Analysis Overview
SHA256
40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf
Threat Level: Shows suspicious behavior
The file 40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 23:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 23:23
Reported
2024-11-11 23:25
Platform
win7-20240903-en
Max time kernel
119s
Max time network
21s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | C:\Users\Admin\AppData\Local\Temp\40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| N/A | N/A | C:\SysDrvVZ\adobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintLJ\\optiaec.exe" | C:\Users\Admin\AppData\Local\Temp\40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvVZ\\adobec.exe" | C:\Users\Admin\AppData\Local\Temp\40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvVZ\adobec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe
"C:\Users\Admin\AppData\Local\Temp\40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
C:\SysDrvVZ\adobec.exe
C:\SysDrvVZ\adobec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\SysDrvVZ\adobec.exe
C:\MintLJ\optiaec.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\MintLJ\optiaec.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 23:23
Reported
2024-11-11 23:25
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
99s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | C:\Users\Admin\AppData\Local\Temp\40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| N/A | N/A | C:\IntelprocX7\aoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocX7\\aoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZQ9\\dobaec.exe" | C:\Users\Admin\AppData\Local\Temp\40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocX7\aoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe
"C:\Users\Admin\AppData\Local\Temp\40a19f5726ed8ac595caa771d17233289ee6b93a7ea58cb280a6ec14ac3bfcaf.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
C:\IntelprocX7\aoptiloc.exe
C:\IntelprocX7\aoptiloc.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\IntelprocX7\aoptiloc.exe
C:\LabZQ9\dobaec.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\LabZQ9\dobaec.exe