63a16e425bbc752695cb8d4260b9ad94abe |
| SHA512 | 28fe060131f5df4567be3149f853340499277dac03a1217f4cb717dbf334765c136746d65e45b6d9f56c3481bd730700768729b1d9d228d980df416fbe02b581 |
C:\MintEL\optidevec.exe
| MD5 | b415c2e93a8786a1d5cc3a323a218afe |
| SHA1 | 97e8c1634e3430999262d6cd10608ceec7fa37b5 |
| SHA256 | c42d61cc7eb19c01457bc2a4190d0e2e6bacc52b21901c3c004a6676af3837d2 |
| SHA512 | 2c62ba493eba77a3d1e0edf0271bf21f4d11f592fbcefb54e7c26cce96f8bd2bf4c79dd845b630357f75d6c25e7f37b68bc196a518da234d0be7cbd1d877e2cc |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | fb6bdebe8286e03299783d382aca9a86 |
| SHA1 | 92106c47f3f763c2553fb0a5392b578107b63a24 |
| SHA256 | 4a603c03a9f8e5fd1d81b4672dbaa26de8c42c941c59d57135e8f7f408909552 |
| SHA512 | ba277d3dcdaa30e4a750e9b3da935cba64de3bb9e59234e211d76c1d65f52940fa23f40cd39ebc23d2788d43caa775a30b2f1e09a72da8775d49d0e8efc476fb |
C:\MintEL\optidevec.exe
| MD5 | 7bf8c86160101265338d76fb524ada3f |
| SHA1 | 097bf26caa3236d790a46c1dfb97df381cddb828 |
| SHA256 | 945d08f5a7b754c397be0c2c06041b0a2ab873cefb0621b5916c5d35da9c106a |
| SHA512 | 90cf0803a2a2d7b2b13ef22d30973b32efd3ce65891e5c0c6aac7ff088470e7f81cffced1868281d49d6e9613b5523660269077ce01e317d18f7b177e4a027a3 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-25 07:04
Reported
2024-08-25 07:07
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
124s
Command Line
Signatures
Credentials from Password Stores: Credentials from Web Browsers
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\Files1S\xbodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files1S\\xbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBOQ\\optiaec.exe" | C:\Users\Admin\AppData\Local\Temp\f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Files1S\xbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
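The two detonations above disagree on everything a signature writer would be tempted to match on: the drop directories (C:\Adobe8V, C:\MintEL on win7; C:\Files1S, C:\KaVBOQ on win10), the file names, the Startup-folder name and the user SID all change per run. What stays constant is the Run and RunOnce value name "Parametr", the target layout "<drive>:\<short random directory>\<name>.exe", and the fact that the writer is the sample running from %TEMP%. The following script is an added example, not part of the sandbox report or the sample's code: it converts the "Adds Run key" indicator rows from both runs into Sysmon-style Event ID 13 records and applies a detection built on those stable parts. The record shape (Image / TargetObject / Details), the benign comparison events and all helper names are assumptions of mine.

```python
"""Added example (not part of the sandbox report): turn the 'Adds Run key'
rows from both detonations into a host-independent detection and run it over
constructed Sysmon Event ID 13 (RegistryEvent SetValue) records.

Assumptions, mine rather than the report's: the record layout is a simplified
Sysmon rendering (Image / TargetObject / Details); the value name 'Parametr'
and the '<drive>:\\<short dir>\\<name>.exe' target layout are treated as the
stable parts because they repeat across the win7 and win10 runs while the
SIDs, directory names and file names change."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Indicator strings copied from the report's two behavioral analyses.
REPORT_INDICATORS = [
    r'\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe8V\\xbodec.exe"',
    r'\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintEL\\optidevec.exe"',
    r'\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files1S\\xbodloc.exe"',
    r'\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBOQ\\optiaec.exe"',
]
# Path of the submitted sample inside the sandbox, as shown in the report.
SAMPLE_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47.exe"

# Sandbox rendering: \REGISTRY\USER\<SID>\...\Run[Once]\<value> = "<data, backslashes doubled>"
INDICATOR_RE = re.compile(
    r'^\\REGISTRY\\USER\\(?P<sid>S-1-5-21-[\d-]+)\\'
    r'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\(?P<run>Run(?:Once)?)\\'
    r'(?P<value>[^\\=]+?)\s*=\s*"(?P<data>.*)"$', re.IGNORECASE)
# Sysmon TargetObject rendering of the same key.
RUNKEY_RE = re.compile(
    r'^HKU\\S-1-5-21-[\d-]+\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\'
    r'(?P<key>Run|RunOnce)\\(?P<value>[^\\]+)$', re.IGNORECASE)
# "<drive>:\<4-8 alphanumerics>\<5-10 lowercase letters>.exe": the shape of all
# four observed targets (Adobe8V, MintEL, Files1S, KaVBOQ).
ODD_ROOT_EXE_RE = re.compile(r'^[A-Za-z]:\\[A-Za-z0-9]{4,8}\\[a-z]{5,10}\.exe$')
# Writer running from %TEMP% or the per-user Startup folder (both seen in the report).
TEMP_OR_STARTUP_RE = re.compile(
    r'\\AppData\\(?:Local\\Temp|Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup)\\',
    re.IGNORECASE)


@dataclass(frozen=True)
class RegistrySetValue:
    image: str          # process that wrote the value
    target_object: str  # HKU\<SID>\...\Run[Once]\<value>
    details: str        # value data


def indicator_to_event(line: str, image: str) -> RegistrySetValue:
    """Rewrite one report indicator row into the Sysmon-style record."""
    m = INDICATOR_RE.match(line)
    if not m:
        raise ValueError(f"not a Run/RunOnce indicator: {line!r}")
    target = "\\".join(["HKU", m["sid"], "Software", "Microsoft", "Windows",
                        "CurrentVersion", m["run"], m["value"]])
    return RegistrySetValue(image, target, m["data"].replace("\\\\", "\\"))


def first_token(command: str) -> str:
    """Executable path from value data, with or without quotes and arguments."""
    command = command.strip()
    if command.startswith('"') and command.find('"', 1) > 0:
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]


def classify(ev: RegistrySetValue) -> list[str]:
    """Reasons this Run/RunOnce write looks like the reported persistence; [] if none."""
    m = RUNKEY_RE.match(ev.target_object)
    if not m:
        return []
    reasons = []
    if m["value"].lower() == "parametr":
        reasons.append(f"{m['key']} value named 'Parametr', identical in both detonations")
    exe = first_token(ev.details)
    if ODD_ROOT_EXE_RE.match(exe):
        reasons.append(f"target {exe} sits in a short random directory under the drive root")
    if TEMP_OR_STARTUP_RE.search(ev.image):
        reasons.append("written by a process running from %TEMP% or the Startup folder")
    return reasons


def scan(events: list[RegistrySetValue]) -> list[tuple[RegistrySetValue, list[str]]]:
    """Alert on the stable value name alone, or on two weaker signals together."""
    alerts = []
    for ev in events:
        reasons = classify(ev)
        if any("'Parametr'" in r for r in reasons) or len(reasons) >= 2:
            alerts.append((ev, reasons))
    return alerts


# Constructed benign writes (not from the report) that the rule must ignore.
BENIGN_EVENTS = [
    RegistrySetValue(
        r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
        r"HKU\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
        r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    RegistrySetValue(
        r"C:\Program Files\Vendor\setup.exe",
        r"HKU\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\VendorSetup",
        r"C:\Program Files\Vendor\finish.exe /silent"),
]


def sample_events() -> list[RegistrySetValue]:
    """The four report rows rewritten as events, plus the two constructed benign ones."""
    return [indicator_to_event(i, SAMPLE_IMAGE) for i in REPORT_INDICATORS] + BENIGN_EVENTS


if __name__ == "__main__":
    for ev, reasons in scan(sample_events()):
        print(ev.target_object, "<-", ev.details)
        for r in reasons:
            print("   -", r)
```

The value-name match fires on its own because it is the one token the dropper did not randomise; the directory-shape and writer-location checks are each weak alone (installers also write RunOnce, and plenty of software lives under short directory names) and only count together. When porting this to a real Sysmon pipeline, keep the SID wildcarded as above; the two SIDs in the report are sandbox artefacts.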
Processes
C:\Users\Admin\AppData\Local\Temp\f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47.exe
"C:\Users\Admin\AppData\Local\Temp\f16ec3661772f3ec574582df89e9d7fbb1e9c22216dba5eb011e366b62510c47.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
C:\Files1S\xbodloc.exe
C:\Files1S\xbodloc.exe
Network
The captured traffic consists only of reverse-DNS (PTR) lookups through 8.8.8.8 and HTTPS to tse1.mm.bing.net (a Microsoft Bing content host), which is the background traffic a Windows 10 image generates on its own. The report attributes none of it to the sample's processes, so no command-and-control endpoint can be taken from this run; the 124 s network window may also simply have been too short.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
| MD5 | 30822b51d1508e1fb9c14f48bee9f4d6 |
| SHA1 | 49faa70482c4db6f0865fe28fdc53e36d5702f1d |
| SHA256 | 9b86b025438597309fefd7edec837f855072cad3b290683374fd1e74b803dfab |
| SHA512 | 3eb5e31ef17a1bd01eaed70f57fa406f583e749139c899012c4e45af6e2b4fc5dec70ed0db70391798e5d9a815ccdaf687a94877f79475df2fa6397c3c2e946d |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | b50ad40c11403182bdd3e63fd2f51911 |
| SHA1 | c9debdced362fd3d73342c98095711c8e7618aab |
| SHA256 | b8fc3eea296c2bacd35667b83fec10a4096b7870d1a9bc5c98472912ece39010 |
| SHA512 | 5907498aea9387584b07cd26398a0b6eddab56db2f80dd98833002ef20fc6611ee873eeee8e9a7fb517917a4c61e838286647d7c2808b3f929679c3309edea4b |
C:\Files1S\xbodloc.exe
| MD5 | b368be22b6f3efa4cb1810b4e2cb27d5 |
| SHA1 | 96d9349871e2237380f6a6a964652272f27904cf |
| SHA256 | 0ce0efd3c2aeed662f19833d3c79744b8359494af12b382b3e7777d0c7994675 |
| SHA512 | af2f2195302b6a944a5992be11177f07c76f88b892b66482c2c157ae316974d20fe28185e8aebe84e480ad1d768f3116cf63f72f7876477c9534741de1d0a0c9 |
C:\Files1S\xbodloc.exe
| MD5 | d819e8ee1b49c3100c84602b07f39c53 |
| SHA1 | f4c9baf33cf7e8df4cd541409744556d79deb073 |
| SHA256 | 054a3b847575d76efa4f09ddce9e5ebc8fb8cc066cf2d57d3e8135f2260ad288 |
| SHA512 | 6da752a2e0b60aa9c41cf056d1635d92d92307749661034bba95b3a29d3cdb59298b2a87d7ec8fe7971e3e71e34e8714622d2d406bdd9f155c04399c92207484 |
C:\KaVBOQ\optiaec.exe
| MD5 | 5ce46de9d1c8ab23eeb8a98bb0b2232e |
| SHA1 | eb2b026ffaf5a7802065fa5971c5c4495fa6763a |
| SHA256 | 0f99b7bc2b192971b8bed8dbf4f50389b59e62d5cae4d0fbbb58657c2730a6b0 |
| SHA512 | 173969eb6ea4e493f9c0d1c1df5c1080fb72fc38f0fc13e5eaffdd7eeae658b9464603a66d0a918d3f86bca65b97dccfd201cd7d66c1758e452476026a290712 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | b2f7d5c0f9ce10cadf6f8273903220a8 |
| SHA1 | 4248a149860367004ad6017a93aef54a9b7dc5a5 |
| SHA256 | 40da32f78a992be999daa600bd51685178b79f968c5a170f4cd5b90825cc3df3 |
| SHA512 | cd4173132302e09a2f83391bbed64955f9384ce3be0da258c9fb9b7af5455df9c09d4f7a6c81924efd1ae3ad7435189c68dc795e5723c11c050b0b54326401fe |
C:\KaVBOQ\optiaec.exe
| MD5 | bb28c6c767235644c585e3bdd462431c |
| SHA1 | 987c425dae3cb9a528ffdb7ff7aaf3035a513775 |
| SHA256 | 2eebbdc69c18bfba0d93c84ec4c53d8bbc545b2a961fb13f80e83d4f9cdfbe96 |
| SHA512 | 52f7dd7b5d12ac5a40c919a048a57cc9f58eee83fb0c7ae54ce0b27af8770917013ed50f35fcc424a9ac2152c856aadd121a06a701a67fd6aa369c8a741b8643 |
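Two things in the Files sections are easy to miss when turning them into indicators: the same path (C:\MintEL\optidevec.exe, the .ini file, and likewise C:\Files1S\xbodloc.exe and C:\KaVBOQ\optiaec.exe on win10) is listed twice with different hashes, so the dropper rewrote those files after creating them and a hash list has to carry every value; and the marker file name 253086396416_6.1_Admin.ini / 253086396416_10.0_Admin.ini is a constant prefix plus the OS version and the user name, which is a path-shape indicator that survives the hash changes. The script below is an added example, not part of the sandbox report or the sample: it parses the win7 Files section as embedded here (SHA256 rows only; the parser accepts the other rows too), reports rewritten paths, recognises the marker file by shape, and sweeps a directory for hash matches. The sweep, the marker regex and all helper names are mine.

```python
"""Added example, not from the sandbox report: collect the dropped-file hashes
from the report's Files section into an IOC set, flag paths the report lists
with more than one hash (the dropper rewrote the file after creating it, so
every listed hash is needed), recognise the '253086396416_<osver>_<user>.ini'
marker by path shape, and sweep a directory for hash matches.

REPORT_FILES is copied from the win7 (behavioral1) Files section with only the
SHA256 rows kept; the sweep, the marker regex and all helper names are mine."""
from __future__ import annotations
import hashlib
import os
import re
import tempfile
from collections import defaultdict

REPORT_FILES = r"""
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
| SHA256 | 382b5e6426b7765c3e99b5815decaea3c09a39818508be060646bb083c166708 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| SHA256 | 9e9dfaadc9f5ae1a60f30d4ffad570004b5f13a60b1b61c801b3ba5c066faba1 |
C:\Adobe8V\xbodec.exe
| SHA256 | 0ba4fa6987f167a5c380e2e83afea63a16e425bbc752695cb8d4260b9ad94abe |
C:\MintEL\optidevec.exe
| SHA256 | c42d61cc7eb19c01457bc2a4190d0e2e6bacc52b21901c3c004a6676af3837d2 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| SHA256 | 4a603c03a9f8e5fd1d81b4672dbaa26de8c42c941c59d57135e8f7f408909552 |
C:\MintEL\optidevec.exe
| SHA256 | 945d08f5a7b754c397be0c2c06041b0a2ab873cefb0621b5916c5d35da9c106a |
"""

# One hash row of the report's table: | MD5 | <hex> |, | SHA256 | <hex> |, ...
HASH_ROW_RE = re.compile(r'^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$', re.IGNORECASE)
# C:\Users\<user>\253086396416_<major.minor>_<user>.ini: constant prefix, OS version
# (6.1 on the win7 run, 10.0 on the win10 run) and the user name repeated.
MARKER_INI_RE = re.compile(r'^[A-Za-z]:\\Users\\([^\\]+)\\253086396416_\d+\.\d+_\1\.ini$', re.IGNORECASE)


def parse_files_section(text: str) -> dict[str, list[dict[str, str]]]:
    """{path: [{algo: hexdigest}, ...]} with one dict per listing of that path."""
    files: dict[str, list[dict[str, str]]] = defaultdict(list)
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_ROW_RE.match(line)
        if m and current is not None:
            files[current][-1][m.group(1).upper()] = m.group(2).lower()
        elif not line.startswith("|"):
            current = line          # a path line opens a new listing
            files[current].append({})
    return dict(files)


def rewritten_paths(files: dict[str, list[dict[str, str]]]) -> list[str]:
    """Paths listed with more than one distinct SHA256: modified after being dropped."""
    return sorted(p for p, entries in files.items()
                  if len({e.get("SHA256") for e in entries}) > 1)


def ioc_hashes(files: dict[str, list[dict[str, str]]], algo: str = "SHA256") -> set[str]:
    return {e[algo] for entries in files.values() for e in entries if algo in e}


def is_marker_ini(path: str) -> bool:
    return MARKER_INI_RE.match(path) is not None


def hash_file(path: str, algo: str = "sha256", chunk: int = 1 << 20) -> str:
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: str, iocs: set[str], algo: str = "sha256") -> list[tuple[str, str]]:
    """Walk `root`; return (path, digest) for every file whose digest is in `iocs`."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            try:
                d = hash_file(p, algo)
            except OSError:
                continue  # locked or unreadable: skip it, do not abort the sweep
            if d in iocs:
                hits.append((p, d))
    return hits


FILES = parse_files_section(REPORT_FILES)
IOCS = ioc_hashes(FILES)


def self_check() -> tuple[bool, bool]:
    """Offline demonstration on a constructed file (not a report artifact)."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "constructed.bin")
        with open(p, "wb") as f:
            f.write(b"constructed sample content, not malware")
        own = hash_file(p)
        return sweep(d, IOCS) == [], sweep(d, {own}) == [(p, own)]
```

Feed the win10 Files section through the same parser to get the second hash set; the marker regex already covers both runs. Hashes of the randomly named payloads will not carry over to other infections of this family, so in practice the marker-file shape and the Run-key value name are the indicators worth deploying, with the hash set kept for confirming this exact sample.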