Analysis Overview
SHA256
9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff
Threat Level: Shows suspicious behavior
The file 9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 17:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 17:20
Reported
2024-11-12 17:22
Platform
win7-20240903-en
Max time kernel
120s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | C:\Users\Admin\AppData\Local\Temp\9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| N/A | N/A | C:\IntelprocEB\xoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocEB\\xoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint68\\dobdevsys.exe" | C:\Users\Admin\AppData\Local\Temp\9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocEB\xoptisys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe
"C:\Users\Admin\AppData\Local\Temp\9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
C:\IntelprocEB\xoptisys.exe
C:\IntelprocEB\xoptisys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | f7bbbe63d08cd2c4f03f1410c03babe0 |
| SHA1 | 78d6b554738ac14676d7983685604804f2e3c85d |
| SHA256 | 4ef111329dbd956b9ee54e8ead92a5d6d599acb3c78e3626f2d0a08f4f580e00 |
| SHA512 | 99bedb97a9316a71881c3aaddc87955e07d4c11ec869655622cb4babaa5d42785bdd9ecdd16dbc906c9a7793fae3dcad45f22c9a197c308c948c58370210f8eb |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Algorithm | Digest |
| --- | --- |
| MD5 | 4e250eea6d637519d06bd3ea2e364c82 |
| SHA1 | d77a819b2ceed516bda6b5d9e37bc9a1d986ba61 |
| SHA256 | c12da5c4990437f98a18cc056471a65736936f8f5c584fe43679bb075417cdfd |
| SHA512 | ed01a5ac23af60618ad9a7562c2104c72fafaf7300a78bd1d87f408506907ff13de22bc1524bb5d4d513e60baf8bdc8d57a7f47fb06f1d97111e8fadcacfc411 |
C:\IntelprocEB\xoptisys.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 39053d08c0de46ad50422e20f7bf0984 |
| SHA1 | c1f151635774d23df727dd49d0c717a4f93df878 |
| SHA256 | 82eebf075775d329780d34a344e6d2c0a62d15a77a608e8348796e7302002c44 |
| SHA512 | 362a38396bcb49fd5884a7bdf2ea6fdb082ea8919b4200b6995d10b8e136e6f13d554b7de7713b82533fb498b1475a7345cfee8fea0ce907d578e8d78791e04a |
C:\Mint68\dobdevsys.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 21724904412ced6ed1909afc0c065493 |
| SHA1 | 3633843e9aa433a89aa824bd841109863ca6b540 |
| SHA256 | 6d2467ede8dfe9fb788a93081f49dbe5b3e29d27e1c952940360672c9fc35468 |
| SHA512 | e55433779d916a7f1848baba58e60af3b8ba0eab438fd7dd00ba76a8fcd0d728822703e662d3e55373cd753d4efc8f0867af55f11a86fbf5664318a25b82df66 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Algorithm | Digest |
| --- | --- |
| MD5 | df1cf93acef6bbb50eb9363516f2b378 |
| SHA1 | 7cd95835b17875e0c0e39f3aaad16f759542bc9d |
| SHA256 | 3294e26fb7c2f441575b8a567be163e0e7a4bde79cb345d93f500129c7f523f1 |
| SHA512 | d6b256a96b9e6696fed550f41cc7579ff67901bc82c4739be6b4b5d053d20b0fd94fa983843deb9bd7912d4ebea154aab8dd325a1540787ee4262fe9b787fa77 |
C:\Mint68\dobdevsys.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 963c50449329f83f2066c5bb0a1785cc |
| SHA1 | cf8d9ef243caf8cf2b18c5fb23cd0b72b5d826b1 |
| SHA256 | 03e95f353f16e632dbf6f5e997a10ee8db10896b8134ec01c0552028b2e87202 |
