Analysis Overview
SHA256
39a3a5f324caf2a1ca53f1057f23d9e3fcdb4650d3fc59e92479857e882c2948
Threat Level: Shows suspicious behavior
The file 39a3a5f324caf2a1ca53f1057f23d9e3fcdb4650d3fc59e92479857e882c2948 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 21:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 21:56
Reported
2024-10-27 21:58
Platform
win7-20241023-en
Max time kernel
149s
Max time network
123s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | C:\Users\Admin\AppData\Local\Temp\39a3a5f324caf2a1ca53f1057f23d9e3fcdb4650d3fc59e92479857e882c2948.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| N/A | N/A | C:\IntelprocSK\adobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39a3a5f324caf2a1ca53f1057f23d9e3fcdb4650d3fc59e92479857e882c2948.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39a3a5f324caf2a1ca53f1057f23d9e3fcdb4650d3fc59e92479857e882c2948.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocSK\\adobec.exe" | C:\Users\Admin\AppData\Local\Temp\39a3a5f324caf2a1ca53f1057f23d9e3fcdb4650d3fc59e92479857e882c2948.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ39\\optiaec.exe" | C:\Users\Admin\AppData\Local\Temp\39a3a5f324caf2a1ca53f1057f23d9e3fcdb4650d3fc59e92479857e882c2948.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\39a3a5f324caf2a1ca53f1057f23d9e3fcdb4650d3fc59e92479857e882c2948.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocSK\adobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\39a3a5f324caf2a1ca53f1057f23d9e3fcdb4650d3fc59e92479857e882c2948.exe | "C:\Users\Admin\AppData\Local\Temp\39a3a5f324caf2a1ca53f1057f23d9e3fcdb4650d3fc59e92479857e882c2948.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe" |
| C:\IntelprocSK\adobec.exe | C:\IntelprocSK\adobec.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
| MD5 | a14787e9cb5f8fda016bb1ee2234f244 |
| SHA1 | 7ee213d94995a0455073a09639a885cb1a1cc9d3 |
| SHA256 | 483995ac7b53d91a12115016dea685136f39d81ab2ac525e95b264587f996fce |
| SHA512 | f2ffcd2de748fb8ad31ff3c2b9782362acb7e4782d7e4e352f00a42cd584570335f9902de972528961d39482a02c2d3e2105f2a59d099604f100369f84b78759 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | d91f2ae795f557fa52784b72f36606c9 |
| SHA1 | 62a799f3b788ece5dc2ee665901ce780deb2ad49 |
| SHA256 | 1dfe9e2bcbc859745741269085ee4341b39ff69b383ac279a89b97bd79c824ea |
| SHA512 | df1502b9326f0b52e55b0b2ea224454f872d7848844130097e8ad298e955da490d42232cdfdb202a5a251658ba95d7389c223105c5ee0c65a9f71e28ce5df7ec |
C:\LabZ39\optiaec.exe
| MD5 | 0372b88e426364f69ad770e968e605be |
| SHA1 | 7d43ec437b7675d441a13e7677a851d081a08092 |
| SHA256 | 3efb522f9222c37a3c3dec683c2f6dfdd645ac0a798d1877a42be9938d3b177f |
| SHA512 | 553f27ca63eb8fa753075451557245ff3599925e6ac04432d738f16dd725202749e8417b85e8f263bbc7486b20f9fee6dfe90f009ec95b0e9c3d1175750d0b9c |
C:\IntelprocSK\adobec.exe
| MD5 | fca72ca0584f3210a856877353571686 |
| SHA1 | a814ee6decc602e2d4333e14abb4621ba69e23a7 |
| SHA256 | 155bbdc30c2c466d81debd946d43983c7594eec62935ddda19c67c5d5c9bc9d2 |
| SHA512 | 8b07e54a7b59ebccb295e22fa9f90d97e831188af6ec476bef7a540c2ca03d0dd835c5f84a32b9b9c23c23e8c92b539c35b70ba33ac852767aa7765b195ceacd |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 9e5ddf03b1692fc7d6bc5155c5152898 |
| SHA1 | 7b0773211d92e9a3cd1dd7f4038b473872f27bc6 |
| SHA256 | 33c07c926f1370f6a38cff20e68a3019be4ade480bbd8521faaf8f839a8d3095 |
| SHA512 | 206157ab31a383f9c708d504b8e20642ac2a47df499641c16b29bc32830673c424fbeffde78132a5fa7ee0af386545b34cfb6a40398e7838a0da85243d750b71 |
C:\LabZ39\optiaec.exe
| MD5 | 1f870dce2247be677f64fccce7b56c7c |
| SHA1 | 077128af3bd5e984b9d33b5c10ee1f51ed1a4296 |
| SHA256 | 7b9ca12ae696d7dcfd0a88839b44ef236113b45b2d4c358ac620f2569e3e9c8d |
| SHA512 | 02e323ed2b2899bec590c46f12979f604baa0f08648b134e7fd2ca08c94f549de86453676983c0e52264418bac553525c10d769e35c6da0f85310a2e902e045e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 21:56
Reported
2024-10-27 21:59
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
139s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | C:\Users\Admin\AppData\Local\Temp\39a3a5f324caf2a1ca53f1057f23d9e3fcdb4650d3fc59e92479857e882c2948.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| N/A | N/A | C:\FilesPT\devoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesPT\\devoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\39a3a5f324caf2a1ca53f1057f23d9e3fcdb4650d3fc59e92479857e882c2948.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB1J\\optixloc.exe" | C:\Users\Admin\AppData\Local\Temp\39a3a5f324caf2a1ca53f1057f23d9e3fcdb4650d3fc59e92479857e882c2948.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\39a3a5f324caf2a1ca53f1057f23d9e3fcdb4650d3fc59e92479857e882c2948.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesPT\devoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
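Detection logic for the persistence behaviour recorded in both detonations: an .exe dropped into the per-user Startup folder by a process running from %TEMP%, a Run and a RunOnce value named "Parametr" that point at executables in directories created directly under C:\ (IntelprocSK, LabZ39, FilesPT, KaVB1J), and the <digits>_<NT version>_<user>.ini file written to the profile root (6.1 on the Windows 7 run, 10.0 on the Windows 10 run). This is an added example, not sandbox output and not part of the report; it runs over constructed Sysmon-style events (field names Image, TargetFilename, TargetObject, Details are an assumption about the sensor), the benign OneDrive and Explorer events and the "Update" value variant are constructed, and the IOC paths, SID and value name are copied from the tables above.

```python
import re
from dataclasses import dataclass

# Indicators copied from the report tables; event records further down are constructed.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\39a3a5f324caf2a1ca53f1057f23d9e3fcdb4650d3fc59e92479857e882c2948.exe"
RUN_VALUE_NAME_IOC = "parametr"   # Run/RunOnce value name used in both detonations
KNOWN_ROOT_DIRS = {"windows", "program files", "program files (x86)", "programdata", "users"}

STARTUP_EXE_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
TEMP_IMAGE_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.I)
ROOT_EXE_RE = re.compile(r"^[A-Z]:\\([^\\]+)\\[^\\]+\.exe$", re.I)
# <digits>_<NT version>_<username>.ini directly in the profile root, username must match the profile
PROFILE_INI_RE = re.compile(r"^[A-Z]:\\Users\\([^\\]+)\\\d+_\d+\.\d+_\1\.ini$", re.I)


@dataclass
class Alert:
    rule: str
    process: str
    indicator: str


def _image_from_details(details):
    """Executable path from a Run-value string as a sensor prints it:
    optional surrounding quotes, doubled backslashes, trailing arguments."""
    d = details.replace("\\\\", "\\").strip()
    if d.startswith('"'):
        end = d.find('"', 1)
        return d[1:end] if end > 0 else d[1:]
    return d.split(" ", 1)[0]


def check_startup_drop(event):
    """Event 11: .exe written to the per-user Startup folder by a process in %TEMP%."""
    if event.get("EventID") != 11:
        return None
    if STARTUP_EXE_RE.search(event["TargetFilename"]) and TEMP_IMAGE_RE.match(event["Image"]):
        return Alert("startup_folder_exe_from_temp", event["Image"], event["TargetFilename"])
    return None


def check_profile_ini(event):
    """Event 11: state file named <digits>_<osver>_<user>.ini in the profile root."""
    if event.get("EventID") == 11 and PROFILE_INI_RE.match(event["TargetFilename"]):
        return Alert("profile_ini_in_user_root", event["Image"], event["TargetFilename"])
    return None


def check_run_key(event):
    """Event 13: Run/RunOnce value named like the IOC, or whose target is an .exe
    in a directory sitting directly under the drive root (IntelprocSK, LabZ39, ...)."""
    if event.get("EventID") != 13:
        return None
    m = RUN_KEY_RE.search(event["TargetObject"])
    if not m:
        return None
    key, value_name = m.group(1).lower(), m.group(2)
    target = _image_from_details(event["Details"])
    indicator = f"{event['TargetObject']} = {target}"
    if value_name.lower() == RUN_VALUE_NAME_IOC:
        return Alert(f"{key}_value_name_ioc", event["Image"], indicator)
    root = ROOT_EXE_RE.match(target)
    if root and root.group(1).lower() not in KNOWN_ROOT_DIRS:
        return Alert(f"{key}_target_in_nonstandard_root", event["Image"], indicator)
    return None


CHECKS = (check_startup_drop, check_profile_ini, check_run_key)


def scan(events):
    """Run every check over every event; alerts come back in event order."""
    alerts = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts


SID_W7 = "S-1-5-21-1163522206-1469769407-485553996-1000"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
RUN = "HKU\\" + SID_W7 + r"\Software\Microsoft\Windows\CurrentVersion"

SAMPLE_EVENTS = [  # constructed from the behavioral1 rows, plus one variant and two benign events
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": STARTUP + r"\ecdevdob.exe"},
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": r"C:\Users\Admin\253086396416_6.1_Admin.ini"},
    {"EventID": 13, "Image": SAMPLE, "TargetObject": RUN + r"\Run\Parametr", "Details": r'"C:\\IntelprocSK\\adobec.exe"'},
    {"EventID": 13, "Image": SAMPLE, "TargetObject": RUN + r"\RunOnce\Parametr", "Details": r'"C:\\LabZ39\\optiaec.exe"'},
    # constructed variant: different value name, same "fresh directory under C:\" layout
    {"EventID": 13, "Image": SAMPLE, "TargetObject": RUN + r"\Run\Update", "Details": r"C:\KaVB1J\optixloc.exe"},
    # benign: a legitimate Run entry, and a shortcut (not an .exe) placed in Startup by Explorer
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": RUN + r"\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe", "TargetFilename": STARTUP + r"\notes.lnk"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.process} -> {a.indicator}")
```

The value-name match is the narrow IOC from this report; the "executable in a non-standard directory under the drive root" and "profile-root .ini" checks are the broader shape of the behaviour and are the ones worth keeping once the sample rotates its names, since every directory and file name differs between the two detonations while the layout does not.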
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\39a3a5f324caf2a1ca53f1057f23d9e3fcdb4650d3fc59e92479857e882c2948.exe | "C:\Users\Admin\AppData\Local\Temp\39a3a5f324caf2a1ca53f1057f23d9e3fcdb4650d3fc59e92479857e882c2948.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe" |
| C:\FilesPT\devoptisys.exe | C:\FilesPT\devoptisys.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Note: the only traffic recorded is DNS to 8.8.8.8 (reverse lookups and Bing hostnames) and HTTPS to a Bing address (150.171.27.10), which is typical Windows 10 background activity; neither detonation recorded a sample-specific C2 connection, so the actionable indicators are the file and registry artifacts, not these addresses.
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
| MD5 | 955a392a323566c4d3102b783d5dd760 |
| SHA1 | c982281fb804da7e366b146efa4bc14e9a3b1024 |
| SHA256 | f0cdfa9098675ab13cf69788420b4137e38d288ff4c84c2ff688190f7cab194e |
| SHA512 | 8e0e8f887580e48117c0af1036a9bf922956c093be1262210e0e7776f904f3d5d66ff099b3af25329a521a114c0647b9ae9621e904ab37e94d35b3efa2158c1e |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | ee1cf67d9172909ce39a15281ac386ed |
| SHA1 | 339454024a181852f019b25728e4fca43af89c60 |
| SHA256 | 56da45ca68987a4f0f31cc99bf1e48c581f920526e2c013ad67b82d4a0ba4208 |
| SHA512 | 64a05f4310319515ac4ba87d11be0362ad2ef5d7fb7e4a05fc3cddf05d455d0a3a4b66b1fd112b1f82401d3f38d73e0227a21fedc77939ab15b8a28c7f4753e3 |
C:\FilesPT\devoptisys.exe
| MD5 | 2f9f4ef30269d3518a7748c653b65c9d |
| SHA1 | 43d457298baa0f834b38875bed46b78e8a7105f6 |
| SHA256 | 34eae8a32d8cd6730c9de22bd6434e09f37480eb22ec1c1337e756cc22017db9 |
| SHA512 | a1c10621aa79aadb07586cb69b8b5a7f160d8083c8a061227b9e003162521227eb0d0a7c3ca225d66c373ae50bad1475f16c7257c626a2243980caa75b26dfc9 |
C:\FilesPT\devoptisys.exe
| MD5 | d433cb7603b73293ceea39e1156083e7 |
| SHA1 | 121390e712d695573ef3ea5961f9c31037b183a3 |
| SHA256 | 370ad7dec1c227d90b556aea8a666dd219352fdf63c85819e6a5fe7fddbdb3e3 |
| SHA512 | bb61270eab4e8b5bd039fe60083412cdd606d849cbfd44109b6886d13182db053776b640e708bf4e9af11a00741b70616e4779fc05f47b93fbc5b6fe00d0aa97 |
C:\KaVB1J\optixloc.exe
| MD5 | 3ebc04c7951c6aebc72d586a7d55b678 |
| SHA1 | d6eb6a4baee774e18abfd6d7996d04e9640d8b6b |
| SHA256 | afb11ab789cf01432925c728db5ce38c7915ef624e6ae4f4b6777c7be10f0e0f |
| SHA512 | b478be4c81f8c4cf6d8f0bbfacf8badc240677f5dd62c37cdbed5f87bf2d1b143b2dcffe46c54bc41061d406c3f3c94b48d02c6d0dc141310c0c0d9b25c1d8b6 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 6e3bdb195e070e710e57de7bf7cb8741 |
| SHA1 | dc19ccf827698802393abcd784f0a86069fc3f92 |
| SHA256 | e20786d300b1d3c9cb8842bcb767b5403c3dd3702be31335ecfc0f381bdefdf9 |
| SHA512 | c7aabab185c13726b4f9167acd9af096fc37c9fcd1f18b0aa1acd5ff5080b8b33d0ddaca06a2687908cd98ef515c27570bf68a5f19a7d68fe2c3cacd991f304e |
C:\KaVB1J\optixloc.exe
| MD5 | 39adb5ed4fa5bc79aba86fdec348afdf |
| SHA1 | c857155106d68cfbc6d2e824e3e8e8c7e5aeca31 |
| SHA256 | 48d46c440e6f623f6389dd063dfff554801245472d324f467e3a5cdd464e5739 |
| SHA512 | 6cdfd7a3bd52483c9632a1d4cdb02336fcb11eab3d7b61044ef5256a1de600d44cfc8ed0e3177c878889a04a1a97f8069e058821ca2dc0a5c5b4a9ae31fa0edd |