Analysis Overview
SHA256
8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141
Threat Level: Shows suspicious behavior
The file 8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N was classified as: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 23:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 23:30
Reported
2024-11-11 23:32
Platform
win7-20240903-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | C:\Users\Admin\AppData\Local\Temp\8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| N/A | N/A | C:\Files7I\xoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files7I\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZZ9\\bodaloc.exe" | C:\Users\Admin\AppData\Local\Temp\8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Files7I\xoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe
"C:\Users\Admin\AppData\Local\Temp\8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
C:\Files7I\xoptiec.exe
C:\Files7I\xoptiec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
| MD5 | 884258164a96dd50fcaee578b8b8cb66 |
| SHA1 | d3f166f55c6341b10dceed7308c87c756ee82cc3 |
| SHA256 | 96ccf2a9fae99b4c00a5a8b0adbc41dfbf8089de278a6ede5da8e26293c66172 |
| SHA512 | b4ea22cc0a9a7ac34ebb47b466c08d9c5f357d2c65c604529d4dc02b0d6350eef7c2531987cd4febe9c90a6980c0a69c81e2b3e497ded4202d4626cbf5b17781 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 3270e4295a4849f3b480a79f0d72de87 |
| SHA1 | a44e7e0a448e71290ab888958e7a5f261841e128 |
| SHA256 | 63694d73739f549bf123d27bdfb735ff24dd49a66275c032883b809110102379 |
| SHA512 | fe672691957fc51c949ebc43d77c787fa42f5a5a3c800f84337ec7fa3dae47a0aefd093d7b6dccc04410d9df3370faba7d27076ba63b4feab7d9fa871a810a56 |
C:\LabZZ9\bodaloc.exe
| MD5 | 4f3fd7970df59ce9914903829e83a7bc |
| SHA1 | 7725d9bf00bb80c5e8885e70d5b37bcb182478a4 |
| SHA256 | 30763c9a1e8ead3d04ffb2b2880c6ec8e3409fd0c7647148472369afb535f2df |
| SHA512 | db0d0d90ea347c06a8cedee62a3627529b2da1402b9d3ae19def6a82852f1cce4bc4c43a189eeef92a8ddb0c59f1ee7c9dec228f77e3e174c6d0559ef56ee5b7 |
C:\Files7I\xoptiec.exe
| MD5 | 96d71bc48f63357d6519d94ad8f617bd |
| SHA1 | c1c8e9e2fd51f3a8ebbf71295a817d8eb6dff6dd |
| SHA256 | 212fa4d62d24dbf07a9bd6fa554eba9a4f221c4c8ea9bc0addf153449e69944f |
| SHA512 | e7fe1b7e8a4ba639a5acdea473b0c9d8faf13edb359f17fc53ce9415f4513a94165708e2970626061aa068efa3f224d401a2c4b0c7bb0044d4df09325a867cca |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 8cc4a4fefbb5813737f2023bb3d7629e |
| SHA1 | 4467cd95d21badbea58b7ab8ed24c2048373a9f5 |
| SHA256 | e6ec685e546fe09bfec690358a2d280d6f750aebb9e6b1faa65e39ce77533bfe |
| SHA512 | 5ca98ecdbed8f3335e35b5a11ac81a918123f1a98b3e342e4d3af3d33bbabbb2f4a23c6f7c28e16c364d711624f633c5ee862b512091a74776516dbf3763a2dd |
C:\LabZZ9\bodaloc.exe
| MD5 | e913180edd070e473406dbb8fe884be0 |
| SHA1 | a6ff350f7aebfea851b7107f87c4ab74f9d4eb1d |
| SHA256 | 27a6405f50f9d82ad5fa873ed0feb79f0bc2cca02823768596793992f37963b9 |
