Analysis Overview
SHA256
254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9
Threat Level: Shows suspicious behavior
The file 254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9N.exe was assessed as: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 13:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 13:43
Reported
2024-11-13 13:45
Platform
win7-20240903-en
Max time kernel
119s
Max time network
19s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | C:\Users\Admin\AppData\Local\Temp\254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| N/A | N/A | C:\AdobeRM\abodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeRM\\abodloc.exe" | C:\Users\Admin\AppData\Local\Temp\254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxMK\\bodxec.exe" | C:\Users\Admin\AppData\Local\Temp\254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeRM\abodloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9N.exe
"C:\Users\Admin\AppData\Local\Temp\254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
C:\AdobeRM\abodloc.exe
C:\AdobeRM\abodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
| Hash | Value |
| --- | --- |
| MD5 | 36a15dfca77c71ff36f791f039c4eddc |
| SHA1 | 2697c8f840bffd8826b9bcc1fac3e9b4b00fd803 |
| SHA256 | 5bcba13481c0db6843788f03676a544a315c74b7e7cecc42e57f10d325e8a7a0 |
| SHA512 | 7a4a8d2dc3f2221a7be256aa35ca08f7cd141a332c81d1ec8f38af5debb5bd3a8e0e9fee6de5852b444470d8f8740d24ad709bd0dab9d1bce983cd716de64218 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | dd72145ca1a28a2057ba9ff9bbaa19b0 |
| SHA1 | 655174722a687f4c18c670a89a49081f13a50fb5 |
| SHA256 | 81889d0c638599faafe55b3baddc57f17cbadad673a9278c1870588852546ab7 |
| SHA512 | d50c558eb967ffa8ea90fae5203baafdfa128e19f21f65cf2d11a2da6798695c6c1ea7d1bdcd054c64d01a21d3f4f008515d8ce27fcaa969b9238d2c79f04c58 |
C:\AdobeRM\abodloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 00dba6ebfa579573b247364c15fd22a6 |
| SHA1 | 17f6f39c89a59c9956ab2f2e78c344c2645e389c |
| SHA256 | 60ca215e194e40d1538f4620ba0ad51ee2a06b1249a7ff1650b3eca1f3d671bf |
| SHA512 | 707731e32e84c83afc1239f06543e53c7198bed19b85af28c19a6ea91b58cac45efecd5f16dc587f21797f5bbab63a91219fe6374cec44b544e8ee8a4d57c2cb |
C:\GalaxMK\bodxec.exe
| Hash | Value |
| --- | --- |
| MD5 | 35f9efa4c6c295a5a03185ba83ab3585 |
| SHA1 | 5f005917eae6e6b3dd32ee7d7ff4f223046c2330 |
| SHA256 | f88c487994fad7af5b73de251151e5b54d664c2f361c55d777abb0acaa1cce55 |
| SHA512 | bf9aaf162949e9227d8375b9fccb63c32186d151807ddbe8a39ac0ad6d8481c3ee386f8c3f540c118a2522e8745074c945483de6b9433d1f2c64795ced95f134 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 4ad6b703d7980854b1064f85007e3955 |
| SHA1 | 5162e6622a9550b818fa5399416e59431214c80c |
| SHA256 | 1e5f8648ed00b31b9257f0dbb34141435efe1c457be9adbb9b4c941202b40a6a |
| SHA512 | d20694005f38e2a14f733d4e297224c3501cffb977819775c560f0d6cd42d80e0c493626ab9cb5ab5fc6e7b66ceb31f885166078589c2be6e0ddb0e35a607d7d |
C:\GalaxMK\bodxec.exe
| Hash | Value |
| --- | --- |
| MD5 | 7f87faff6f5a4c6be9fa102366148ec4 |
| SHA1 | e26bf725165d640e64e19e49d0765bc9663f95e7 |
| SHA256 | a2ccb7f4b4eb6ce3efe5c44b143e518f0d5623c895a142120396fcd942c08a44 |
