Analysis Overview
SHA256
ac0ed0bc2fc5243a0efffe464c17f66baa8fa1d3bbf279a4b73d1857065e9b49
Threat Level: Shows suspicious behavior
The file ac0ed0bc2fc5243a0efffe464c17f66baa8fa1d3bbf279a4b73d1857065e9b49N was classified as: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-26 01:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-26 01:19
Reported
2024-10-26 01:21
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | C:\Users\Admin\AppData\Local\Temp\ac0ed0bc2fc5243a0efffe464c17f66baa8fa1d3bbf279a4b73d1857065e9b49N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| N/A | N/A | C:\SysDrvK4\devoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ac0ed0bc2fc5243a0efffe464c17f66baa8fa1d3bbf279a4b73d1857065e9b49N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ac0ed0bc2fc5243a0efffe464c17f66baa8fa1d3bbf279a4b73d1857065e9b49N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ3O\\optidevec.exe" | C:\Users\Admin\AppData\Local\Temp\ac0ed0bc2fc5243a0efffe464c17f66baa8fa1d3bbf279a4b73d1857065e9b49N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvK4\\devoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\ac0ed0bc2fc5243a0efffe464c17f66baa8fa1d3bbf279a4b73d1857065e9b49N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ac0ed0bc2fc5243a0efffe464c17f66baa8fa1d3bbf279a4b73d1857065e9b49N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvK4\devoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ac0ed0bc2fc5243a0efffe464c17f66baa8fa1d3bbf279a4b73d1857065e9b49N.exe
"C:\Users\Admin\AppData\Local\Temp\ac0ed0bc2fc5243a0efffe464c17f66baa8fa1d3bbf279a4b73d1857065e9b49N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
C:\SysDrvK4\devoptiec.exe
C:\SysDrvK4\devoptiec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
| MD5 | 3fb2e78aa3b2f2db6fa57db437ef19e9 |
| SHA1 | 8479352f6437d9a57bb6e1a3a75a29770a8ce8b9 |
| SHA256 | 6d09d394904c36a74b9a1cef03962404e40745792e02a5b4146e7de6908cb2c7 |
| SHA512 | d173d28e96207d5282a02577343c510768d7477972fa5de530e6bf6e731854b870a711890e80bc238d79b336c6430b2291e779ac7bfbf80a390b069095f71c18 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 0f1083dbfaac1e4f9f8eb337f2890784 |
| SHA1 | 3df90398a14ff012da4ea436588bf0430f4c3809 |
| SHA256 | bef0b00845962f381913bb03f20c502953f36f8db3b2fb8075d296bcb12c1fb3 |
| SHA512 | c7f365e8c6743ce212618bc249afa37fe6f2ef91aa18535256a5bc71dddec6c286b15cabff1eef2e0f43262074ceb96d3b5e24e5b316b09ce71b954f4a876254 |
C:\SysDrvK4\devoptiec.exe
| MD5 | 1b664787b847f405ecdbc28c3e936f9a |
| SHA1 | 460ada94ac6be9e6dfd7ecad34db8636a8b49484 |
| SHA256 | a23717c84a6bca1ae0627932d2b09b05b526332311ab5fd14416d76c87d22fee |
| SHA512 | 1e006ea64620c527f3393ccaafb387fe38de81ae587420f9fdf1abbb4ea80023553e5902c3cb3a6eb6a59187b65603d41b6717cbf8463cde2bc8262a26de80cc |
C:\LabZ3O\optidevec.exe
| MD5 | fbe3a7d1efe51f30979d332e2e98fe8b |
| SHA1 | bb493c735c2dbb21db3c43f832a72cf15bc272cd |
| SHA256 | 0de6ce8008830d69fdde480f500c64c7ab30f90acd8e8ed9d6f108a4ef827cd2 |
| SHA512 | 102fb2f93736148da84108ac2f1f7345b385b2a15d998422c2acd7ae3e13e5e0bdedb5e5d6becfc3381b556074ae6d1e5f31d0055055d8a34b4d6482451f4977 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | cbf7b4fab14d716d072bcf03d7c05922 |
| SHA1 | 5f612c3e319fde546b9723b6aa0112c4f00df263 |
| SHA256 | c63e945b01cece4cb5c7c76eafc3d7459e34385b7c2e23fd155a3031663665ca |
| SHA512 | fc7a0649ed7c7b2cc217fb5868010a156e3074436c45a241e0127d29978ede9a209cd34c854733235814a6541f802f0d4c57d8dd2c9081d39088f77644095a65 |
C:\LabZ3O\optidevec.exe
| MD5 | 566931f8e1dacad872bccaf989d75916 |
| SHA1 | e0635a128bf2878fbe6b0817fe09f745115625be |
| SHA256 | e4273b0617dba76a5e152e871e6277e016be1fd431f00eced9fefea96155989b |
| SHA512 | be91753922d51b1c4610218d33d6d6f912c516e2d29cc4030755c04cae090074df05e66ac548f485324123430398281bf57accb5c8766cad47ed80374c4badf0 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-26 01:19
Reported
2024-10-26 01:21
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
109s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | C:\Users\Admin\AppData\Local\Temp\ac0ed0bc2fc5243a0efffe464c17f66baa8fa1d3bbf279a4b73d1857065e9b49N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| N/A | N/A | C:\UserDotPE\devbodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotPE\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\ac0ed0bc2fc5243a0efffe464c17f66baa8fa1d3bbf279a4b73d1857065e9b49N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintWF\\optidevec.exe" | C:\Users\Admin\AppData\Local\Temp\ac0ed0bc2fc5243a0efffe464c17f66baa8fa1d3bbf279a4b73d1857065e9b49N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ac0ed0bc2fc5243a0efffe464c17f66baa8fa1d3bbf279a4b73d1857065e9b49N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotPE\devbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ac0ed0bc2fc5243a0efffe464c17f66baa8fa1d3bbf279a4b73d1857065e9b49N.exe
"C:\Users\Admin\AppData\Local\Temp\ac0ed0bc2fc5243a0efffe464c17f66baa8fa1d3bbf279a4b73d1857065e9b49N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
C:\UserDotPE\devbodloc.exe
C:\UserDotPE\devbodloc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.108.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.11.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
| MD5 | 7e98bb8f50d850c43703d28aca4998a5 |
| SHA1 | 6a528c91866b68cb9548d11eff395259518d7f85 |
| SHA256 | 7061b2bf032b5e357303a1075b2fda166c9948cbbc6a7be6edf048874b4e0629 |
| SHA512 | 755b5a7e9666d2691df7a8c46c35516c4b92cfdc1ef34b52f7c6b6e653ca12eda3a45113050bbcee549ef4681d8bb326b9ee541531f584084432bb28fc2a8820 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 75d29d39a1d24f1baf2da4d75e94ca26 |
| SHA1 | 5e5e810dad6f16e0040990205264627c0030dc93 |
| SHA256 | 18b822f86d8c8f8f8b9ffe7983efb6aad5b363a6ca55d76e4117eb6fe362c78d |
| SHA512 | be188c2b30e3701917db592294d96a4badef6dfe57fe13e95b7ea5b104ae69b0f237615b9f65d6415c6cfab17f7acbd8674625e9eb735a75b70a038f08f0f0e8 |
C:\UserDotPE\devbodloc.exe
| MD5 | c2d5f0de4dae356294631fdbf111fdb0 |
| SHA1 | 8daa78e1c4d55d91c993fdc381a7595c5aa9f416 |
| SHA256 | 72f350787808374bedc17f39cf367b38bbd362a8e7fe66b951abdc3d58192ea6 |
| SHA512 | e48aad4ac3dc5d178c96bc58d249a3e91ed6cafe3243562f3c073a7197650e6c558c9c458dcc48e65d2f6e7402deae240ef6ec5fe25ad2012ab7d6263047470e |
C:\MintWF\optidevec.exe
| MD5 | 61344045eab5d68304b89816caf73e1c |
| SHA1 | e6a4d0bc148739f7256914511f916bd0b2fdaa57 |
| SHA256 | cad53b86cd750ddd924a3067831362a6da88ba8ccde6cb9d76e0fb648a3d3f32 |
| SHA512 | 7f2aab78bd40a7fd6dda4eee7b4ea9d5ccc8353ff3d75f9c9d1b8373a565a4f1ad1d33b1461dce22ed25c18e788912e26d745fe7ad001818d374a2f34e8d4095 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 4b70d3b8d45b6cdc7e605b25d881afe9 |
| SHA1 | bc45f063b8a5109ec82b229b06089dd33ee38dfa |
| SHA256 | 8f6a08b255230ad8fc8205a749750b4ac6da59b0bbff4efdc30e93048bf5cd24 |
| SHA512 | 982ab7df153d0152e1783024904896b05b9fdf9b29cd12600e90222e3cb86c426be93a034a104df33b47b1450644dd5ec8b74737b7ef06bf5403766e2def75f8 |
C:\MintWF\optidevec.exe
| MD5 | af4d06bbd4ea53a8d665a45ba1008515 |
| SHA1 | a96d31c1d786a497a0bb4ce408a4770170e354ca |
| SHA256 | 43e18519f6fe82330a0d6a7bc5b85132895f17bbdcdcd0e030dc0081073a322d |
| SHA512 | 6373e4774affe58299f660c077bc69b5c26559af58b8a79f72e1c6bc50ad66ae66362a2cb8d2250dd0ae9ac21e6a56f7cbefff79723e0fdb137a8493b0a85bcb |
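Read side by side, the two detonations show that every dropped file and every folder name changed between runs (ecxbod.exe vs ecabod.exe, C:\SysDrvK4 vs C:\UserDotPE, C:\LabZ3O vs C:\MintWF, and none of the SHA256 values repeat), while the structure did not: an .exe in the Startup folder, a Run and a RunOnce value both named "Parametr", two root-level folders each holding one executable, and an .ini in the profile root whose name keeps the prefix 253086396416 and changes only the OS version part (6.1 vs 10.0). The following added example, not part of the report, separates the per-run values from the constants so a hunter can see which indicators are worth keeping. The pattern labels are this example's own naming. The win10 run's network table (Bing/Microsoft hosts and reverse-DNS lookups via 8.8.8.8) is not tied to any process by the report and looks like ordinary Windows background traffic, so it is left out of the indicator set here.

```python
"""Which indicators from this report survive across detonations?

Added example, not part of the sandbox report. Artifacts are copied from
the report's "Files" and "Adds Run key" sections; pattern labels are ours.
"""
import re

RUNS = {
    "behavioral1 (win7)": {
        "paths": [
            r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe",
            r"C:\Users\Admin\253086396416_6.1_Admin.ini",
            r"C:\SysDrvK4\devoptiec.exe",
            r"C:\LabZ3O\optidevec.exe",
        ],
        "autorun_value_names": ["Parametr"],
        "sha256": [
            "6d09d394904c36a74b9a1cef03962404e40745792e02a5b4146e7de6908cb2c7",
            "bef0b00845962f381913bb03f20c502953f36f8db3b2fb8075d296bcb12c1fb3",
            "a23717c84a6bca1ae0627932d2b09b05b526332311ab5fd14416d76c87d22fee",
            "0de6ce8008830d69fdde480f500c64c7ab30f90acd8e8ed9d6f108a4ef827cd2",
            "c63e945b01cece4cb5c7c76eafc3d7459e34385b7c2e23fd155a3031663665ca",
            "e4273b0617dba76a5e152e871e6277e016be1fd431f00eced9fefea96155989b",
        ],
    },
    "behavioral2 (win10)": {
        "paths": [
            r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe",
            r"C:\Users\Admin\253086396416_10.0_Admin.ini",
            r"C:\UserDotPE\devbodloc.exe",
            r"C:\MintWF\optidevec.exe",
        ],
        "autorun_value_names": ["Parametr"],
        "sha256": [
            "7061b2bf032b5e357303a1075b2fda166c9948cbbc6a7be6edf048874b4e0629",
            "18b822f86d8c8f8f8b9ffe7983efb6aad5b363a6ca55d76e4117eb6fe362c78d",
            "72f350787808374bedc17f39cf367b38bbd362a8e7fe66b951abdc3d58192ea6",
            "cad53b86cd750ddd924a3067831362a6da88ba8ccde6cb9d76e0fb648a3d3f32",
            "8f6a08b255230ad8fc8205a749750b4ac6da59b0bbff4efdc30e93048bf5cd24",
            "43e18519f6fe82330a0d6a7bc5b85132895f17bbdcdcd0e030dc0081073a322d",
        ],
    },
}

# Concrete path -> structural pattern it instantiates (labels are ours).
PATTERNS = [
    (re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I),
     "<Startup>\\<random>.exe"),
    (re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\(?P<id>\d+)_\d+\.\d+_[^\\]+\.ini$", re.I),
     "<UserProfile>\\<id>_<osversion>_<username>.ini"),
    (re.compile(r"^[A-Za-z]:\\[A-Za-z0-9]+\\[^\\]+\.exe$"),
     "<Drive>:\\<random>\\<random>.exe"),
]


def generalize(path: str) -> str:
    """Replace a concrete path by its pattern label; unknown shapes stay literal."""
    for rx, label in PATTERNS:
        if rx.match(path):
            return label
    return path


def tokens(run: dict) -> set[str]:
    """Exact strings worth hunting on: basenames, autorun value names, the .ini id."""
    out = set(run["autorun_value_names"])
    for p in run["paths"]:
        out.add(p.rsplit("\\", 1)[-1])
        m = PATTERNS[1][0].match(p)
        if m:
            out.add(m["id"])
    return out


def compare(runs: dict) -> dict:
    """Intersect each indicator view across all runs."""
    views = list(runs.values())

    def shared(key_fn):
        return set.intersection(*(key_fn(r) for r in views))

    return {
        "shared_sha256": shared(lambda r: set(r["sha256"])),
        "shared_paths": shared(lambda r: set(r["paths"])),
        "shared_tokens": shared(tokens),
        "shared_patterns": shared(lambda r: {generalize(p) for p in r["paths"]}),
    }


if __name__ == "__main__":
    for view, values in compare(RUNS).items():
        print(f"{view}: {sorted(values) or '(none)'}")
```

On this report the hash and exact-path views intersect to nothing, while three tokens (the value name Parametr, the RunOnce basename optidevec.exe, the .ini prefix 253086396416) and all three structural patterns hold across both platforms; those, not the SHA256 values, are the indicators to carry into a hunt.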