Analysis Overview
SHA256
fc196cd65e2768cd1697ea0079697ca596fbf0182eae1173b4efc7b55e6d5c55
Threat Level: Shows suspicious behavior
The file fc196cd65e2768cd1697ea0079697ca596fbf0182eae1173b4efc7b55e6d5c55N was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Loads dropped DLL
Drops startup file
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-26 00:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-26 00:12
Reported
2024-10-26 00:14
Platform
win7-20240903-en
Max time kernel
120s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | C:\Users\Admin\AppData\Local\Temp\fc196cd65e2768cd1697ea0079697ca596fbf0182eae1173b4efc7b55e6d5c55N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| N/A | N/A | C:\AdobeUO\xoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fc196cd65e2768cd1697ea0079697ca596fbf0182eae1173b4efc7b55e6d5c55N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fc196cd65e2768cd1697ea0079697ca596fbf0182eae1173b4efc7b55e6d5c55N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeUO\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\fc196cd65e2768cd1697ea0079697ca596fbf0182eae1173b4efc7b55e6d5c55N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxIH\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\fc196cd65e2768cd1697ea0079697ca596fbf0182eae1173b4efc7b55e6d5c55N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fc196cd65e2768cd1697ea0079697ca596fbf0182eae1173b4efc7b55e6d5c55N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeUO\xoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fc196cd65e2768cd1697ea0079697ca596fbf0182eae1173b4efc7b55e6d5c55N.exe
"C:\Users\Admin\AppData\Local\Temp\fc196cd65e2768cd1697ea0079697ca596fbf0182eae1173b4efc7b55e6d5c55N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
C:\AdobeUO\xoptiec.exe
C:\AdobeUO\xoptiec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
| MD5 | f854e8e23a4e852024226e2865eb7c7e |
| SHA1 | 6d7fd6b94a9d068ced4dc246b4a8349282fb6e2b |
| SHA256 | aa4937fea1ea0fce809e6e3980943b212198db1f71464ea2c5daddb6a8c7cd67 |
| SHA512 | bf5f5ede0c878ebbfa1b285cb0f681c400887d87dc7bae335c443ebfc278a7abecb38b703a12bf956d78423db74b3765629c1a6439bb085832f16b733caa7bbe |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 0c61154b9ca7113fcbe6c2f4c67e15c3 |
| SHA1 | 851d65913064140c8ea4c0d96a21812da2cd5fe6 |
| SHA256 | f2d73691031bda161f82e28e858ae6bf0c5c38f85db7974b421938521542f2f5 |
| SHA512 | 211a629fecf9d224545d7a30fc170c8c7f5a016062dae3ca42f5047528fa3d1ee935a1e4cac4922e9f59533f5605e5f30463b26975e60c28faca34d2cbfde053 |
C:\AdobeUO\xoptiec.exe
| MD5 | 3a2395ec7103eb8947e678c0173f4eb4 |
| SHA1 | a1355e95741d3c4fd57b14add000eb3d9e9573e2 |
| SHA256 | 5cf683fcff4ebd21ac304259b331bfd7e0ea68180d8f13570512d0cdbc479215 |
| SHA512 | ca2d1d0dd122b16c0d29bb884e8aa258df53519e6dd768a9177e0d47649c77f32caf25382e8eedbb81e7b4456d8dcd52570777ab65282d46fdb4a6b622b471dd |
C:\GalaxIH\dobdevec.exe
| MD5 | ace2214fa9d9c241b4f87ba16eafc6d0 |
| SHA1 | b2a90935500fbfae6ff71b1ab97972d58aa8fa1b |
| SHA256 | c0501d776512f1db7ff9b37c9788c7ba5d1f1566424e47c0b5b8b13c9fac7145 |
| SHA512 | 9d2c9e8f80e3e9c9a1d4f3e5d7ddd591eaa14a9d6f65e73c8692935c3fcd1ebc96ce8784853b63ce24cbb8aa07f06da07325770881d62ff4dc5f0757dcf486cc |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 16f60b429e68d5719235976ce06e65f5 |
| SHA1 | 62d31d5967e0a783935016695d858a8495e3090e |
| SHA256 | 1289172641c63b485add18a9588fcb94ce23e802c5c9ab5e9170819220095b67 |
| SHA512 | b53e1fa10b4f9d1f22d421f43e897fe892d382133d02a71f01e27a16216dd90f5035914a094da30ef00bcab8eef9b0e92eb85a47e4d025f996580a14d009fefe |
C:\GalaxIH\dobdevec.exe
| MD5 | d9b37001faea8a16d9d78134d40de92d |
| SHA1 | a3906e125df8a1fb2fab7d0c316928e8abfa22a8 |
| SHA256 | a0d7ee9c1aa2e6779076085b6c52cff260fa5865d2858f0fb3932766039a6dcd |
| SHA512 | 7b6c61c1cebeb5f2b7b4db9f35e777645179f581f6a70cc4e5b02b23d5c6c23ba78269a12f621bd727a353212b6d40023d35dcc6f5518c7fc99c16fe7a978f8e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-26 00:12
