Analysis Overview
SHA256
5f2f5f1fc8830cf812d9bfafeb59b2917f3be149bfc35beeba3ec993c59b2992
Threat Level: Shows suspicious behavior
The file 5f2f5f1fc8830cf812d9bfafeb59b2917f3be149bfc35beeba3ec993c59b2992N was classified as: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-25 22:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-25 22:22
Reported
2024-10-25 22:24
Platform
win7-20241010-en
Max time kernel
120s
Max time network
19s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | C:\Users\Admin\AppData\Local\Temp\5f2f5f1fc8830cf812d9bfafeb59b2917f3be149bfc35beeba3ec993c59b2992N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| N/A | N/A | C:\UserDotM5\devbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5f2f5f1fc8830cf812d9bfafeb59b2917f3be149bfc35beeba3ec993c59b2992N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5f2f5f1fc8830cf812d9bfafeb59b2917f3be149bfc35beeba3ec993c59b2992N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotM5\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\5f2f5f1fc8830cf812d9bfafeb59b2917f3be149bfc35beeba3ec993c59b2992N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidHV\\optiasys.exe" | C:\Users\Admin\AppData\Local\Temp\5f2f5f1fc8830cf812d9bfafeb59b2917f3be149bfc35beeba3ec993c59b2992N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5f2f5f1fc8830cf812d9bfafeb59b2917f3be149bfc35beeba3ec993c59b2992N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotM5\devbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5f2f5f1fc8830cf812d9bfafeb59b2917f3be149bfc35beeba3ec993c59b2992N.exe
"C:\Users\Admin\AppData\Local\Temp\5f2f5f1fc8830cf812d9bfafeb59b2917f3be149bfc35beeba3ec993c59b2992N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
C:\UserDotM5\devbodloc.exe
C:\UserDotM5\devbodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
| MD5 | 32a573e7b9f42f8aa1ab75689ee33885 |
| SHA1 | adc145c574d2c2bbb3309d6909329603f113001c |
| SHA256 | a79dcf501fcab79f97649ced5262b25b06bc979ba9706d9466b4348c4e73c047 |
| SHA512 | d634c92625294e20943bff9b54e68249643c438e132be3e7f02cc997df19c61494d29556de001c32b480eca73555095737893959f8e95481807da1ec5b09df91 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 031c5d231d6468423cac51eba6a7ff67 |
| SHA1 | 76bd1fe94b5d8da029cf934a92cb8b5194f5ea78 |
| SHA256 | 3af267fd96b48e102f064d6eccd1e721f350ed31ac29ed1386dbef379902fdb1 |
| SHA512 | e0dfb455e134dd8793bacecd41cfd020d55cb3f2db9e42f7a313f70f89a71eef11f760ac8252ba9ce961f23556779eab43a9ed9e528fa120ea18c478889cc2ca |
C:\UserDotM5\devbodloc.exe
| MD5 | bbba37f4de4f46eba94000a38b17a15c |
| SHA1 | 835ddb100baf2bf6ecafa0eb53928792949731c1 |
| SHA256 | a539f8fbb9e4a3fcbe953260f41b6ba056abd5fc7635376411947a0eb4148d59 |
| SHA512 | 6a54178a51dc78911a3a98272887b3cbc558bf1f2eece6a9d3bb8f7bdbcf05d794c40c0eb9dfb0a506b83e5b9b79d6ded974d39c00d3b3381a6acbc4ead8c194 |
C:\VidHV\optiasys.exe
| MD5 | bae2e767294b0a7f9cf45f797ab80a7c |
| SHA1 | 1a71ee16213e663270f01135d60f6fbae2f7d2e4 |
| SHA256 | fd2b3363e5e359e5ca065ff6e3169dee5e97507d4c92c5d212f4c899b2f69eba |
| SHA512 | 631ad06bdb91c80e27b209e34a9cccbd973f2096d3ebcf06c0a7a19992440ff335d583922453759e199a3ad3490f5bdfef19a1445e361bc312d093f8b889e0fa |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 8ef782ba36cae86fb6f64eeab07dda02 |
| SHA1 | 6653474cecdb05a68ddaf0e310da732e685555c0 |
| SHA256 | 54117748254ef38b6890f720a15dc85e21fb9b63e6e5ffff07fb962829a82af0 |
| SHA512 | c008cb75371c73afe4bc2aa617b28400bdc0ef650df0a3275075b0accc698634ee07b2e9e521a2f10b973707510c9f07e4391f82b7d5b687465996e1d459a0e1 |
C:\VidHV\optiasys.exe
| MD5 | d4a5de436c77964d5d810419c24fbc58 |
| SHA1 | 3b195c702687fe2179fe3d8862e4053e39e7f9dc |
| SHA256 | 0f4d937f6c90f72275b068d7f16091d21fad8379679d14b760da43696144d495 |
| SHA512 | 699df13c4018502ab25fe267bc8fdd9a277d40ab5c2aa6c70ccc0b33826a935842e55e139e00a34eac2c6ce4194fb7df5e01ca2696492dd5df501e153bc2fe93 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-25 22:22
Reported
2024-10-25 22:24
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
105s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | C:\Users\Admin\AppData\Local\Temp\5f2f5f1fc8830cf812d9bfafeb59b2917f3be149bfc35beeba3ec993c59b2992N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| N/A | N/A | C:\UserDot22\aoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot22\\aoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\5f2f5f1fc8830cf812d9bfafeb59b2917f3be149bfc35beeba3ec993c59b2992N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxA3\\optiaec.exe" | C:\Users\Admin\AppData\Local\Temp\5f2f5f1fc8830cf812d9bfafeb59b2917f3be149bfc35beeba3ec993c59b2992N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5f2f5f1fc8830cf812d9bfafeb59b2917f3be149bfc35beeba3ec993c59b2992N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDot22\aoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5f2f5f1fc8830cf812d9bfafeb59b2917f3be149bfc35beeba3ec993c59b2992N.exe
"C:\Users\Admin\AppData\Local\Temp\5f2f5f1fc8830cf812d9bfafeb59b2917f3be149bfc35beeba3ec993c59b2992N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
C:\UserDot22\aoptiec.exe
C:\UserDot22\aoptiec.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
| MD5 | 28373e0bf1bb87887a88eeca268f8546 |
| SHA1 | 1cfd6a2712569543349cc47e5518eedd94c6ab11 |
| SHA256 | 59f84dde1b2b613e48be2c578f7284d73fb1f33196d3e3e38085fb7ba4392a3b |
| SHA512 | e3be1792e33ba287d699fcc455d21ea99e918b40a3a5d7b13e0f37e2684860edae812aee2765aa7c912830a36ee68533e74f656bc68dbc7d6c5dc9bd49ba449f |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 31901043fbc8afaf8e91de9caf068c1e |
| SHA1 | 54e98ada0715d01ad9beba3250c1991de5563f29 |
| SHA256 | c4ab7b31a9675d3f54b04d90a334e47423afa47a89a4642a91a52cf8232c2ac1 |
| SHA512 | 450b033310d6d40a26dfce0fc26c38e91a603b295d8003ee1b6da47feeb7191795ba792088e86022fc9ee04ce459d882b493020edaa46739f4d6984c37fa2ea4 |
C:\UserDot22\aoptiec.exe
| MD5 | 24e1ae4bd0ede641ff63b8b44ed50b1e |
| SHA1 | 4c4a3a7b1337ccb649fa98ef07cc31c807cdc72e |
| SHA256 | a083c6012553a1bc133f22bf04678e1245af759414ccf75a9dc35e6f6e4d86d0 |
| SHA512 | 04236bd69a0b6784d243e663e6814c2c338a530060144c5c87476c889ae974e648923b4860fec87c4c20e67c225048dbf3e62dceedd82050553b50b3991cf295 |
C:\GalaxA3\optiaec.exe
| MD5 | 66c963a84ec09972dae9bddc3c0173b0 |
| SHA1 | 0ebf33a5bbbbd8f18ada683d392c8ff4d6cabc14 |
| SHA256 | f63b79f33bc678388dc6cd855fd107bd4d26d3366b0be0f3200642fe52733694 |
| SHA512 | d6e0612957d5e8a18b9b5ef2c043a50fba97c5e32e3029d776eb99047b854cf1d137512bc91820063400172161a8ba41eef1d1a8ea3fe7f076dc34223308d18a |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 8d0cfb4d58fde24c07ac4da2cfd5d5c9 |
| SHA1 | 7651913a4422b1558a71fad26f3f21caf7b5f5b0 |
| SHA256 | 6d6c15e7fb80cbc6cb34fd4df91344d20da9950e7805e37ba6ea31cee5c5ef43 |
| SHA512 | a2d6a78d7355026d4204dd32cad24e10a1874b1f377d2b55d8b5c4b599c04d6a148c794f5cb9553acdf68428b41d4d04bf80cec7f29aa91b226342e8c001c011 |
C:\GalaxA3\optiaec.exe
| MD5 | 58962d0691e4bf1dec3b4f5d5fe7bc4e |
| SHA1 | 8508ea5c016af61cd8e02deeaf768af03b06024c |
| SHA256 | f1073cecf54701e62fd32ee77f35632e88e17c3b12b12ba30d679d09bacfe6fd |
| SHA512 | 12d30e726a190f8e7ca40f0437dcc0908bd9805ed4a4b8d24843026ce374ea6d9ac8591b52bb937c08c5078c9c634d0255ca88e86b18ed606b53a135a0dd14ae |
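Both detonations above execute the same persistence routine with different per-run names: behavioral1 drops ecadob.exe into the Startup folder and points Run\Parametr and RunOnce\Parametr at C:\UserDotM5\devbodloc.exe and C:\VidHV\optiasys.exe; behavioral2 does the same with ecdevopti.exe, C:\UserDot22\aoptiec.exe and C:\GalaxA3\optiaec.exe. Only the value name "Parametr" and the structure (an autorun entry pointing at a freshly created top-level directory, written by a process running from %TEMP%) stay constant, so a detection has to key on where the persistence points rather than on filenames. The following Python is an added example written for this page, not sandbox or vendor code. It runs that logic over constructed Sysmon-style events (event ID 11 for file creation, 13 for registry value set; the field names are assumed) modelled on the behavioral1 rows, plus two benign control events, and correlates a process that both drops into Startup and writes a Run value.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events mirroring the behavioral1 signature rows.
# Field names ("id", "image", "target", "details") are assumed for this example;
# the rows are hand-written, not sandbox output.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5f2f5f1fc8830cf812d9bfafeb59b2917f3be149bfc35beeba3ec993c59b2992N.exe"
SID = "S-1-5-21-3692679935-4019334568-335155002-1000"


def user_key(sid: str, tail: str) -> str:
    """Build a \\REGISTRY\\USER\\<sid>\\<tail> path in the report's own notation."""
    return "\\REGISTRY\\USER\\" + sid + "\\" + tail


SAMPLE_EVENTS = [
    {"id": 11, "image": SAMPLE,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"},
    # Details kept in the report's quoted, backslash-doubled form to exercise normalisation.
    {"id": 13, "image": SAMPLE,
     "target": user_key(SID, r"Software\Microsoft\Windows\CurrentVersion\Run\Parametr"),
     "details": r'"C:\\UserDotM5\\devbodloc.exe"'},
    {"id": 13, "image": SAMPLE,
     "target": user_key(SID, r"Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr"),
     "details": r'"C:\\VidHV\\optiasys.exe"'},
    # Benign controls (constructed): a vendor updater registering itself from
    # Program Files, and a user shortcut in Startup. Neither should fire.
    {"id": 13, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r"C:\Program Files\Vendor\updater.exe"},
    {"id": 11, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notes.lnk"},
]

# Match on the key tail so both \REGISTRY\USER\... and HKU\... spellings work.
RUN_VALUE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\([^\\]+)$", re.I)
STARTUP_EXE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\", re.I)
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def normalize_path(value: str) -> str:
    """Strip report-style quoting and doubled backslashes from a registry value."""
    return value.strip().strip('"').replace("\\\\", "\\")


def is_trusted(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)


def detect(events):
    """Return findings for autorun values pointing outside trusted roots, executable
    drops into the Startup folder by a process in a user-writable location, and a
    per-process correlation of the two."""
    findings = []
    tags = defaultdict(set)
    for ev in events:
        img = ev["image"]
        if ev["id"] == 13:
            m = RUN_VALUE.search(ev["target"])
            if not m:
                continue
            data = normalize_path(ev.get("details", ""))
            # The target location is the signal; "Parametr" and the exe name vary per run.
            if not is_trusted(data):
                findings.append({"rule": "run_value_untrusted_target", "image": img,
                                 "key": "RunOnce" if m.group(1) else "Run",
                                 "value": m.group(2), "data": data})
                tags[img].add("runkey")
        elif ev["id"] == 11:
            if STARTUP_EXE.search(ev["target"]) and USER_WRITABLE.match(img):
                findings.append({"rule": "startup_folder_exe_drop", "image": img,
                                 "file": ev["target"]})
                tags[img].add("startup")
    for img, seen in tags.items():
        if {"runkey", "startup"} <= seen:
            findings.append({"rule": "dual_persistence_same_process", "image": img})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Two caveats when turning this into a production rule. The "System Language Discovery" rows (opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language) are also produced by ordinary locale lookups in benign software and should only add weight alongside the persistence findings, never fire alone. The behavioral2 network rows (g.bing.com, tse1.mm.bing.net and the in-addr.arpa lookups via 8.8.8.8) are consistent with Windows 10 background traffic and the report attributes none of them to the sample's processes, so the host artifacts and file hashes above are the actionable indicators from these detonations.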