| SHA512 | 17372db9b72a38beaac15c8dd9f9ff4704195ce1ff86eb24d1b489c121d4c4bb1235fc57d15c8ef55c127031ec0419f0bc890232ad28679c2870bb0d15367f50 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 23:30
Reported
2024-11-11 23:32
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
97s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | C:\Users\Admin\AppData\Local\Temp\8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| N/A | N/A | C:\Intelproc0E\aoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc0E\\aoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidJB\\boddevec.exe" | C:\Users\Admin\AppData\Local\Temp\8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Intelproc0E\aoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe
"C:\Users\Admin\AppData\Local\Temp\8e050550a8247055dd1b391a22f4c984ca33f83b3bb521a744fe36ac8172e141N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
C:\Intelproc0E\aoptiec.exe
C:\Intelproc0E\aoptiec.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
| MD5 | 5933cdefdad094e75a166510b89f0e9e |
| SHA1 | 7dbb983188ca7fa5418a4020a988b91a8a8dbe08 |
| SHA256 | e4abc9536253a97547d89c9ff472e9bf1751ca8be3389102d74fcf5603a5b993 |
| SHA512 | aea12f8f51667e17477a333bf1a36bd606d493a554cae21e04c53195a3b783784f26e0be8a7489a270c4737f3fa76934afe22199f85a3a058471b8dc66a4ed66 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 5956c438f20edb92abb9bfbe0d32898c |
| SHA1 | 3e9913e2171b59bef5f8dda06998e67f984643d4 |
| SHA256 | 9370abbfe9cc5e05024a9148e024dc238883dac0d346d855c634d22d79d0ea7a |
| SHA512 | cbee199dac2ee63814e4f0f4c1fff1d08bb7bf5acc598275227e21e4fc2a046b5ee01e351ace01562d003f5454f63b68b7d21d521266ffd0c6b378654c3e0c95 |
C:\Intelproc0E\aoptiec.exe
| MD5 | dbe22823c7022a2ca08e09183f69c5a1 |
| SHA1 | f20a210b2d8d193b046def7e50d1d6d68ffb858b |
| SHA256 | 37b169becdc2af09818564b23d1ab585e522732df01e231667b04e8464bf941b |
| SHA512 | 3d7a30e9d21aaaf67802c3b875e8ec0ea94349164280e74cb30aa10b4ce7a54f23d00ed86a7abbde52866a54a866633d7047091ef05d4c9e2dc794a1da943e6c |
C:\VidJB\boddevec.exe
| MD5 | a0990a322d88eb89c7f828a7aa4d0548 |
| SHA1 | 36f0a6b2656310f34302bf0013856be5ae37fff7 |
| SHA256 | 28d50350bf4349acde64371c7dffc78b9097dec1d54f745f58de13575e2a79e0 |
| SHA512 | 8e8da40d6c1c27d42bd6bfab611c36d4aee3d764220d8e73ad19b67584ae698f0d7672bf2f26130e8d697a41e18b3c1f323c62d98e96d02bd340992bc640fbea |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 29632ef342cd4d058fab7081de8b38c9 |
| SHA1 | 79fcb2b64984de7b955f2c445e357c46c584fd7e |
| SHA256 | 119125a768af84827fa9d16285b175f411b6dded4f33c1311d14f5c561cbfb3d |
| SHA512 | ebfb6db3d898e4c4f05f8187d4eae5a09647e3e4432d8fb4021ce02261d729ea8831a761500aaba028139e648bdcd351431dd9332b3786bea68ab0fca79bb82f |
C:\VidJB\boddevec.exe
| MD5 | d6ef944603d160b8ca825a93471a86fc |
| SHA1 | d117d894fe73e8cbe5a09bafc0cc8890919d74ce |
| SHA256 | ae5a5c4498946e8e41773d2b484fb1c6a500a96eec5634e9b7b72332a1db95d5 |
| SHA512 | e7df1acc0d9ed243403cac264495a98bc335f538c479b79e0d047c030a5649ff280e0257a5aa11838f229bcf5a6dead3c87d20d73a124a8800c1d3dcaee7b844 |