Analysis Overview
SHA256
a442f99a903383c049a16674d081e20372585d59bfbf2fcc79e86158d8dd5526
Threat Level: Shows suspicious behavior
The file a442f99a903383c049a16674d081e20372585d59bfbf2fcc79e86158d8dd5526 was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:16
Reported
2024-11-10 01:18
Platform
win7-20240708-en
Max time kernel
149s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\a442f99a903383c049a16674d081e20372585d59bfbf2fcc79e86158d8dd5526.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\IntelprocM0\devdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a442f99a903383c049a16674d081e20372585d59bfbf2fcc79e86158d8dd5526.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a442f99a903383c049a16674d081e20372585d59bfbf2fcc79e86158d8dd5526.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocM0\\devdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\a442f99a903383c049a16674d081e20372585d59bfbf2fcc79e86158d8dd5526.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidMM\\bodxec.exe" | C:\Users\Admin\AppData\Local\Temp\a442f99a903383c049a16674d081e20372585d59bfbf2fcc79e86158d8dd5526.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a442f99a903383c049a16674d081e20372585d59bfbf2fcc79e86158d8dd5526.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocM0\devdobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a442f99a903383c049a16674d081e20372585d59bfbf2fcc79e86158d8dd5526.exe
"C:\Users\Admin\AppData\Local\Temp\a442f99a903383c049a16674d081e20372585d59bfbf2fcc79e86158d8dd5526.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
C:\IntelprocM0\devdobsys.exe
C:\IntelprocM0\devdobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
| MD5 | b85c10824ccacc8221bde1336898512f |
| SHA1 | 7c4e8617e62f9822a1cd634261840d89f76573e0 |
| SHA256 | bbdc9124ac0651e9e155723c66a16a1e897d5e6cda1ff9a2ede6b643642c63e2 |
| SHA512 | 4cd5647922c2bf7cbba03958824a1c002583f3d540030d9167b67adf555d8e455147411a6f8bcc4ad913fe6288ef6fce100f3f56a8ff7f33a7dfeca9d0548e09 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 2fb258ad28a2cfec31d1d1f82ba19c37 |
| SHA1 | 33edc57cd922f01b2e40ee5b0205a2f4f9d6479f |
| SHA256 | d4ac7b135d019c49b514f0c9d7825a712d37695987a78c1f94d0f8edd9da90b5 |
| SHA512 | 0185360ba22476110fa589234f9e7cef9408859fdcba447eeff51e9653d63e4ddfd67c15d17064a65da2f628d522fd42375cab50588698968ff4e9a19eb5cdaa |
C:\IntelprocM0\devdobsys.exe
| MD5 | 4a8ecbb858a393503f9c2c419b0f792a |
| SHA1 | d1c54c4fa8e343ec86bc60eab3227c644907a260 |
| SHA256 | d3571251c1f97284e9c80e3498a75857c602eecadad865aacd41c6d38204a129 |
| SHA512 | 74c8ddaac5ebbef36d1d5171f515efd7a161a939c455b36288f49efe558f3bc2e2f09298c773cba10c12a7dea470c94bbb6b8caa03ee63ce8eeaa92dd22c18c9 |
C:\VidMM\bodxec.exe
| MD5 | 5fca3193bc1596a76b40926e40eb9269 |
| SHA1 | 40d52c8c9aaadf9c7179b3aae48c787d82952e8f |
| SHA256 | 11ed9dfb1e904bcc37c132c49f5178ecc443fc19270afd5e47c207b05c012705 |
| SHA512 | dcb3ce99756cba01b110201a5b2784992a4365eb06c977975156ca53397b474a9b711887524aceca861d0b9d2f0076374f2d4a6f37d314f331d89d7efc2dff7f |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 50bd0ec766749aa606de0aca5f05b103 |
| SHA1 | 009978d0b5146213dcd1ecff4977daafdd6e2b66 |
| SHA256 | f4b6e3e0b214bd150730dcd609767cc69f8c63d68094c48f566fb32729fe6ca1 |
| SHA512 | cbdb9b025b664526df2041355160e444a3047439b5e9aa10222e982cb2a6518b9c8f2076835f89c5b7b613fa18704a2ca9c97f01acd30f81d652b0361fa3ceca |
C:\VidMM\bodxec.exe
| MD5 | aa5ac7fe03d220418f1bc9f39164088b |
| SHA1 | 49ea3925bcb8ec0fbc2c7e88b82e0f9f387c691f |
| SHA256 | 2bb96813e86234e85e25211473e0ce996d5bcac56c4a2eb4c0b9280e6034324e |
| SHA512 | e21bcf77218af7d626e452b4ef56fb9706ff7533a9499bdbbf348d8ad74198de909433c4248b031e204362122c5f9081ce55af0f6da83d9aceff401cf6576bdf |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 01:16
