Analysis Overview
SHA256
f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89
Threat Level: Shows suspicious behavior
The file f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N was classified as: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 15:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 15:03
Reported
2024-11-08 15:05
Platform
win7-20240903-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | C:\Users\Admin\AppData\Local\Temp\f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| N/A | N/A | C:\Intelproc1E\devdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBZC\\optixec.exe" | C:\Users\Admin\AppData\Local\Temp\f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc1E\\devdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Intelproc1E\devdobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe
"C:\Users\Admin\AppData\Local\Temp\f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
C:\Intelproc1E\devdobsys.exe
C:\Intelproc1E\devdobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
| Hash | Value |
|---|---|
| MD5 | ffb9d6c2f0655550e2de2dd15f1d9d18 |
| SHA1 | e177d68885de634ba38656b1971d92ea315a917d |
| SHA256 | 846c1e19f9b88370ff3ab8c215733b3d15ee9fc38014fa33424571f51c7575ef |
| SHA512 | d1dce4bc5ae2a48d3246d73d44f92b2f247015642233bc600d275c50f3ddb23a78e4a01f1c8b6df287587a4a71d4c715c45576e632a793f5e0ed414abaabbe3b |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | cec03702672449a152529efcf5fe1f6e |
| SHA1 | 8c8dff3dd43a46b908976601a09dd364275b3391 |
| SHA256 | 7b3e650339e8b96315ca1fa60d207009080765cdd6a1fc3bcdcb7bffb267ea4f |
| SHA512 | 0821aad878f221b2a21645609423286f83145338cc6a0c9354d157ed904b1a1e3552506e11e0d9c363a6884b0e805d869b1184794fd317ca1c1655044c11a8ab |
C:\Intelproc1E\devdobsys.exe
| Hash | Value |
|---|---|
| MD5 | 38df838ec7348d7c5bef329612675002 |
| SHA1 | 3563d8896a3d67e856f8175cb1e2f558efe123b0 |
| SHA256 | 4675f8dfccce5ddd59a1a88cf5ac0790242e0c934e191d8f09aeffe9db5df3a8 |
| SHA512 | 21fa247ba1ecadae805b9608b25d04fa95ce977aef53710e766e14e1946afb24ca60a2db58183de27a9d16ca2dfb00001e12616cc82292afe4143d1f09c07581 |
C:\KaVBZC\optixec.exe
| Hash | Value |
|---|---|
| MD5 | 59feb39f95b809ee69ebb18cc032a9de |
| SHA1 | d1e25d355e0dfbe4741a216b04f89914186a3be6 |
| SHA256 | cf321671a0681bdfa8669e62b96c981934024baf3e960310ae8617f955ef2ef0 |
| SHA512 | bc3d6ee2d8666460da3fbbc40cb215df782e13b1abe0614ba77680b01ed1f50ce3493c8e7a9028cc82e9b782d0a717ca53ce6a08bc38e1c3d2404f326b634c23 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | e54a91e36bb15aba4982f93b957539ff |
| SHA1 | 53434d4c206381b818903f495f254ae0df8ff527 |
| SHA256 | ae3018e99941c8e3b88d9d4c2905c2ad9e76d0a94e6da5034716cf0e284023ca |
| SHA512 | 75c0daac721ac7972144e0a6099f72813f83e3ec769f9b2a6739d08f7a0cb4f4ea58371807d36adecb54dab604685b6e3ec7374b0d5dce4472320bb150354496 |
C:\KaVBZC\optixec.exe
| Hash | Value |
|---|---|
| MD5 | 2c0587749a273b7942fb53b32e8f00c2 |
| SHA1 | 9ebbb7a842022c70a67f7f18a8e356c9bcc768dd |
| SHA256 | 7800b3dba1ffe9ae409d1e0a63f318ba4f8e294534b3a9cf7dc5cb60a7b101cb |
