Analysis Overview
SHA256
adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335
Threat Level: Shows suspicious behavior
The file adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Drops startup file
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 01:41
Reported
2024-11-10 01:44
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| N/A | N/A | C:\FilesZT\devdobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesZT\\devdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidPS\\bodxsys.exe" | C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesZT\devdobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe
"C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
C:\FilesZT\devdobloc.exe
C:\FilesZT\devdobloc.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
| MD5 | db58bb8b79ec2ffe155c028bb74dca1a |
| SHA1 | 2098e7f0b41a47683123fcd4ad6a5b5cfecb01ee |
| SHA256 | 08c39f4db71c32abb28dc8240ff7505f6a5216f89218561ba2a2308b32e7d2d3 |
| SHA512 | 87ddd1f7ee93e4d111dff67050d545d898dc23fda816af8630c42971c34d9423d98a6db7393e681d123f59cb927e4f1f873e443f00ced9d853ecc1e145a5f142 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | bf2d491e5b383a49ffaba18d2f9877a2 |
| SHA1 | fc843b4bfe9ef71e9d34cdd1fd869b37b88096ad |
| SHA256 | 131bed842082962b2532dc0738d11e3d3fff246080528a309072fe496809b54f |
| SHA512 | 2f554dfdece11efc9be1a5e6528991e8af4b3d821188dd3d1cddad2a8970ca79377c3c8657574752d88105c9738ee72a1707d4bc0803ef65e06776851a78bdd4 |
C:\FilesZT\devdobloc.exe
| MD5 | 0aab4cc7a0f4b5f1e7eea38f4b0afaa9 |
| SHA1 | c3bba314ead38fa9c2df18ec9530235eb5b34d63 |
| SHA256 | 334fc87481958a81795c1db2656027f94a618348ff02c5e3f1e3fcaa2730ec30 |
| SHA512 | 141d11bff3f7b8d1dca219fea0897ebc32cc957a9fc1c19f3c715f39b49255e8dcd681c47cce504f5a3668a04ca6f23fa5e16e1acf41a3ac73e960f2b1c57089 |
C:\VidPS\bodxsys.exe
| MD5 | 2875d101598bb9601397f40462f2ccc6 |
| SHA1 | ce1bbc2ad56c4a756bc891d7e962ab8d5961f0ae |
| SHA256 | fbbaadda49a958eff1dd08d9e2202c027b9d05242c8a626a7bfd88c18c552193 |
| SHA512 | 4bd01f6f044c1c4f80550f56005a50d251d89e1c83efe638b58f7a344bfa40329b64763f9b40c62639863d3d24c55f8e7e80117db42c0c5504d1564fc37b8002 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 9651d41196231bf96964db49aaab1c09 |
| SHA1 | c7c14f6c8c2873cc05e64806d51ab1d67c2d0583 |
| SHA256 | 51d21e9ce1580a6cf3b104ba6982de60e1491ab753caab999ca5717d9db29fcd |
| SHA512 | 9efca22809bef33fe60e55b49647cb172ca5c07e0878544e7b86ee988e1b200d9387d9c7894c56622833b4158961d0ac954fa4aeca8803ba2c60050d88ae113f |
C:\VidPS\bodxsys.exe
| MD5 | 323aff53b53546ecf54cd68758600a53 |
| SHA1 | 3999f46d3060eb15ca5000d7cffe5f04c067b544 |
| SHA256 | 5f6f1d46fa3519dd8b078c3f89471f06c08c6445180fe9911afa4bc32f91df3c |
| SHA512 | 7370bee0b605f749b12f7fe011190b02b38d91d968b94bf3d704888283483e5652e64ac0f1f30da98877ba4ea74b555fec157e4c0bb730b4f3324aa53a6ef0d2 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:41
Reported
2024-11-10 01:44
Platform
win7-20240903-en
Max time kernel