| SHA512 | 304f2ccb267ea4b2e9f6b9dda5578a5f74e302d27c1d5f6cca6a5757e97af91e914d0ef7057f6c4ce286863bd24f2b39c6abb7cbbe91eb7be9e614c3a2111bea |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 13:43
Reported
2024-11-13 13:45
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | C:\Users\Admin\AppData\Local\Temp\254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| N/A | N/A | C:\SysDrv3G\devoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv3G\\devoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidES\\dobxloc.exe" | C:\Users\Admin\AppData\Local\Temp\254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrv3G\devoptisys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9N.exe
"C:\Users\Admin\AppData\Local\Temp\254b7116f093982a2d12d69e870de18b68d46573513efe79d23a6d31bcab27f9N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
C:\SysDrv3G\devoptisys.exe
C:\SysDrv3G\devoptisys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
| Hash | Value |
| --- | --- |
| MD5 | 8ea25827e6f6ba00f55fc145c35332bf |
| SHA1 | c2e639323fa5e7f9b044d43e8e4b91cda4c9af9f |
| SHA256 | eb6a33d33364fff6df9265287726eacd001211b6881fb5f951ab120db0eec391 |
| SHA512 | 01c21d46f846d96d0f2dc13252c224d385ab9464319696b434d0e32e7fa8b830a87568a2d049cf44a5b0a5ce07211ca1c8d87bf2edd8147e611e0a929d760fd0 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 8bdf6ba25702a210b0b19a780077487a |
| SHA1 | c78564a68da3ec3b4ea85435bbd897771691f5cf |
| SHA256 | 7d41e0c7b065a768070663c920f57850694ed5e5c30ee6359aa785ce0efe32bc |
| SHA512 | b49183bc4ab81b5b4b0c56d70f2c71d7901b9d72593ec61a372db181fd47d4aa62f583f3233cc245d4f26d24a55a8f0a2fca8614ddaec13091cfa243523c143a |
C:\SysDrv3G\devoptisys.exe
| Hash | Value |
| --- | --- |
| MD5 | 1b8d209a916e4df2fabae7e6b4223451 |
| SHA1 | 6d758c0f47189b7d688f68541c37ff6fca29206b |
| SHA256 | 31ebae1d8b321f0ae14fe7992d34db5fe42bdcff10ac94c3839b9aac763ada33 |
| SHA512 | e0ad7920904f937435f7ab5591f8fbabffef62a9e8b01dff5c2176ca1b8d513b6c054e72b9807fb52f83331d4203d226f13b1fe046bc2517988207d96a70fee1 |
C:\VidES\dobxloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 9262cab29eba6c8ec58cf55dd510774f |
| SHA1 | 9c109088d1dc40745dede1654950cf3c14a07d0e |
| SHA256 | e30f45b4f1ee5afde05ab748a8efaf1830710f480600bd9792e3a66ea5f9f945 |
| SHA512 | 2241d5680489d6b0281a7b46d1c23f8106426f9078273c98fc99c381f0e3e738acc7e4684387d72ceb40a071fa85ba9a8df3e8edc6bb55c25a029dbebf437004 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | c4792cf4c53acdcaa73b6ac606d92ade |
| SHA1 | ec561364b2b1d4a897d73716037f10040969b0db |
| SHA256 | 18e2bd71f1147b028774719b10a0a8b6cdaf1140134beca8ee88dd1022a03d20 |
| SHA512 | 602c36eab0b4bb650b76081343acfaddbff8cf63def9285c22c3e446e39320852b33b90f1967a53bd5678f25636b21f352c2cd37b08490b7f3a9cb88331e073e |
C:\VidES\dobxloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 4dbea43aa7eddd1d9b9d39a8073e13ef |
| SHA1 | a0e2a404da25eec1c2ea91bcdae2087a7f29755b |
| SHA256 | 0ce075e00ccef6294dddfed236962290424044a716afdc3741e495774d96d5e2 |
| SHA512 | 6b3d2842a4e4433414e0aa91dadd58cf3ce95e3e21041d63c152a603c16fb1c7494c33a707e9091dfb349fdb8ec071ac1fc1f9e7cf20d901b81da49fbca825c3 |