Analysis Overview
SHA256
40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c
Threat Level: Shows suspicious behavior
The file 40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 22:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 22:16
Reported
2024-10-27 22:31
Platform
win7-20241010-en
Max time kernel
149s
Max time network
126s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | C:\Users\Admin\AppData\Local\Temp\40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| N/A | N/A | C:\FilesD7\abodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesD7\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid35\\dobxec.exe" | C:\Users\Admin\AppData\Local\Temp\40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesD7\abodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe
"C:\Users\Admin\AppData\Local\Temp\40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
C:\FilesD7\abodec.exe
C:\FilesD7\abodec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\FilesD7\abodec.exe
C:\Vid35\dobxec.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\Vid35\dobxec.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 22:16
Reported
2024-10-27 22:37
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
145s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | C:\Users\Admin\AppData\Local\Temp\40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| N/A | N/A | C:\UserDotLX\devdobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZEC\\optixsys.exe" | C:\Users\Admin\AppData\Local\Temp\40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotLX\\devdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotLX\devdobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe
"C:\Users\Admin\AppData\Local\Temp\40cdfd21c20c1a2a9d9d51190aa2e87365339f33c6c6d9725fadcd8a2b9bed8c.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
C:\UserDotLX\devdobloc.exe
C:\UserDotLX\devdobloc.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\UserDotLX\devdobloc.exe
C:\LabZEC\optixsys.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\LabZEC\optixsys.exe