150s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| N/A | N/A | C:\SysDrv5I\devoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv5I\\devoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidRZ\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrv5I\devoptiec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe
"C:\Users\Admin\AppData\Local\Temp\adf05c1265952207aa4e49d7117ac8dbb1e6298283564cc3132dc87fc84d5335.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
C:\SysDrv5I\devoptiec.exe
C:\SysDrv5I\devoptiec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
| MD5 | 9a3c868a49c2dc4f6c610e710fca6833 |
| SHA1 | f27bec7cb945da454421e6e764244f7daae54f78 |
| SHA256 | 4a7d7b808f1fdd6a25c2e2885cfc2fd7fdcf1adc79ba15c35a1f26a96c1c8ddf |
| SHA512 | 79117f659f1b229cbefff646025f775636d49d0e67b0d1f544e8c773ba70bd40116129aebfd6470d73d8262a895594836459209d479fcd1b9d54b879db5b1b59 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 7021160d1d1850a1df1ce6339fc1785b |
| SHA1 | 2a848deb9736fc61c4f80683615b83b8d3d70b56 |
| SHA256 | 501fd2364f86f73c72b8d3a688cc05471be4680e1ac98de0606d7e273f716e8c |
| SHA512 | 87ca3a59e27fdc5fdcb82ef9473ceb61863aa653612d4a0a2e86d9375f88c09baa7a81675faad74374d935f610a54ec22cc95d88b4f3c28493c4fe1a7284f7ef |
C:\SysDrv5I\devoptiec.exe
| MD5 | 16a4bb0fc3d5c44be3028068af1ea1ef |
| SHA1 | 3525da0805ed7773dfef437f24482b727389e9db |
| SHA256 | cab09a5b3c3d84c5b8a2e11a35c3fcb95b6436b3dff8502d6b224492feb4c94d |
| SHA512 | b487b3eb68c80afed0c6cdc0573c466508b36730b7cb654a78fd17c162030a3e5fc360589888ecede135747d71fa86eb3f8f59425aa66780d4645629b11efe9b |
C:\VidRZ\bodxloc.exe
| MD5 | 4b15a8dc60fb28ba194308947f8d0bdf |
| SHA1 | addcf6f0cc5dc9577f5354dd3efdf91843caddb2 |
| SHA256 | eeda459c0f86c4f2c639edc7bc26cc6dc4f508b51063a31d85ac8a6f6e64b152 |
| SHA512 | 35c0dcc269feb3a6378ec13dde959d0dbc121e4ec5236b5910536beee95f1128b58b5d7711ee4f05359371d8097a799e57a11fa6b9dbb26c543666dffd669e7e |
\SysDrv5I\devoptiec.exe
| MD5 | e6506fff8a5b71e4f18698f6a66be1d1 |
| SHA1 | 9de54cf31065efc84e50a43c82a04ee3220f88aa |
| SHA256 | 768f37a2372d4198d2e0efd4f779058de772a1dd707d75b3a0915860c74c81aa |
| SHA512 | 09e8f034197d6c5c7479a8df2bfdb1cb31c1d5df75910cb01373228457089d5710a87fca4242cc1a672e9b81de6ad87b044e5fb26319fad482f18e5297fca277 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 46ab6e41f27ca2a473f361a394b6178f |
| SHA1 | fe90af481aa021b2624e4ea4ebcd80f3c36c138e |
| SHA256 | 25887acb50746a08253cb111854b2dd0152fa92fad085d30c7d9c4ec51c47332 |
| SHA512 | d43d4b508f7e6cf696ded3f8e46a54e44ae359d574edf5a5c43191d8553757b082c743165f8554b414e187cbcb59fe745b3a998b658d803f9efff7ee950f7646 |
C:\VidRZ\bodxloc.exe
| MD5 | 0d3beabd837f3aef510839ed6d446a61 |
| SHA1 | f210c1cabd85693033210b8bb5142b271dd32e2f |
| SHA256 | bc2a0eac38af86e2a40b63870a7b43c32821a44f7020b0de846343e95f601cf5 |
| SHA512 | bb36d1275372c134f29d6ae1c322408757dfa25ecc0ea64994d10d07c2830f576a1befeff5fa8b5f4cf8c41fdd1863de120bb728704fbe8f411f255dcbbe298c |