Analysis Overview
SHA256
6c9f460d683a17f755527ba44aab6bd58c7bf10fe6d886a5a12887a29abe426d
Threat Level: Shows suspicious behavior
Verdict for 6c9f460d683a17f755527ba44aab6bd58c7bf10fe6d886a5a12887a29abe426dN.exe: shows suspicious behavior (not a confirmed malicious classification; see the signatures below).
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 16:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 16:30
Reported
2024-11-12 16:32
Platform
win7-20240729-en
Max time kernel
119s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | C:\Users\Admin\AppData\Local\Temp\6c9f460d683a17f755527ba44aab6bd58c7bf10fe6d886a5a12887a29abe426dN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| N/A | N/A | C:\AdobeV7\adobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6c9f460d683a17f755527ba44aab6bd58c7bf10fe6d886a5a12887a29abe426dN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6c9f460d683a17f755527ba44aab6bd58c7bf10fe6d886a5a12887a29abe426dN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeV7\\adobec.exe" | C:\Users\Admin\AppData\Local\Temp\6c9f460d683a17f755527ba44aab6bd58c7bf10fe6d886a5a12887a29abe426dN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidVK\\boddevloc.exe" | C:\Users\Admin\AppData\Local\Temp\6c9f460d683a17f755527ba44aab6bd58c7bf10fe6d886a5a12887a29abe426dN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeV7\adobec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6c9f460d683a17f755527ba44aab6bd58c7bf10fe6d886a5a12887a29abe426dN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6c9f460d683a17f755527ba44aab6bd58c7bf10fe6d886a5a12887a29abe426dN.exe
"C:\Users\Admin\AppData\Local\Temp\6c9f460d683a17f755527ba44aab6bd58c7bf10fe6d886a5a12887a29abe426dN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
C:\AdobeV7\adobec.exe
C:\AdobeV7\adobec.exe
Network (no traffic recorded in the 17 s network window)
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
| MD5 | 795d1a8433846991e452732402f8694d |
| SHA1 | c5baf8b53ab1bf0763f45a88364be4dc54ff241c |
| SHA256 | 7207856ed561c333c185a6552da9e8ec6da47bcee12bc91520e54060ef73de2a |
| SHA512 | 1c9d1eaa65eab9fd8eb4fdf42785a2a52ac4c8432d480c4471301ddbd10b62002fd2fb2cad9c277defd8e5d685ef6b5fc2e33ff78ca8b03a656937541e9ac748 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 2f1124d4bbeb68704c772fffc8263e81 |
| SHA1 | 6be17ce2a3095d5dacaca6ece20023dc4b112ef1 |
| SHA256 | e82ac0ef04d784c265ba81e1d7b365cb1eb31376116fc5a6eb820f59dc193344 |
| SHA512 | 41d3f957742cf50fd75debf07b5191d1aec0319452ccb6708d4902c3943abed8a725589c66c94e2cb769c588d5dc022e683a46cb0cc7eae9da5ea9e385bf8771 |
C:\AdobeV7\adobec.exe
| MD5 | 5395b0685a74a8fb26cc4120beb6bb1f |
| SHA1 | 68b6d5c0a0d5177c711c4c0476b83f1e8f954c5c |
| SHA256 | d5c064fb38e53667b5c4340081468694da2b9cf9e20f424c8250c20e85813241 |
| SHA512 | 0bc58c4e6e719c838ff4d5111e7a5908b215fbe02aa832d7be93242c30f61b3537c0edeea4fafcc0dee995bf589dd45c3f8cef124012e655d0a6e68a23eb5a56 |
C:\VidVK\boddevloc.exe
| MD5 | 499c99ea5e9fce55980f657559f1d7ee |
| SHA1 | 8e47d11db29fb413fbfddaabdc85fd33c24aea65 |
| SHA256 | 40cad28a6037f880c48f4955a01bd9b40454764cc1f28df0ffa6ebabb0917604 |
| SHA512 | e1dd7e0f90f4e8a9a41ee732ab71461256de675a466a20d3f4e8853060005e382f3b4ee816e58e7e4ce37dd026e25a3fa13d0e51300a943bf948126046b712ae |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 7914b75ad252b2e12c67bc2a1c878f74 |
| SHA1 | bdadde5d31f86e0b40daf37a8f2a5c31d908ea49 |
| SHA256 | eaf95235fa38c61f024ef8d6e5a2b0b2de538afd021c41c81bee1614d3547413 |
| SHA512 | 2cc888e9af75ecf1837c5f6a6339ce40a29fda736c35b3c541bbdd03b93b1e6322429e19584996ddcaad3eb141cda78f8823b0799a7a6330a8067a807a69a0ee |
C:\VidVK\boddevloc.exe
| MD5 | 16a4bb0fc3d5c44be3028068af1ea1ef |
| SHA1 | 3525da0805ed7773dfef437f24482b727389e9db |
| SHA256 | cab09a5b3c3d84c5b8a2e11a35c3fcb95b6436b3dff8502d6b224492feb4c94d |
| SHA512 | b487b3eb68c80afed0c6cdc0573c466508b36730b7cb654a78fd17c162030a3e5fc360589888ecede135747d71fa86eb3f8f59425aa66780d4645629b11efe9b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 16:30
Reported
2024-11-12 16:32
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | C:\Users\Admin\AppData\Local\Temp\6c9f460d683a17f755527ba44aab6bd58c7bf10fe6d886a5a12887a29abe426dN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| N/A | N/A | C:\AdobeC8\devdobec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeC8\\devdobec.exe" | C:\Users\Admin\AppData\Local\Temp\6c9f460d683a17f755527ba44aab6bd58c7bf10fe6d886a5a12887a29abe426dN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZO9\\optidevloc.exe" | C:\Users\Admin\AppData\Local\Temp\6c9f460d683a17f755527ba44aab6bd58c7bf10fe6d886a5a12887a29abe426dN.exe | N/A |
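The "Adds Run key to start application" tables of behavioral1 and behavioral2, together with the matching "Drops startup file" rows, show one persistence pattern repeated across two Windows builds: a per-user Run value and a RunOnce value, both named `Parametr`, pointing at executables in directories created directly under C:\ (AdobeV7, VidVK, AdobeC8, LabZO9), plus an executable written to the user's Startup folder by the same dropper process. The Python below is an added example, not part of this report or of the sample, that turns those rows into detection logic: it parses registry set-value and file-create events shaped like the rows above, flags Run/RunOnce targets outside trusted program directories, flags Startup-folder drops, and correlates both by writing process. The event dataclasses, the trusted-directory list and the OneDrive control row are assumptions; the other sample records are copied from the tables above.

```python
"""Persistence triage over sandbox signature rows (added example, not sample or report code)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegSetEvent:
    key: str       # full registry path as the report prints it
    data: str      # string data, quoted and backslash-doubled as the report prints it
    process: str   # writing process


@dataclass(frozen=True)
class FileCreateEvent:
    path: str
    process: str


# Value under ...\CurrentVersion\Run or RunOnce. The value name is captured because a
# fixed, misspelt name such as "Parametr" is a reusable hunting pivot.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?P<kind>Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# Per-user Startup folder; anything placed here runs at logon.
STARTUP_RE = re.compile(
    r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\",
    re.IGNORECASE,
)
# Assumption: autorun targets under these directories are treated as expected; tune per environment.
TRUSTED_DIR_RE = re.compile(r"^[A-Z]:\\(Windows|Program Files|Program Files \(x86\))\\", re.IGNORECASE)
# Executable inside a directory created directly under the drive root, e.g. C:\AdobeV7\adobec.exe
ROOT_DIR_EXE_RE = re.compile(r"^[A-Z]:\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)
STARTUP_EXTS = (".exe", ".dll", ".lnk", ".bat", ".cmd", ".vbs", ".js")


def registry_data_to_path(data: str) -> str:
    """Undo the report's rendering: strip surrounding quotes and collapse doubled backslashes."""
    return data.strip().strip('"').replace("\\\\", "\\")


def run_key_findings(events):
    """Flag Run/RunOnce values whose target is not under a trusted program directory."""
    findings = []
    for ev in events:
        m = RUN_KEY_RE.search(ev.key)
        if not m:
            continue
        target = registry_data_to_path(ev.data)
        if TRUSTED_DIR_RE.match(target):
            continue
        reasons = ["autorun target outside trusted program directories"]
        if ROOT_DIR_EXE_RE.match(target):
            reasons.append("target lives in a directory directly under the drive root")
        findings.append({"kind": m.group("kind"), "value_name": m.group("name"),
                         "target": target, "process": ev.process, "reasons": reasons})
    return findings


def startup_drop_findings(events):
    """Flag executable content written into the per-user Startup folder."""
    return [{"path": ev.path, "process": ev.process}
            for ev in events
            if STARTUP_RE.match(ev.path) and ev.path.lower().endswith(STARTUP_EXTS)]


def correlate_persistence(reg_events, file_events):
    """Group findings by writing process; a process that does both is the strong signal."""
    per_process = {}
    for f in run_key_findings(reg_events):
        per_process.setdefault(f["process"], {"run_keys": [], "startup_files": []})["run_keys"].append(f)
    for f in startup_drop_findings(file_events):
        per_process.setdefault(f["process"], {"run_keys": [], "startup_files": []})["startup_files"].append(f)
    return {p: v for p, v in per_process.items() if v["run_keys"] and v["startup_files"]}


# Sample input: rows copied from behavioral1 and behavioral2; the OneDrive row is a constructed benign control.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\6c9f460d683a17f755527ba44aab6bd58c7bf10fe6d886a5a12887a29abe426dN.exe"
SID1 = r"\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000"
SID2 = r"\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_REG = [
    RegSetEvent(SID1 + r"\Software\Microsoft\Windows\CurrentVersion\Run\Parametr", r'"C:\\AdobeV7\\adobec.exe"', DROPPER),
    RegSetEvent(SID1 + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr", r'"C:\\VidVK\\boddevloc.exe"', DROPPER),
    RegSetEvent(SID2 + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr", r'"C:\\AdobeC8\\devdobec.exe"', DROPPER),
    RegSetEvent(SID2 + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr", r'"C:\\LabZO9\\optidevloc.exe"', DROPPER),
    RegSetEvent(SID2 + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
                r'"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe"',
                r"C:\Program Files\Microsoft OneDrive\OneDriveSetup.exe"),  # constructed control
]
SAMPLE_FILES = [
    FileCreateEvent(STARTUP + r"\ecdevopti.exe", DROPPER),
    FileCreateEvent(STARTUP + r"\locdevopti.exe", DROPPER),
    FileCreateEvent(r"C:\Users\Admin\253086396416_6.1_Admin.ini", DROPPER),  # not in Startup, not flagged
]

if __name__ == "__main__":
    for proc, hits in correlate_persistence(SAMPLE_REG, SAMPLE_FILES).items():
        print(proc)
        for f in hits["run_keys"]:
            print(f"  {f['kind']}\\{f['value_name']} -> {f['target']} ({'; '.join(f['reasons'])})")
        for f in hits["startup_files"]:
            print(f"  Startup drop: {f['path']}")
```

The regexes are SID- and case-agnostic, so the same rules cover the win7 detonation (`Software`) and the win10 one (`SOFTWARE`). Because both detonations reuse the value name `Parametr` and two-level drive-root paths, those two properties, rather than the per-run file hashes (which differ between behavioral1 and behavioral2), are the durable indicators to hunt on.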
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6c9f460d683a17f755527ba44aab6bd58c7bf10fe6d886a5a12887a29abe426dN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeC8\devdobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6c9f460d683a17f755527ba44aab6bd58c7bf10fe6d886a5a12887a29abe426dN.exe
"C:\Users\Admin\AppData\Local\Temp\6c9f460d683a17f755527ba44aab6bd58c7bf10fe6d886a5a12887a29abe426dN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
C:\AdobeC8\devdobec.exe
C:\AdobeC8\devdobec.exe
Network (all recorded traffic is reverse-DNS PTR queries to 8.8.8.8:53 over UDP; no other destinations were captured in the 96 s network window)
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
| MD5 | 1f8c7ac7bef783aee0ca3ef93272160c |
| SHA1 | 5df3a67854a0e4be64bb98e7c08582af38c3f2ca |
| SHA256 | f07e340b765e4d5e97efcd33e462300533e7d5c0fbbf77e8a207bc23ca1d1508 |
| SHA512 | 2841494d6adeb93879872123b3b3093f1bdf25b6416a9b88ef99d06ffaebff4ef1cdd714fd2edc053ba5dad24439ab5192de99ff788c1f6ebb1b565f6342572c |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 990b37d892a862925751b1da18ebd4ea |
| SHA1 | 82f1f22c0288d32eb841ac67cd1d41c09fc0442f |
| SHA256 | e5934874e65c3e697af01e0271c2b20678b143dedb33d14cacc0293457a7fd14 |
| SHA512 | b1acdd03c6dd138ad704dd5a111361410706051cc2dfbdcce8869a7023900f751d97af3aaa4a2bffd4d87eefbd6a1c0bb54e2a30ffabb3471df3fbcb3e8019cb |
C:\AdobeC8\devdobec.exe
| MD5 | 86e8500c36b1a9dfa91433752d94ca8d |
| SHA1 | 2c09190f55c18a11200f881ca680901d2f9d49cc |
| SHA256 | 8a8b0b53b826fc5d597057026920bef7966d9eccd6d04cb4809b6d2c3e541f6e |
| SHA512 | 8fbf7c22dd315c71fc74ed13698cdd1c78d9e0b86cc3cecec3636794ef27ac86b0a8d0d9dd49dbd82e4e9d576399b11d62f603fbd56efac997edd7c9aaaa1091 |
C:\LabZO9\optidevloc.exe
| MD5 | 4b2c9451c3193e04923fadbcf694050b |
| SHA1 | 0fd5796987674a0ed46f590de846652f06716a29 |
| SHA256 | cca2bd5e101f507aab4b38faaac5145914d6fab0c0c34fca89aefd2c08e1f6c4 |
| SHA512 | eb5fda9870eb978cfa68b8e79ee84e24d417f913e049a04356f3801c3bb89a737b198dad18c785aad98d1875a0abcc7e61d35cbe7b1ba7a9125e7ef86acea15f |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | c136b24c9581402a4a71c1fcd703a094 |
| SHA1 | 3cbc475114ab5b5d3bb251718af6f4572479411d |
| SHA256 | c088c8b0af231181c8510344c8e9b76e37ebb3d0d02d7fa5afcc5582d22fb1e1 |
| SHA512 | ab3a55970ecb204a74048e52901b2a2e17776f93986d519bbbcfa3f3fa9c1d4df639ea3e4e9923c24892e87b364c1d7fc86bc0f0f2caf1053dd7fd483ad90fe6 |
C:\LabZO9\optidevloc.exe
| MD5 | c13d6c5b009165454f06d69c49a066af |
| SHA1 | e074e818c3739783968ae3d0ffe24aff26182957 |
| SHA256 | 2193fdb1b2f60a56c98fd8d4b9a8ac67b5625063c7bb5b4b7e2c9416ba86ea84 |
| SHA512 | 6e0fd70cbf9c6734ff17cc0dbb31ef0787cb5d261e58c671893d2a8a34346541dc2d638490808e2f5e16107326f5ced8804aa25f1e3da83a9b8b2fce2ecc999f |