Reported
2024-10-26 00:14
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
102s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | C:\Users\Admin\AppData\Local\Temp\fc196cd65e2768cd1697ea0079697ca596fbf0182eae1173b4efc7b55e6d5c55N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| N/A | N/A | C:\UserDotSR\xbodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotSR\\xbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\fc196cd65e2768cd1697ea0079697ca596fbf0182eae1173b4efc7b55e6d5c55N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidB7\\optidevec.exe" | C:\Users\Admin\AppData\Local\Temp\fc196cd65e2768cd1697ea0079697ca596fbf0182eae1173b4efc7b55e6d5c55N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fc196cd65e2768cd1697ea0079697ca596fbf0182eae1173b4efc7b55e6d5c55N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotSR\xbodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fc196cd65e2768cd1697ea0079697ca596fbf0182eae1173b4efc7b55e6d5c55N.exe
"C:\Users\Admin\AppData\Local\Temp\fc196cd65e2768cd1697ea0079697ca596fbf0182eae1173b4efc7b55e6d5c55N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
C:\UserDotSR\xbodsys.exe
C:\UserDotSR\xbodsys.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.108.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 110.11.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.108.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
| MD5 | d4b90ad1c368ee15878155375037f4cc |
| SHA1 | c77714b0f6a7baaa51b626df7c2b81cdb762e545 |
| SHA256 | 0366373f1f3fa9b5a0b05fd0dcaf02b1004d26c5fbe8b7908cf3fcf955597cf9 |
| SHA512 | cd46b2af7e7f15b1f7407421c11622536deb38406c581f4ebc0a78cf5e11875b974929b04a9be78f52f3019205e9b18d49826bf194987e54edd17dbd2dc979b4 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 7cc49710400c16526684368b7496e1f2 |
| SHA1 | 57764909eee31a446de337e09e465691be07d224 |
| SHA256 | b11934e9031df45d0c38131c8c4e8641fe5f4dd58aa672b72f352fa4c2e72bec |
| SHA512 | ec8f4a36cdabe3bde81695326c8d6455e1958cb022c9b7270939c72c7eaf319e4a04b6c5910b4b1fc8abea72ac508b25cbd038a70eccd0ed6e8d41d664d2b005 |
C:\UserDotSR\xbodsys.exe
| MD5 | a6c212c259988a8bb58b47d8f813fc97 |
| SHA1 | 53d897648804ea8302d7e1a00ddccfea01280449 |
| SHA256 | 5aab24e8d948fe3ec6a4b299027932e75f67d2403b964562694fa226b801ea71 |
| SHA512 | c2d30b130ec0dfe684c5b1a0898133a3106bab42dbb225845991fd622049973ed167e3480e3f7f9d5fb6929311ab08244a92ac1c6f61b9beba3bd3770cfe3828 |
C:\UserDotSR\xbodsys.exe
| MD5 | 0cb8813b8747f7a1ce644662c4c6baf5 |
| SHA1 | 06b6b5236e844e8e1750b8a791f535e70f1b6cfd |
| SHA256 | 646f2efbe560aba99518afafa4c24cbea63974098cee644b8df7c3cbc2693268 |
| SHA512 | e5c5ffae865bcab1266429fc383ca7228c7f7ff2546d7b608a4bc249bcad2bab70d22b46854745ebbda6d11e651f7eab71ebe7c5b67b831d8de7b99caf8f7140 |
C:\VidB7\optidevec.exe
| MD5 | d38086bbdf4b02848071c40a07072616 |
| SHA1 | 07b5d28cbad97b090073cfe90700f9cf16479f57 |
| SHA256 | bc01d2ac7a95bdba051b74ec792174a78f5db0350ba842d85e444a4a60deffa2 |
| SHA512 | 149b26623091153a74bc5dfa40fdc770d44d85a6522ea2da26034c93ee9635e35df05494e80acc1e531d772ee7548c7164be310dc5472e1bc54fae5368efdd72 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 637749ac8586997524e4fe468a1c837c |
| SHA1 | faa397a0644809be1fde632e67eb4c32d2416ebe |
| SHA256 | 18e3545ddc047359f098ceb4d99b5b99787878fef81252e1ea0f3af70790b6ad |
| SHA512 | 09a75173c074ac69550d3e29a3b44e9622ac3c8be11514c7ed162021c3b834ece54a23af705d4c68ea8b47374abbb5bc35bb795797292ecd7546ec6a39e563f8 |
C:\VidB7\optidevec.exe
| MD5 | e3566c6d96fe2a82854956355909dcc1 |
| SHA1 | 66e90338ac1769468750ef0699a6003bb748dbd2 |
| SHA256 | 31e75c3d8e35af01b8898307fea196f88054a74f74b62b4976e5df0156e8bc59 |
| SHA512 | d130723018fca138d83524e4a3c314c274ae75c9bfd84933f879786723349adfc7d331bfd3f1f3baf2c76b0a9f38f8db0375c5b513a8669eeb3fb8bfbbc743fa |