Analysis Overview
SHA256: 27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729d
Threat Level: Shows suspicious behavior
Verdict: the submitted file 27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-12 17:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-12 17:02
Reported: 2024-11-12 17:04
Platform: win7-20241010-en
Max time kernel: 119s
Max time network: 19s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | C:\Users\Admin\AppData\Local\Temp\27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| N/A | N/A | C:\FilesGM\xdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid7K\\dobxec.exe" | C:\Users\Admin\AppData\Local\Temp\27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesGM\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe | N/A |
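The Startup-folder drop and the two Parametr values (Run and RunOnce) above are the sample's persistence on the Windows 7 host. The following Python is an added example, not part of the sandbox report, that replays constructed event records built from those rows through a simple autostart check and prints the reg.exe / dir commands a responder would run on a suspect host to confirm each entry. The SID, paths and value data are copied from the behavioral1 tables; the VendorUpdate control row and the TRUSTED_ROOTS allow-list are assumptions made for the example.

```python
"""
Persistence triage for the "Drops startup file" and "Adds Run key" rows.
Added example, not part of the sandbox report.  It replays constructed event
records modelled on those rows, flags autostart entries whose payload lives
outside the usual install roots, and emits host-side confirmation commands.
"""
import ntpath
import re
from dataclasses import dataclass

# Registry autostart value under HKCU (\REGISTRY\USER\<SID>) or HKLM (\REGISTRY\MACHINE).
AUTORUN_RE = re.compile(
    r"^\\REGISTRY\\(?P<hive>USER\\(?P<sid>S-1-5-21-[\d-]+)|MACHINE)"
    r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# Per-user Startup folder: anything written here runs at the next logon.
STARTUP_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$",
    re.IGNORECASE,
)
# Assumed allow-list: roots a legitimately installed autostart binary normally lives under.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


@dataclass(frozen=True)
class Event:
    kind: str            # "reg_set" or "file_create"
    target: str          # registry value path or file path, as printed in the report
    process: str         # process that performed the action
    data: str = ""       # registry data (autostart command); the report shows it quoted


@dataclass(frozen=True)
class Finding:
    technique: str       # "Run", "RunOnce" or "Startup folder"
    location: str        # reg.exe key path or directory to inspect on the host
    name: str            # value name or file name
    payload: str         # executable that would be launched
    process: str


def _unescape(data: str) -> str:
    # The report prints REG_SZ data with doubled backslashes and surrounding quotes.
    return data.replace("\\\\", "\\").strip('"')


def _trusted(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)


def triage(events):
    """Return the autostart findings for a list of Event records."""
    findings = []
    for ev in events:
        if ev.kind == "reg_set":
            m = AUTORUN_RE.match(ev.target)
            if not m:
                continue
            exe = _unescape(ev.data)
            if _trusted(exe):
                continue          # e.g. a vendor updater under Program Files is not reported
            hive = "HKLM" if m.group("hive").upper() == "MACHINE" else "HKU\\" + m.group("sid")
            key = hive + "\\Software\\Microsoft\\Windows\\CurrentVersion\\" + m.group("key")
            findings.append(Finding(m.group("key"), key, m.group("name"), exe, ev.process))
        elif ev.kind == "file_create" and STARTUP_RE.search(ev.target):
            findings.append(Finding("Startup folder", ntpath.dirname(ev.target),
                                    ntpath.basename(ev.target), ev.target, ev.process))
    return findings


def hunt_commands(findings):
    """Commands (cmd.exe syntax) to confirm each finding on a live host."""
    cmds = []
    for f in findings:
        if f.technique == "Startup folder":
            cmds.append(f'dir "{f.location}"')
        else:
            cmds.append(f'reg query "{f.location}" /v {f.name}')
    return cmds


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe")
SID = "S-1-5-21-3692679935-4019334568-335155002-1000"   # user SID from the behavioral1 tables

# Constructed from the behavioral1 rows, plus one constructed benign control row.
CONSTRUCTED_EVENTS = [
    Event("file_create",
          r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe",
          SAMPLE),
    Event("reg_set", f"\\REGISTRY\\USER\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Parametr",
          SAMPLE, data=r'"C:\\Vid7K\\dobxec.exe"'),
    Event("reg_set", f"\\REGISTRY\\USER\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Parametr",
          SAMPLE, data=r'"C:\\FilesGM\\xdobsys.exe"'),
    # Benign control (assumed, not from the report): an installer registering its updater.
    Event("reg_set", f"\\REGISTRY\\USER\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdate",
          r"C:\Program Files\Vendor\setup.exe", data=r'"C:\\Program Files\\Vendor\\update.exe"'),
]

if __name__ == "__main__":
    found = triage(CONSTRUCTED_EVENTS)
    for f in found:
        print(f"{f.technique:<14} {f.name:<12} -> {f.payload}  (by {ntpath.basename(f.process)})")
    print("\n".join(hunt_commands(found)))
```

The same check applies unchanged to the behavioral2 rows further down, where the value name is again Parametr but the payload roots are C:\UserDotVQ and C:\Vid6X; the value-name constant and the non-standard roots are the two features worth carrying into a host-wide hunt.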
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesGM\xdobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe
"C:\Users\Admin\AppData\Local\Temp\27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
C:\FilesGM\xdobsys.exe
C:\FilesGM\xdobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
| MD5 | 73e44f1f47e4972799bf160f015e6382 |
| SHA1 | 128ffe5f83a41f37aaba14f6a64f6080f045fb23 |
| SHA256 | 547c87a1c89f76dbf1bfe39aefc8903a2067ee62606e2bf47139f4397b5b7292 |
| SHA512 | 8da0e5760844bd76a9b3f391153a62127ee3f678fcf1ff867637f7b082c591874d49b45590bb2ed137902366c8e82e26a4eaf0bfce05a4e73221cae7f1a0ff01 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | e37db96e75a868e1ad3d3faac6e0c733 |
| SHA1 | db8aa4bf67a0f6dc962766ab0b84cb92b1ea191e |
| SHA256 | b4bd4ef879b7fa336c229186de61743fbe83293630568aa16c63ed58a3a2d9f8 |
| SHA512 | 8741a8c16a43383b7e49e40ebafc1f660f69d8d435848c57d66707b0f0b8f79c4d6858657fac56a7decd0c6a57bd778d561d69d96cf6e84eca7b5e4e672e1389 |
C:\FilesGM\xdobsys.exe
| MD5 | e22de5f41576f07b7da12b235e19cd86 |
| SHA1 | fcd3338bd3498381399ca2704bc7cf3ea2e05206 |
| SHA256 | 75cb20e5b3f2a2011187aa8dd996028246297da0546bd2dae57a72050cacf00a |
| SHA512 | 61fd65ce1311b906a8c45636c816079bdead81e5b871d2cd89998fce42ad79a4aaf711509e00837957b9313ff21fc423d16666c8fbdfa9288b182ab29ae47dbc |
C:\Vid7K\dobxec.exe
| MD5 | a2af908747e0303548cbd2a5c06b8ea2 |
| SHA1 | a793c506ffe0cc3ddecf62f3eb616df558a761b7 |
| SHA256 | 26b4a8936b61a7fba4027bd690fb5b8719ab5f18abc27a51cdfff6b11bb99f12 |
| SHA512 | 1ba28df9c2b46dfc326249fc620be0a56588aecbee45692faf4644ac6c18b2eb182dc23e3e55b8d57581926d595b6503a60e8d705ef3dc6e2771bc6ade28b48a |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 08f2f11c2c26b0daf18924f338b2c1ee |
| SHA1 | 634fbd15e5744ba735bbc9ba7406b7178098c281 |
| SHA256 | f4352ecd63843d729949ec51ea54f85856cd80920069811ce841cc086c70d07a |
| SHA512 | 9b1f295453bd62ecaad4239e3d1d656a733f177bd6e1f39736f4b06680e6324295656a14caf1a8c2cc3b5cef38447f8a2d7372258c0171452e98e501fb7b8fb4 |
C:\Vid7K\dobxec.exe
| MD5 | 08cefc228d02dd6c33d4df6381be2da7 |
| SHA1 | 8f686c55c4b54cf955a804ab93d328f829c7279e |
| SHA256 | cde0fa3aef7a9dbc90832e063f82e17ba3296aee5409825b0c2b9ea0a2e57ebd |
| SHA512 | fccd8a43789d7f50d745941770b18cab500cf736e2c7594bccc13b97f8892227806c64b9afa09cd13cca70d820d135cb45b1e4df7d5864cf74509a841da6fca3 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-12 17:02
Reported: 2024-11-12 17:04
Platform: win10v2004-20241007-en
Max time kernel: 118s
Max time network: 94s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | C:\Users\Admin\AppData\Local\Temp\27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| N/A | N/A | C:\UserDotVQ\aoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotVQ\\aoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid6X\\dobxec.exe" | C:\Users\Admin\AppData\Local\Temp\27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotVQ\aoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe
"C:\Users\Admin\AppData\Local\Temp\27c04b19777e433450a56d2f684a14ef525fc30dc40a6467215d0d473ce9729dN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
C:\UserDotVQ\aoptisys.exe
C:\UserDotVQ\aoptisys.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
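Every Domain entry in the Network table above is a reverse-lookup (PTR) name sent to 8.8.8.8, and the table records no originating process, so these lookups cannot be attributed to the sample from this page alone. The following Python is an added example, not part of the sandbox report, that decodes in-addr.arpa names back to the IPv4 address being resolved (and, going beyond the table, ip6.arpa names as well) and separates globally routable from non-global addresses; the query list is a copy of the table's Domain column.

```python
"""
Decoder for the PTR lookups in the Network table.  Added example, not part of
the sandbox report.  The Domain column holds reverse-lookup names; this turns
each one back into the address being resolved so the analyst can see which
hosts the VM asked 8.8.8.8 about.  Nothing here attributes a lookup to a
process, because the table does not record one.
"""
import ipaddress

# Copy of the behavioral2 Network table, Domain column only.
PTR_QUERIES = [
    "196.249.167.52.in-addr.arpa",
    "95.221.229.192.in-addr.arpa",
    "71.159.190.20.in-addr.arpa",
    "28.118.140.52.in-addr.arpa",
    "200.163.202.172.in-addr.arpa",
    "206.23.85.13.in-addr.arpa",
    "98.117.19.2.in-addr.arpa",
    "88.210.23.2.in-addr.arpa",
    "172.210.232.199.in-addr.arpa",
]


def ptr_to_ip(name):
    """Return the IP address a reverse-lookup name refers to, or None.

    IPv4 names are the four octets reversed under in-addr.arpa; IPv6 names
    (not present in this report, handled for completeness) are the 32 hex
    nibbles reversed under ip6.arpa.  Anything else, including partial zone
    names such as "52.in-addr.arpa", is rejected rather than guessed at.
    """
    n = name.rstrip(".").lower()
    try:
        if n.endswith(".in-addr.arpa"):
            labels = n[: -len(".in-addr.arpa")].split(".")
            if len(labels) != 4:
                return None
            return ipaddress.IPv4Address(".".join(reversed(labels)))
        if n.endswith(".ip6.arpa"):
            nibbles = n[: -len(".ip6.arpa")].split(".")
            if len(nibbles) != 32 or any(len(x) != 1 for x in nibbles):
                return None
            hexstr = "".join(reversed(nibbles))
            return ipaddress.IPv6Address(":".join(hexstr[i:i + 4] for i in range(0, 32, 4)))
    except ValueError:        # labels that are not valid octets / nibbles
        return None
    return None


def classify(names):
    """Bucket query names into globally routable, non-global, and unparsed."""
    out = {"global": [], "non_global": [], "unparsed": []}
    for n in names:
        ip = ptr_to_ip(n)
        if ip is None:
            out["unparsed"].append(n)
        elif ip.is_global:
            out["global"].append(str(ip))
        else:
            out["non_global"].append(str(ip))
    return out


if __name__ == "__main__":
    for bucket, items in classify(PTR_QUERIES).items():
        print(f"{bucket}: {', '.join(items) or '-'}")
```

All nine names in the table decode to globally routable addresses; which of them belong to the sample's infrastructure and which to the operating system's own background traffic is not something this table can settle, since the win7 run (behavioral1) recorded no network activity at all and the win10 run shows only the resolver as destination.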
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
| MD5 | a2a581db026de8ce1166289fc261d645 |
| SHA1 | 7ce634202504c4ef0982b7bd2b6285c50e6f8c42 |
| SHA256 | 796f6d70eafd68abb4dc07903534361ce2022b73010e856f92ff192550a72f0a |
| SHA512 | 783acf2ab32d43495d8fc8188520bbb37e01563c715423d59c98adb9a1fa077a7f5d91f5ab2f936cf7ef37929afb6779db2cb0b7193397dd892fa150b5950055 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | f58efc30fa7198ae7901d121359d131d |
| SHA1 | ef7a854eaa90538992292d354fba180f57cf46d0 |
| SHA256 | a403724323d870f9120b28d860f9b29f905e68cfee08bb03119ac40272ba2d1c |
| SHA512 | 2699ad90d8c4bdf0f40a70e893f694c9b7adc72513f20e39f78371169c2d50e3ab2a844a85241e500e3a40eb186e4f307712fe08387dcddac818332157b6c958 |
C:\UserDotVQ\aoptisys.exe
| MD5 | 4b518263202f498f7af5c6619fe49bb3 |
| SHA1 | db79fb2628061b174d0260c33ddd44226f6a68ba |
| SHA256 | 09454710f5f1cfed78935b122b403dac84cabc870af3dae7b70bbdbe2638ca3a |
| SHA512 | 431a00ecf19073fc898b4048bd7f19759da6454e9d42030a4a925bd546ff146eb011e7ffbe384463b91f7290516ced29435b51af4d5e872e4086699b6186b001 |
C:\Vid6X\dobxec.exe
| MD5 | 572f2f89fa83cd0e724756eb089249da |
| SHA1 | cbfdd4e1e893e9f876d46a79247f38ade618a89b |
| SHA256 | cf6be1e16babe319685181c0bc39e48b663392fba1475e11b83d9b9b772a2f54 |
| SHA512 | 16d7748321e538202b878a175d219dd117f409a88d9ea0f79d0f873a9872b9c287f5166a26419d18ca54609ccd763dbef4b000816d7a243b0822fd78adb35950 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 48a32d6c46cbdae91007ff6b258ee926 |
| SHA1 | 1193bda0a694270e046718e698707e43a2731215 |
| SHA256 | 1e5deff6e23c5670224ac73e516b1f50997708887db2ccb2e05d4cf7ab632344 |
| SHA512 | e2149d5682e8d429766d06cae9004312aa1072e0ee20c4fa4ecb85941d8c40ddaf6b7f7a4d55ad9ef6329891323d544f423bcbbe3494812048440d5659862072 |
C:\Vid6X\dobxec.exe
| MD5 | c9556a756eb2979a539c7a3389df8db5 |
| SHA1 | c7f3052341b162c945d112a1d85f94e0596b4d0e |
| SHA256 | 6ce36fcd53b50604507da6f65f2b2b08ffefefa43f9c5091ab631d3e8c68cb2c |
| SHA512 | a23f7b8cadf569031aee70f6356f49ccef19c3be2682bcb59b34201a268b4d391eda95ee98fcd3e2852c797fde8ef67ae9568814848427cf4e01ac5c0b5196f4 |