Analysis Overview
SHA256
ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236f
Threat Level: Shows suspicious behavior
The file ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN was given the verdict: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-25 21:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-25 21:58
Reported
2024-10-25 22:00
Platform
win7-20240903-en
Max time kernel
119s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | C:\Users\Admin\AppData\Local\Temp\ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| N/A | N/A | C:\IntelprocWQ\xdobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintIS\\optiasys.exe" | C:\Users\Admin\AppData\Local\Temp\ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocWQ\\xdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocWQ\xdobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe
"C:\Users\Admin\AppData\Local\Temp\ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
C:\IntelprocWQ\xdobloc.exe
C:\IntelprocWQ\xdobloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
| MD5 | 780ccad667ea0144ec02dc0ec0859238 |
| SHA1 | befeb186efd063930cbaab8c35555c22fb90bbe3 |
| SHA256 | a2be7d3a3c049df2b745be6519a9dd70c532aa7ab80b08befb579aa8a60d5227 |
| SHA512 | 92f6a1af6e3361d6636cabf1c0403e2ab75b9abed715c5dda9fe6993bda63339934b37eedfc2d2b9db2587c4199ceb45245d51a563b205c32d0b32cd021ce8ca |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | be52d496898e17064f24240b56ed9631 |
| SHA1 | bf78736f6d793cace9704ffdd8282eeed3ca2709 |
| SHA256 | 67f8ec9ac7d25942577ca7fe197c5cbe17329f35bb4035f66a61c2b5a37d59b1 |
| SHA512 | 0b3cc740f6754964d24ccfef936ad070062549ff2cb21a0e4731bc985229887f6900d0d0b6f90884694a32b56fe58cac7d853317e969a57aac1da097d1141d7c |
C:\IntelprocWQ\xdobloc.exe
| MD5 | b3cdfdddc4924c3980a844dba91b7965 |
| SHA1 | db5b5c0e57a7b2aad7c08eaa98c524556e66db59 |
| SHA256 | 020ba59ec97ab174829428f81b09697e3c189673887ae16596ea0c66031533a3 |
| SHA512 | 03d2610fdedfbd530c6587ff6aa61d488c742b1f5e06709fd4214b340206e34aec9d71fb56794576e7e3da7227b6fef91561c759481d9c90f43caef7831436dd |
C:\MintIS\optiasys.exe
| MD5 | 316445b2efca97fb1f7fba529ff72de0 |
| SHA1 | 81945f11cbf2baef52ec172f179fa43618ba3a8c |
| SHA256 | b7b704b22cd97e3ead48ade11b81b13ed6c51c61ba66cf9d6bf735fc1bcf52fe |
| SHA512 | 374a26346234699bd19628006b8251d8f33971f251bfad343fceefcfefccee54a677656c3a4cceb9d49b8bd8fa2a4c60ace009e10876af012e2ea4de5dc9c638 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 2e229de393f6dc3f4bfd48dbf596ea00 |
| SHA1 | 88ee8fd696bc9b6065edd0905b7aa5d5f0b536a2 |
| SHA256 | 1eb5d2637c6bc66e98b6544c209722e2a3eb851daaa4016daca99807961da5bf |
| SHA512 | d3581ebf1a8734231100c112d9f9f69423d1d4dacb8c35f888a33257a34852dd0ca6a20f8a4050549bd0330187aea82e7e9a8c5f298b6dd646c18807c648fbce |
C:\MintIS\optiasys.exe
| MD5 | 44e2cfa25c86ead731a8273f9cf975c5 |
| SHA1 | 9ad41bc40a6c4fc5df0aa623d1604646a43e0eab |
| SHA256 | 21a8ef39ea8dc18c5f704b055b2d3cc705bb5e4a4ac5e1f56fc2b11aa86638d9 |
| SHA512 | 7a32e0873e72f901f26c6029398c48952d4486c1268ad52b1463af843114d66fe00061ac44257c82fa30878cf01f450efcbbf85ca6727e4a8ecd045ff17d9785 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-25 21:58
Reported
2024-10-25 22:00
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
104s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | C:\Users\Admin\AppData\Local\Temp\ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| N/A | N/A | C:\SysDrv68\devbodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint2O\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv68\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrv68\devbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
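Both detonations (behavioral1 on win7, behavioral2 on win10) set the same persistence: a Run value and a RunOnce value, both named Parametr, pointing at an EXE directly under a freshly created top-level directory, plus an EXE dropped into the user's Startup folder. The directory and file names differ between the two runs, so the value name and the shape of the target path are the reusable detection hooks, not the paths themselves. The block below is an added example, not code from the report or the sandbox: it parses the report's registry indicator strings into structured IOCs and runs three rules over constructed Sysmon-style events (Event ID 13 for a registry value set, Event ID 11 for a file created). The event dictionaries, the list of "standard" top-level directories and the benign decoy events are assumptions made for the example; the indicator strings are copied from the tables above.

```python
"""Added example (not from the sandbox report): turn the report's persistence
indicators into structured IOCs and run a small detection over constructed
Sysmon-style events (Event ID 13 = registry value set, 11 = file created)."""
import re
from dataclasses import dataclass
from typing import Optional

# Registry indicators copied verbatim from the behavioral1 and behavioral2 tables.
REPORT_REGISTRY_INDICATORS = [
    r'\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintIS\\optiasys.exe"',
    r'\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocWQ\\xdobloc.exe"',
    r'\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint2O\\bodaloc.exe"',
    r'\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv68\\devbodloc.exe"',
]


@dataclass(frozen=True)
class RegistryIoc:
    hive: str            # "HKU" or "HKLM"
    sid: Optional[str]   # user SID under HKU, None for HKLM
    key: str             # key path below the hive (and SID)
    value: str           # value name
    data: str            # value data, with the report's doubled backslashes undone


_INDICATOR_RE = re.compile(
    r'^\\REGISTRY\\(?P<hive>USER|MACHINE)\\'
    r'(?:(?P<sid>S-1-5-[\d-]+)\\)?'
    r'(?P<key>.+?)\\(?P<value>[^\\]+) = "(?P<data>.*)"$',
    re.IGNORECASE,
)


def parse_registry_indicator(text: str) -> RegistryIoc:
    """Parse one registry indicator string exactly as the report prints it."""
    m = _INDICATOR_RE.match(text)
    if m is None:
        raise ValueError(f"unrecognised registry indicator: {text!r}")
    hive = "HKU" if m["hive"].upper() == "USER" else "HKLM"
    return RegistryIoc(hive, m["sid"], m["key"], m["value"], m["data"].replace("\\\\", "\\"))


# Autostart keys the report touches (Run, RunOnce); RunOnceEx added as a common sibling.
_AUTORUN_KEY_SUFFIXES = (
    "\\microsoft\\windows\\currentversion\\run",
    "\\microsoft\\windows\\currentversion\\runonce",
    "\\microsoft\\windows\\currentversion\\runonceex",
)
# Top-level directories a legitimate autorun target normally lives under (assumption; tune per estate).
_STANDARD_ROOT_DIRS = {"windows", "program files", "program files (x86)", "programdata", "users", "perflogs"}
_STARTUP_FOLDER = "\\microsoft\\windows\\start menu\\programs\\startup\\"
# <drive>:\<one directory>\<name>.exe, optionally quoted, optionally followed by arguments.
_ROOT_DIR_EXE_RE = re.compile(r'^"?[a-z]:\\([^\\"]+)\\[^\\"]+\.exe"?(?:\s|$)', re.IGNORECASE)


def is_autorun_key(key: str) -> bool:
    return key.lower().rstrip("\\").endswith(_AUTORUN_KEY_SUFFIXES)


def points_to_nonstandard_root_dir(command: str) -> bool:
    """True for targets like C:\\IntelprocWQ\\xdobloc.exe: an EXE sitting directly
    under a top-level directory that is not one of the standard Windows ones."""
    m = _ROOT_DIR_EXE_RE.match(command.strip())
    return m is not None and m.group(1).lower() not in _STANDARD_ROOT_DIRS


def is_startup_folder_drop(path: str) -> bool:
    p = path.lower()
    return _STARTUP_FOLDER in p and p.endswith(".exe")


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe"
_SID = "S-1-5-21-3063565911-2056067323-3330884624-1000"
# Constructed Sysmon-style events modelled on the behavioral1 run plus two benign decoys; not report data.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": DROPPER,
     "TargetObject": f"HKU\\{_SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Parametr",
     "Details": r"C:\IntelprocWQ\xdobloc.exe"},
    {"EventID": 13, "Image": DROPPER,
     "TargetObject": f"HKU\\{_SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Parametr",
     "Details": r"C:\MintIS\optiasys.exe"},
    {"EventID": 11, "Image": DROPPER,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"},
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",  # benign decoy
     "TargetObject": f"HKU\\{_SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"EventID": 11, "Image": DROPPER,  # file create outside the Startup folder: no rule should fire
     "TargetFilename": r"C:\Users\Admin\253086396416_6.1_Admin.ini"},
]


def evaluate(events) -> list:
    """Return (event index, rule name) pairs for every event that matches a rule."""
    hits = []
    for i, ev in enumerate(events):
        if ev["EventID"] == 13:
            key, _, value = ev["TargetObject"].rpartition("\\")
            if is_autorun_key(key):
                if value.lower() == "parametr":  # value name is constant across both detonations
                    hits.append((i, "autorun_value_named_parametr"))
                if points_to_nonstandard_root_dir(ev["Details"]):
                    hits.append((i, "autorun_target_in_nonstandard_root_dir"))
        elif ev["EventID"] == 11 and is_startup_folder_drop(ev["TargetFilename"]):
            hits.append((i, "exe_dropped_in_startup_folder"))
    return hits


if __name__ == "__main__":
    for ioc in map(parse_registry_indicator, REPORT_REGISTRY_INDICATORS):
        print(f"{ioc.hive}\\{ioc.sid}\\{ioc.key} -> {ioc.value} = {ioc.data}  autorun={is_autorun_key(ioc.key)}")
    for idx, rule in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The second rule generalises beyond this sample: any autorun value whose target is an EXE directly under a non-standard top-level directory is worth a look, whatever the directory is called. The first rule is the cheapest exact hook for this family but will miss a variant that renames the value; run both.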
Processes
C:\Users\Admin\AppData\Local\Temp\ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe
"C:\Users\Admin\AppData\Local\Temp\ce19770896b004f5cfbf593525f251f7421f4a5c6745b4443317e60937f1236fN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
C:\SysDrv68\devbodloc.exe
C:\SysDrv68\devbodloc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.11.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
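The report attributes none of these flows to a process, and the win7 run (behavioral1) recorded no network activity at all. The in-addr.arpa names are reverse (PTR) lookups sent to 8.8.8.8, and tse1.mm.bing.net is a Microsoft Bing content hostname that a stock Windows 10 image contacts on its own, so neither should be read as command-and-control without process attribution. What an analyst usually wants from this table is the list of addresses being reverse-resolved, which the sandbox prints only in PTR form. The block below is an added example, not code from the report: it decodes the PTR names back to IPv4 addresses and buckets the rows into lookups, connections that still need attribution, and likely OS background traffic. The rows are copied from the table above; the background-hostname suffix list is an analyst assumption.

```python
"""Added example (not from the report): triage the behavioral2 Network table by
decoding reverse-DNS (PTR) lookups back to IP addresses and separating them
from forward lookups and actual connections."""
import re
from collections import Counter

# Rows copied from the behavioral2 Network table: (country, destination, domain, proto).
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "217.106.137.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "107.209.201.84.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "68.32.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "88.156.103.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "104.219.191.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "197.87.175.4.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "101.11.19.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "171.39.242.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "72.209.201.84.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
] + [("US", "150.171.28.10:443", "tse1.mm.bing.net", "tcp")] * 4

# Hostnames a stock Windows 10 image contacts on its own (analyst assumption; extend per sandbox image).
OS_BACKGROUND_SUFFIXES = (".bing.net",)

_PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.IGNORECASE)


def ptr_name_to_ip(name: str):
    """'217.106.137.52.in-addr.arpa' -> '52.137.106.217'; None if not a valid IPv4 PTR name."""
    m = _PTR_RE.match(name)
    if m is None:
        return None
    octets = [int(o) for o in reversed(m.groups())]  # PTR names list the octets in reverse order
    if any(o > 255 for o in octets):
        return None
    return ".".join(str(o) for o in octets)


def triage(rows):
    """Split rows into decoded PTR lookups, forward lookups, connections needing
    attribution, and connections to known OS background hostnames."""
    result = {"ptr_lookups": [], "forward_lookups": [], "connections": Counter(), "background": Counter()}
    for _country, destination, domain, proto in rows:
        host, _, port = destination.rpartition(":")
        if port == "53" and proto == "udp":
            ip = ptr_name_to_ip(domain)
            if ip:
                result["ptr_lookups"].append(ip)
            else:
                result["forward_lookups"].append(domain)
            continue
        bucket = "background" if domain.lower().endswith(OS_BACKGROUND_SUFFIXES) else "connections"
        result[bucket][(domain, host, int(port), proto)] += 1
    return result


if __name__ == "__main__":
    t = triage(NETWORK_ROWS)
    print("reverse lookups for:", ", ".join(t["ptr_lookups"]))
    print("forward lookups:", t["forward_lookups"])
    print("connections needing attribution:", dict(t["connections"]))
    print("likely OS background:", dict(t["background"]))
```

For this table the "connections needing attribution" bucket comes out empty; the decoded addresses are the only thing left to pivot on, and even those need a process name from a second run with network capture before they become indicators.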
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
| MD5 | 42472c97ae690a783407696e705512c2 |
| SHA1 | 9ae503015a10ac10215f510cd963ce50bcf030a4 |
| SHA256 | 5488aa257d3d80eac18ec0f7692edd2d8f39aee471a0b9f2b8f61d37c86e7bf6 |
| SHA512 | 27e6b4fedf76cab37c3fd05202cef550560e40d3cfa13291d59d08a0a656b51f1602fded405a17004f0085f9b9e1768d8c7a039247c305a268a2da06251d3aa7 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | a03e6643c7e69b1ce51f263f03ade424 |
| SHA1 | d5cb52a08e58566ae4108521a533532c9ee4ee70 |
| SHA256 | 6555ffcddf7aa3584b2a84a8ea19147adbd9286be9c4466f1d2d1e83c5bae758 |
| SHA512 | f1379042e526d94bd7523799d98cb189925ad98c0e1f044266d7388e700621a5bd98ded705a1266ac47748b170ddf39de6d652426b4c0c03e8e2c940c39ebcb0 |
C:\SysDrv68\devbodloc.exe
| MD5 | 2e0a4a7ccbc58b27e2167d9a09f0483d |
| SHA1 | 230dd356d8df019a8836c7178b1b1e980f3b257d |
| SHA256 | 71c12cbd1f4745b0ae34fb3276d21874d8318e1a3cb98d0dea86acc71622173d |
| SHA512 | 3e79591cad3b02928d2babb7f7e059374a0dae991243917b9d31f272aa52327d2881875810af9deb36adc9add69b281e4f64babc5f2bcfde75266651267ef97b |
C:\Mint2O\bodaloc.exe
| MD5 | 303b307276dd29f1f8dfbd38549ed1bb |
| SHA1 | f710a41926631e06dab01666a1130f39b40e4cea |
| SHA256 | 6f46e5d6db4932010bef427521575c827cec17fd995220680dab7796a06a4d30 |
| SHA512 | 6aad15bdc7d24357d6643bbd259107a8f75368067f51d0141b80c116b620fc4f4ac3b28959a56cfb04a8a2a0c538dd217121d524d31c60724a8796e49a22c129 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | fc893a099681b6820a664cc9ded89444 |
| SHA1 | 6b53c014a11870e2525a7e0bda6ff4c0bc11424c |
| SHA256 | 2b58304619b9f0f07826dd5ec25484c9ce83f179cb5a1d5c39c4e8aa337b48ca |
| SHA512 | b365010c63c7f7462ba6e11934fe3c967dafebda53faa7615130b1cd3830c14dae9df27b710c28b9b60d090f8e1fe772639960c744b963a0564f32d6b7811ed5 |
C:\Mint2O\bodaloc.exe
| MD5 | 06e2e9207517673319e7cfe17b6d36ba |
| SHA1 | 87ad64c872fd68deb5093263a3250c5644a5934d |
| SHA256 | 57531a697780f6200f5230412c30e1f6ffc7bd35ef2089c88fdb18197cb70e85 |
| SHA512 | 56da74f51d9b534bea9a1a93f1c0d6eb05296bb5a5ab95f6f308f4aba3016f819c42357d6fbced9d8e3100419bedb5b47ea3be1ef96f27a5cd05ae6a1262df11 |
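Reading the two Files sections side by side: no hash appears in both runs, every directory and EXE name changes between runs, and the same path is listed twice with different hashes (the .ini and the RunOnce target in each run), meaning the file was written more than once during the detonation. The one file name that keeps its shape is the .ini, which embeds what looks like the Windows version (6.1 on the win7 run, 10.0 on the win10 run) and the user name. The block below is an added example, not code from the report: it takes the (path, SHA256) pairs from the tables, reports overwritten paths and cross-run hash overlap, and reduces each path to a hunting pattern so the stable artefacts can be compared. The regular expressions, the "per-run" labelling of the names, and the assumption that a report path with no drive letter is on C: are the example's own.

```python
"""Added example (not from the report): compare the dropped-file artefacts of the
two detonations to see which indicators survive from run to run."""
import re

# (path, sha256) pairs copied from the behavioral1 (win7) and behavioral2 (win10) Files tables.
RUN1_FILES = [
    (r"\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe",
     "a2be7d3a3c049df2b745be6519a9dd70c532aa7ab80b08befb579aa8a60d5227"),
    (r"C:\Users\Admin\253086396416_6.1_Admin.ini",
     "67f8ec9ac7d25942577ca7fe197c5cbe17329f35bb4035f66a61c2b5a37d59b1"),
    (r"C:\IntelprocWQ\xdobloc.exe",
     "020ba59ec97ab174829428f81b09697e3c189673887ae16596ea0c66031533a3"),
    (r"C:\MintIS\optiasys.exe",
     "b7b704b22cd97e3ead48ade11b81b13ed6c51c61ba66cf9d6bf735fc1bcf52fe"),
    (r"C:\Users\Admin\253086396416_6.1_Admin.ini",
     "1eb5d2637c6bc66e98b6544c209722e2a3eb851daaa4016daca99807961da5bf"),
    (r"C:\MintIS\optiasys.exe",
     "21a8ef39ea8dc18c5f704b055b2d3cc705bb5e4a4ac5e1f56fc2b11aa86638d9"),
]
RUN2_FILES = [
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe",
     "5488aa257d3d80eac18ec0f7692edd2d8f39aee471a0b9f2b8f61d37c86e7bf6"),
    (r"C:\Users\Admin\253086396416_10.0_Admin.ini",
     "6555ffcddf7aa3584b2a84a8ea19147adbd9286be9c4466f1d2d1e83c5bae758"),
    (r"C:\SysDrv68\devbodloc.exe",
     "71c12cbd1f4745b0ae34fb3276d21874d8318e1a3cb98d0dea86acc71622173d"),
    (r"C:\Mint2O\bodaloc.exe",
     "6f46e5d6db4932010bef427521575c827cec17fd995220680dab7796a06a4d30"),
    (r"C:\Users\Admin\253086396416_10.0_Admin.ini",
     "2b58304619b9f0f07826dd5ec25484c9ce83f179cb5a1d5c39c4e8aa337b48ca"),
    (r"C:\Mint2O\bodaloc.exe",
     "57531a697780f6200f5230412c30e1f6ffc7bd35ef2089c88fdb18197cb70e85"),
]

# <digits>_<major.minor>_<user>.ini directly under the user's profile; the trailing user
# name must equal the profile directory name (backreference).
INI_RE = re.compile(r"^c:\\users\\(?P<user>[^\\]+)\\\d+_\d+\.\d+_(?P=user)\.ini$", re.IGNORECASE)
STARTUP_RE = re.compile(
    r"^c:\\users\\[^\\]+\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\[^\\]+\.exe$",
    re.IGNORECASE)
ROOT_DIR_EXE_RE = re.compile(r"^c:\\(?P<dir>[^\\]+)\\[^\\]+\.exe$", re.IGNORECASE)
# Top-level directories that legitimately hold executables (assumption; tune per estate).
STANDARD_ROOT_DIRS = {"windows", "program files", "program files (x86)", "programdata", "users", "perflogs"}


def overwritten_paths(files):
    """Paths that appear with more than one distinct hash, i.e. were written more than once."""
    seen = {}
    for path, sha in files:
        seen.setdefault(path.lower(), set()).add(sha)
    return {p for p, hashes in seen.items() if len(hashes) > 1}


def shared_hashes(a, b):
    return {sha for _, sha in a} & {sha for _, sha in b}


def artifact_shape(path: str) -> str:
    """Reduce a concrete path to the pattern worth hunting for."""
    if path.startswith("\\"):  # assumption: the report omits the drive letter for the system drive
        path = "C:" + path
    if INI_RE.match(path):
        return r"C:\Users\<user>\<digits>_<os-version>_<user>.ini"
    if STARTUP_RE.match(path):
        return r"C:\Users\<user>\...\Startup\<per-run-name>.exe"
    m = ROOT_DIR_EXE_RE.match(path)
    if m and m["dir"].lower() not in STANDARD_ROOT_DIRS:
        return r"C:\<per-run-dir>\<per-run-name>.exe"
    return path  # nothing to generalise


def stable_shapes(a, b):
    """Artefact patterns present in both runs."""
    return {artifact_shape(p) for p, _ in a} & {artifact_shape(p) for p, _ in b}


if __name__ == "__main__":
    print("overwritten in run 1:", sorted(overwritten_paths(RUN1_FILES)))
    print("overwritten in run 2:", sorted(overwritten_paths(RUN2_FILES)))
    print("hashes shared across runs:", shared_hashes(RUN1_FILES, RUN2_FILES) or "none")
    for shape in sorted(stable_shapes(RUN1_FILES, RUN2_FILES)):
        print("stable artefact:", shape)
```

The practical consequence: the MD5/SHA1/SHA256/SHA512 values in the tables identify these two detonations, not the family; a hunt should key on the Startup-folder EXE drop, the .ini naming pattern and the EXE-under-a-new-top-level-directory pattern, and on the Parametr Run/RunOnce value from the Signatures sections.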