Analysis Overview
SHA256
ccc8149a75ad9644a676d51b80e0bc4990f4d9c09b5f2dfae5ebd48ad5cf2e4e
Threat Level: Shows suspicious behavior
The file ccc8149a75ad9644a676d51b80e0bc4990f4d9c09b5f2dfae5ebd48ad5cf2e4eN was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 23:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 23:06
Reported
2024-11-09 23:08
Platform
win7-20240903-en
Max time kernel
120s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | C:\Users\Admin\AppData\Local\Temp\ccc8149a75ad9644a676d51b80e0bc4990f4d9c09b5f2dfae5ebd48ad5cf2e4eN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| N/A | N/A | C:\UserDotDT\devdobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccc8149a75ad9644a676d51b80e0bc4990f4d9c09b5f2dfae5ebd48ad5cf2e4eN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccc8149a75ad9644a676d51b80e0bc4990f4d9c09b5f2dfae5ebd48ad5cf2e4eN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid9B\\dobxec.exe" | C:\Users\Admin\AppData\Local\Temp\ccc8149a75ad9644a676d51b80e0bc4990f4d9c09b5f2dfae5ebd48ad5cf2e4eN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotDT\\devdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\ccc8149a75ad9644a676d51b80e0bc4990f4d9c09b5f2dfae5ebd48ad5cf2e4eN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ccc8149a75ad9644a676d51b80e0bc4990f4d9c09b5f2dfae5ebd48ad5cf2e4eN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotDT\devdobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ccc8149a75ad9644a676d51b80e0bc4990f4d9c09b5f2dfae5ebd48ad5cf2e4eN.exe
"C:\Users\Admin\AppData\Local\Temp\ccc8149a75ad9644a676d51b80e0bc4990f4d9c09b5f2dfae5ebd48ad5cf2e4eN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
C:\UserDotDT\devdobloc.exe
C:\UserDotDT\devdobloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
| MD5 | a5ad3b148f221b4d65142905e01f33f8 |
| SHA1 | 04ee21a7d236bf5d33cd9db1fe79ea53fb1ed39e |
| SHA256 | f32c78af69e9c4bc7d7dace173934fa246e9770991bbbbe2b20569d56053a07f |
| SHA512 | 576eef01a3b7cb2a348976c8078136634a96042a4e1a72e9a505f4008155a319e56402cbdab7526c0e118115b88a7e4423b6b54ea75559dd943fd8bd061632c5 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 96949467eea8eab5fae728ff749d3bb6 |
| SHA1 | 283cd9e1cf67cb54b587ac8f19e7d16110cf0f67 |
| SHA256 | d729df859f018816caa251c0e87448a13db31f018ab03a1a4fb0532989c2fc80 |
| SHA512 | 58d96c70864f020ff403201cd015d59445a9b0a4744fac2884bcd2c35ca7f93b8abc568c1e4eb8b6bc0b8bfceba9f97e98e3458ee952d637c3b2b8e889db737e |
C:\UserDotDT\devdobloc.exe
| MD5 | 7989bbaca2b7f84dc6d9381b62d3a7da |
| SHA1 | 2913fcb6f306077dcabf049913c5fd4d84ad0083 |
| SHA256 | 4c9bce9d8b08e60133199ae19b1827f22b7aee08225712ec82176a7a5aee68c1 |
| SHA512 | e72f4ec40f93870fd2c38d3e09ab193a8b66e558d79780412ff325fc1cd29d1a0af7a15d0f6794dd4784a69a729b137f0e6af30a242fccc8e9cecf94bf957f97 |
C:\Vid9B\dobxec.exe
| MD5 | 541fec65455d5b34bd07a7b314994d2c |
| SHA1 | 55079bcde6bbc149b17389609709433e60bfb3d4 |
| SHA256 | a426abba53e984d2d5760dc5deb76e09ebbb0d0d03e5cd262861f7afb8f71d4c |
| SHA512 | da54133de62360679354767fa7c44ea7c6e60cadc731344357b797e71a220936653e216b468a97b415fa4082ee2e3120ff9ebb80aac7b9a7238c6b8da7769b1e |
C:\UserDotDT\devdobloc.exe
| MD5 | d9bab165974bf1e468a54ad6bd4ce05e |
| SHA1 | fe5167afc6bc071cc01f82afeee693220484412f |
| SHA256 | 42748049badf43a921e6ea7316ad9dce9f34b8767835659986b2afe56cec98c0 |
| SHA512 | 2c09e6e9edb0016a1592bc34a4f1723d458086ca72bf3264171180337e9947e1a31d40b8b01d372e0e93fb71cad30d41d2be69c0d0a107cda40d957defcd8823 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | dcd09fe28575e55eac92983a6a751f3d |
| SHA1 | 43c2d4b36f8271926a07b0067d21750fafbc5af3 |
| SHA256 | 724e000385c277d368b0c498cd479451e3953cbc43df6ba44ca98a71b61a7689 |
