Analysis Overview
SHA256
09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc
Threat Level: Shows suspicious behavior
The file 09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc was classified as showing suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 19:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 19:27
Reported
2024-11-09 19:30
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
156s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | C:\Users\Admin\AppData\Local\Temp\09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| N/A | N/A | C:\UserDotE2\adobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotE2\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZLT\\bodxsys.exe" | C:\Users\Admin\AppData\Local\Temp\09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotE2\adobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe
"C:\Users\Admin\AppData\Local\Temp\09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
C:\UserDotE2\adobsys.exe
C:\UserDotE2\adobsys.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\UserDotE2\adobsys.exe
C:\LabZLT\bodxsys.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\LabZLT\bodxsys.exe
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 19:27
Reported
2024-11-09 19:30
Platform
win7-20241010-en
Max time kernel
150s
Max time network
19s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | C:\Users\Admin\AppData\Local\Temp\09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| N/A | N/A | C:\SysDrvNM\devoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint33\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvNM\\devoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvNM\devoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe
"C:\Users\Admin\AppData\Local\Temp\09c2dff79a51916317849bbc3f77f79580ba3c096fa59ab2fa23aa9b11cf9cfc.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
C:\SysDrvNM\devoptisys.exe
C:\SysDrvNM\devoptisys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\SysDrvNM\devoptisys.exe
C:\Mint33\bodaec.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\Mint33\bodaec.exe