Analysis Overview
SHA256: ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331
Threat Level: Shows suspicious behavior
The file ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-12 17:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-12 17:22
Reported: 2024-11-12 17:24
Platform: win7-20240903-en
Max time kernel: 120s
Max time network: 16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | C:\Users\Admin\AppData\Local\Temp\ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| N/A | N/A | C:\SysDrvWH\xbodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvWH\\xbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZEP\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvWH\xbodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe | "C:\Users\Admin\AppData\Local\Temp\ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe" |
| C:\SysDrvWH\xbodsys.exe | C:\SysDrvWH\xbodsys.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\LabZEP\dobdevloc.exe
C:\SysDrvWH\xbodsys.exe
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-12 17:22
Reported: 2024-11-12 17:24
Platform: win10v2004-20241007-en
Max time kernel: 120s
Max time network: 96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | C:\Users\Admin\AppData\Local\Temp\ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| N/A | N/A | C:\Files1J\xoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files1J\\xoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ45\\dobdevsys.exe" | C:\Users\Admin\AppData\Local\Temp\ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Files1J\xoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe | "C:\Users\Admin\AppData\Local\Temp\ff435d9095ae80cf76a3214def9bb7943e9a6f34e094cc149ac2431618a66331N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe" |
| C:\Files1J\xoptisys.exe | C:\Files1J\xoptisys.exe |
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\Files1J\xoptisys.exe
C:\LabZ45\dobdevsys.exe