| SHA512 | 9499da0a7bee2e5a386ae8a763f3250762f9f12566d0fcf6168a033232e0d2410e535634d36b62f15a780eca67d94a6942b39e149e9d9521f6c480a497e96a67 |
C:\Vid9B\dobxec.exe
| MD5 | 4db936fc5edcc9cd64dce836f811d3ac |
| SHA1 | 8094d4e8f780d31554b42412a6fc1901751b379a |
| SHA256 | 4746d873c37eea986c2ca5b78b63ee211019fc49699e1b9c13787f632539f84e |
| SHA512 | ec50039748be48e52551e39b8e9cf57111100781927dd699523eeac1aa45040107f83bc447a50810e282f048b120b59367a6560b1c3e5de2d79b8086d301f3af |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 23:06
Reported
2024-11-09 23:08
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | C:\Users\Admin\AppData\Local\Temp\ccc8149a75ad9644a676d51b80e0bc4990f4d9c09b5f2dfae5ebd48ad5cf2e4eN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| N/A | N/A | C:\SysDrv7J\adobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv7J\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\ccc8149a75ad9644a676d51b80e0bc4990f4d9c09b5f2dfae5ebd48ad5cf2e4eN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZMQ\\optixec.exe" | C:\Users\Admin\AppData\Local\Temp\ccc8149a75ad9644a676d51b80e0bc4990f4d9c09b5f2dfae5ebd48ad5cf2e4eN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ccc8149a75ad9644a676d51b80e0bc4990f4d9c09b5f2dfae5ebd48ad5cf2e4eN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrv7J\adobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ccc8149a75ad9644a676d51b80e0bc4990f4d9c09b5f2dfae5ebd48ad5cf2e4eN.exe
"C:\Users\Admin\AppData\Local\Temp\ccc8149a75ad9644a676d51b80e0bc4990f4d9c09b5f2dfae5ebd48ad5cf2e4eN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
C:\SysDrv7J\adobsys.exe
C:\SysDrv7J\adobsys.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
| MD5 | 7dc3823d00c590a9298781010d5d8aaf |
| SHA1 | 3e9726a3f6a9e8ee5a631889e2cd54aa257a63eb |
| SHA256 | 7c41f0452c01d9f4e0902875b17b6f4a8291e16acb037a8d8c680dfa4c826918 |
| SHA512 | e54cb72335608c4c6a034f192b52625da1927340a17b6e381e3b44e07d634f9fbefd520532a268eabd10bdd999f38f3d69e10c8338f5511f67f37addb5209e2c |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 0261208089e9064837b47b30b3548da8 |
| SHA1 | 7ef81dc70744ae24408718af3a1899379de9c64f |
| SHA256 | 160e1894bdf236d987d726c2c579b91d4610eb3356fa83b88a91278435ea23d5 |
| SHA512 | 7a4b8d57f8562f7a55f32496608fe943c01009ca2b73dd657dac2a1fdaeb6a382b323535b1f2a93e1011339d9a7e8606d70a9d36cbd56cec9c11c05b2eeb90f8 |
C:\SysDrv7J\adobsys.exe
| MD5 | 1d0c2ed1bf74ce6afcd11cc88a1eadc4 |
| SHA1 | 6cc880380774b1e3496a54818a0ad124e8ce7644 |
| SHA256 | 7c5220c486d4ad4c457306e0b2c92e44403e58fe6b91b197c2d2119cf6aed121 |
| SHA512 | dfdc6a5e7d56ac84879641a666500d3891e6204d45e8759ff5f78e17245db483cf402835205f7f619bfbb7ffb1ae8d3fa5ffacb1d6fcdc6b208bd031893015fb |
C:\LabZMQ\optixec.exe
| MD5 | e3c1e89df95550aabe019bb6189d84fa |
| SHA1 | 0d9bbf3c481dc97fb5f488d17f1b5c22a4e9e78f |
| SHA256 | 3b396491ec9d42d52e15981c9ca1741600c22aea981ef935ae83dda3126c2b84 |
| SHA512 | 8b9c7568b59be2cbb71e330c7fccaf3e9f0dc924f5f9c4451d96bca632b1f2c7fedd3ad9684504e18fd1cb7f8ffbcf1d74eaf04bbb02e3c2956e54483a8cd0cd |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | c87f2d0470cfb6c1a72a3cb66b3c03f9 |
| SHA1 | 6595c28aa20c27d18ca50ea62f9c19eb3aa44d1f |
| SHA256 | 6ba332bff99bd057ef40aee5b4e3b1b6035807ce41419b90cf82a81380d6a792 |
| SHA512 | 455b2107bd164989332b49f69dee1a4ab50f90e85411f40d30026bcb0f73a0e4f4b1e421c0d45d4ed49c85c1c86a6c2cdcc6fdf896c5ea9aa77fdc829fba0c57 |
C:\LabZMQ\optixec.exe
| MD5 | 1c31992317278cbfbb062cd4732b9020 |
| SHA1 | b2953bc21d0bbd03b25aba4e7b3d56cc63708195 |
| SHA256 | 0b2e7da6fe13e1abfc05dc31898f9758e2b90fe94d3847eff578d06e33ba20b0 |
| SHA512 | a5b02c17136be2ad9ac5c6a2585c1d7c84233d35eef6ba3067f7e8ca22977de16026663f8caeff0cd96ab4385a960bba9a5ec07876508d7fcf403cee572a75bb |