Reported
2024-11-10 01:18
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
134s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | C:\Users\Admin\AppData\Local\Temp\a442f99a903383c049a16674d081e20372585d59bfbf2fcc79e86158d8dd5526.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| N/A | N/A | C:\AdobeLJ\aoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeLJ\\aoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\a442f99a903383c049a16674d081e20372585d59bfbf2fcc79e86158d8dd5526.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxZ7\\dobaec.exe" | C:\Users\Admin\AppData\Local\Temp\a442f99a903383c049a16674d081e20372585d59bfbf2fcc79e86158d8dd5526.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a442f99a903383c049a16674d081e20372585d59bfbf2fcc79e86158d8dd5526.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeLJ\aoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a442f99a903383c049a16674d081e20372585d59bfbf2fcc79e86158d8dd5526.exe
"C:\Users\Admin\AppData\Local\Temp\a442f99a903383c049a16674d081e20372585d59bfbf2fcc79e86158d8dd5526.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
C:\AdobeLJ\aoptiloc.exe
C:\AdobeLJ\aoptiloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
| MD5 | 1607a92c3c22cb10e3bc0bf4face4fd7 |
| SHA1 | 4457fca756ce66caf48865c4f793afb63bbe8a02 |
| SHA256 | 1047eb9908913a0a3771143d8d21feec363195970849a85b71ab3bc49ea7bf6f |
| SHA512 | ada13d4f07fbcf686b3c3c7b99865d73a634a2804157466cdcd0d736410ab802a828a7e45c50a3eee5ff19cac1acc366e147ef733d2b549790f18b7cc5150fd4 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | e6ea5db60f39685375521c82e079d17f |
| SHA1 | d68045657f6a2a625e3011277679c1f20341666e |
| SHA256 | 0800cc70ddc66a787c6a11fdc86ebc9668e71afc05d1b7e94dd5c1782a45473b |
| SHA512 | e0fb306b25d147d5943ef508ca1d8b566501489ec97d671a70494e065b9d66423e542aa05fe59161815a6a4976d9038f04a9aab27d21f5cb13ebd71e0ae3c8ac |
C:\AdobeLJ\aoptiloc.exe
| MD5 | f40ea7c92192e16c399545d2bb7f8037 |
| SHA1 | 06beae775a1209ad23c7e90fe2f9c1759106e93d |
| SHA256 | e9a7042e033ff33b499696614394b92e9e5b460334ec6c529413a8cd556456c9 |
| SHA512 | df76bfd5bd572703d7c49101a7ebb55526457dc18a11d3edd59720336b3e36222260ac4046acc896d9a0484b56765cd2dcdbced1b7fc21d02675dddf1b3a6d0d |
C:\AdobeLJ\aoptiloc.exe
| MD5 | 7211d8678d65804f03d3156b27f57ad5 |
| SHA1 | d4a0d4addf88985c624d8edcd7154f0765c5f7f5 |
| SHA256 | b20af789ab4a7efe6ba50eaabc80a81d2a58ff71861e7ee2ed8541cea882c0be |
| SHA512 | 6db56794e2c64eeee6e6141296252acd9b5cc3e49a3a4369084a8f0cd2f7350d247d816b3d49c49e0416458acf5287486480675f524d79a0ab9a77e6e284d767 |
C:\GalaxZ7\dobaec.exe
| MD5 | 8fe14a9eb7a4cfb67064a95e7a1ef602 |
| SHA1 | 8944f900779ff0b83f0f6f3a9f12c496d2aa6594 |
| SHA256 | b150409e0c1dab3b62e495d19addaf91cf5b56ea0626869e862fe4c4bd2c4239 |
| SHA512 | a0930909d8565d39fe31c384d65bdc2d8881c274fd6d27a04ad37799f16f44e2e633cb0888fe57dcd98ec00a59a6346b19816d6c93b3ee3f1d23c2057546028a |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | cd38ef24ea5cb96f006d0e3ef07ca38e |
| SHA1 | c2bfbfb977f18d2d2385d2c2787530e7eb7cc2a7 |
| SHA256 | fcc08a61dacd021b1ac88428b2608c084391a0abcc97f563f688aa20c8e14aec |
| SHA512 | be282d7c62c6da2b1b666fdfffdfa5fdd10f2c9065f97a0f6a5f85731baa86fafdf48660cd06c496fb4e555502c01122b3f66d2654639e26af5193c6dceaa0c8 |
C:\GalaxZ7\dobaec.exe
| MD5 | 207777e15db797758484ec7ce7ad9725 |
| SHA1 | 118e2d7f80f681503cb8052c07251d4870043ea4 |
| SHA256 | a6d7bd047c16df6a830a6d4b90aec3907cc4470f3c7f4a3ad36bf301c0f72d3e |
| SHA512 | 3234fd1fc352c20f0afaa3e546cf2537baa8209ae0da43915b0a023ea07eaccfc5db17d56d7b1a0504c4f281689f1095de7a592f5886fc0c1b3f4241c7b35657 |