| SHA512 | c2c2f4110fbc5ebd7fa3c27e25e256f3bc22ec169bb1c591ccff9c4021fa1d1d31b7fa9c229124457a40fdd3f6880765233895e0883ab0202b169f2fccd0a671 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 17:20
Reported
2024-11-12 17:22
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | C:\Users\Admin\AppData\Local\Temp\9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| N/A | N/A | C:\FilesAE\devdobec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesAE\\devdobec.exe" | C:\Users\Admin\AppData\Local\Temp\9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZWH\\dobdevsys.exe" | C:\Users\Admin\AppData\Local\Temp\9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesAE\devdobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe
"C:\Users\Admin\AppData\Local\Temp\9973fe4839005b51190a683ee34cfdc1ab13e097da8733894283aa96d39ca4ff.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
C:\FilesAE\devdobec.exe
C:\FilesAE\devdobec.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 3d9f11f7fe8c49c5ab088e5ee7a83380 |
| SHA1 | d0602abe6de37927984f9f94cffb6a2321355a29 |
| SHA256 | 42851bf91c8d5f9f9d4cea0010892691b8cba3a08d8f9b55848960a15946b7c2 |
| SHA512 | 605d180d3ea5102d9a9d25314b4e09f9c08d8061235c1c7fc4946cba106ac92b9de0fc93088813032702e827b4dc8b7a9429695d32d1fc3c016683bee069169e |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Algorithm | Digest |
| --- | --- |
| MD5 | 8607b45399549c56d415a514d5422134 |
| SHA1 | 477cbd16a26f88ec71a6aff1e92ecc757ceac6e9 |
| SHA256 | a2b7469b14407ccf3591129f1f9fd63325d665f492beba8c1b9e92eb2c9e262e |
| SHA512 | 6330eb621528e81ad6055777306700950f1e5a7a7bcf6c612e693f60668552ea681f9f205cb1251f6a9a425b344a96f88cfc37176b10b10571788b80fc05c2ad |
C:\FilesAE\devdobec.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 50b85bb2124a77874a4f765bffd4eb2e |
| SHA1 | 245fc52e1d47a70d8aa1752a6487e50a498d4753 |
| SHA256 | fe23a8fa0351e0e177b1507beb0400b177ffadb2639706ff124e39fccd16ac45 |
| SHA512 | 0ba470edca3d14d09f1ffea9f7d4ff16791f3849aebd425e57c1278d68ac293cc68eb5f4c04f89e2ab362d3d234149e0470894b084d7c92eb55b43e23eca5449 |
C:\LabZWH\dobdevsys.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | f5650fd987871096af4b663b2f8dad94 |
| SHA1 | d0236eb2f8108f8d2eaecdfcf5a92a531108bc32 |
| SHA256 | da5ac14e2514d6cad2e24b080f8bc08ba97ea0047ca769aeacbac8ea4759deee |
| SHA512 | 91331663f9035f94921d1372fce3c710370f602bb0b19ad2d4313cace4772c31f227f5aaebdda0625b9421fedded54fce9d7ee832018c1e51a5de8138c6a438e |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Algorithm | Digest |
| --- | --- |
| MD5 | bdb443e6527ca2e61c72869c7429a865 |
| SHA1 | a17c535c67f35ec3f7665fb8cf8897c99f45f39d |
| SHA256 | 46ba9a4c6ceb75bed5aef74ecbcfe3b5e9ae3a98468d33cf9e55ddda8b823ad8 |
| SHA512 | fcf4ef99ba82c892e0bb452fe74467386cdb4b456c380a30217334ae7d7835aa7e7e13c419d902da1a297b0a980301a935ac721545292474da527d85091fe0cb |
C:\LabZWH\dobdevsys.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 844abeb2bbb32a2267664a2676846366 |
| SHA1 | 898f0220d9b8e9f7a1497c0db61bd3d1693e22dc |
| SHA256 | 1177adde22ef21aa76e2f024ce306ff77221dee3a64ac815c756b2bfe729175b |
| SHA512 | 267b8328e1e998eb81f7deb91d646a747e944edeedc6ab9aa7b98fe7ace382db8778d8c5cbb200a564ad619fce0a4156c9c63e7eb2815750078d773a8b91ba94 |