| SHA512 | cca9644c610afdff3809d34011edb3162ce276847a07d22624daeb6ae1cba9d91e9443f5485cc84cb57bbddc07874170033e89f6bec8112a6bf68c5c67566475 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 15:03
Reported
2024-11-08 15:05
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | C:\Users\Admin\AppData\Local\Temp\f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| N/A | N/A | C:\AdobeTW\aoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeTW\\aoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidLV\\boddevsys.exe" | C:\Users\Admin\AppData\Local\Temp\f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeTW\aoptisys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe
"C:\Users\Admin\AppData\Local\Temp\f4ed82e04cad02e53ffe4dc1caac2e3e24471f8e25c0a6611e138629d8282a89N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
C:\AdobeTW\aoptisys.exe
C:\AdobeTW\aoptisys.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
| Hash | Value |
|---|---|
| MD5 | 6b302f7dc8673ebaf2061a662bde1a1c |
| SHA1 | 3185ef35d7a89aca77d7c265dcd918a61518c09b |
| SHA256 | 6be21a6106205c051d4ef0f4452438610b16d4d8a7a686c5fac66190c21ac22b |
| SHA512 | 58f1d4bf896c764f93655e497594483188d56afe6592d53198b7b531fdf0b6d838eb61b97d37056220a9e4152350297f364bb3883988b6303485cd47435f8f45 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | aa1b45a1ea25bd6cf6fc5ef3b4287fa3 |
| SHA1 | 5d28f74f1f4f2ec0257c39c1511b023a51be8250 |
| SHA256 | 41ca38eb8ccecaa5ffc193b8940c28d6c04df1f6f3eb70869af138008da91f62 |
| SHA512 | fbc1b54a187be5051083f1388f6ff5210e13e662f9eeeb24c93ac26ebff0a3b8c2700e74e3a9e0919370f1ecee0e6aa0959325e57ad6e147e6651249343a663c |
C:\AdobeTW\aoptisys.exe
| Hash | Value |
|---|---|
| MD5 | 44fa6dd20cc9bcbdf0dbc7dff836bc5d |
| SHA1 | ef259ffddac644b54e59bc7b5160483517ac9dcd |
| SHA256 | ec7fb2a4b594ae866937f41d705bd64a6b3732e64cf10b2e17aa9095113936a3 |
| SHA512 | 0cbefe7899797e6c9137bfee46fe15c82e69e3c0080f73d4dfa507a05c235eba06343aa14c21d407aa29a23f2e518f78971900247a4ab4550185d474920136c2 |
C:\VidLV\boddevsys.exe
| Hash | Value |
|---|---|
| MD5 | 181a9b545e504945ea9376e57a6b9275 |
| SHA1 | a01811041668f50073d65b2d9e0cd68b71c52683 |
| SHA256 | 86b43bbb32d234238d68c88432f3cabcfccfe5c96f6b681a1dc9ecad0f1a27d2 |
| SHA512 | 63c6b1aa8b633c7883b9313292f5f240621e9df0f6a6742c089c7595e571c6556b47c139b321068b10351ce9be83cabb93d5d711a6a569d5051363a08dc5a5ba |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 11b78c4930d594aab0063749bc331487 |
| SHA1 | 8167724170ae7279bac9c6ee24fc0d8956e1e45a |
| SHA256 | 4c763b549df43bc07ae8113975de24344a22bd00f84abd75d047c5400f368a82 |
| SHA512 | fda701284014962af69449381f21608bd9da858d3753758991cf5f5d31f513adfdba518ec4c0e0470d6e9860f02b14735dff6d462fa869fbbf3447b780521b80 |
C:\VidLV\boddevsys.exe
| Hash | Value |
|---|---|
| MD5 | e4e369ac8ea3b3528a61cb14ae4def9e |
| SHA1 | ec32ceb4e86bcdf16736867316405238f9b83064 |
| SHA256 | a298eeb403ee116c3959f5bc17ea60bec7026f78b3fe3692d601ac7dadc41a79 |
| SHA512 | 9f9e92f82b8be15328374310387a26dcf8529e7a2c25fa573fe3d70b85c1b1968684740bc7106d2b2e4f27e00b957ba55d0f5f67236a1eca1bd02a84f57e9b54 |