Analysis Overview
SHA256: 778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb
Threat Level: Shows suspicious behavior
The file 778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-13 13:51
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-13 13:51
Reported: 2024-11-13 13:53
Platform: win7-20241023-en
Max time kernel: 119s
Max time network: 117s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | C:\Users\Admin\AppData\Local\Temp\778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| N/A | N/A | C:\IntelprocMU\adobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocMU\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZAE\\optiaec.exe" | C:\Users\Admin\AppData\Local\Temp\778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocMU\adobloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe | "C:\Users\Admin\AppData\Local\Temp\778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe" |
| C:\IntelprocMU\adobloc.exe | C:\IntelprocMU\adobloc.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
| MD5 | 482e37d03a1881a5e4dcb1efa21ab11e |
| SHA1 | 137976633784ad76a06d229d67d823dd27b58736 |
| SHA256 | 51ddd8eb098a2f84bb9f59ca4aac5bb3b18b2b2464d6eb8485c37749a7eefccf |
| SHA512 | 45266b00f66e1e83a39b243729547393efe162f97c64251ea2cef33f0d16261575ce9f473396f61b27b51ba61387315f5193aa5c4534f6c5f93f112320a16b81 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 52e4b03353bbe09174388d71a040476e |
| SHA1 | 18f5a7e86d84ce9e548bf669d6c69fa9ee9c0e1d |
| SHA256 | 91f56def559fa3778c6cfd79a512e06aebba0ef85a7743718ef8d97cf99919c7 |
| SHA512 | ce7afce8080d17c8d4464db140d08c9154f7c9399bd4b87207ad4e05d147c4ad87af51b0a91ed05d78773e5287b0cf2d8043aa3a60d276b842ef33ac8c0db699 |
C:\IntelprocMU\adobloc.exe
| MD5 | a706c8baa8b0b12b7023bfd712e23f5e |
| SHA1 | e262a6a517f5ae526cfb9797ef102ad0c419ce51 |
| SHA256 | ab294209a9f0f881fe9fb981fb2189a2bbfd1844d0118a468e564fda5b2ae2c4 |
| SHA512 | bb82273dc085745e6a1abf1703d4c314d7ea44a4250cca6920711723214a50e2aa1e589fe367669f18d319c83af67604e434bbf0c13adb3f3f7587bb585aa56f |
C:\LabZAE\optiaec.exe
| MD5 | dab8ff3571b3172ef4ef8e579a1c9ba9 |
| SHA1 | d1b6e8fc0b7f29944e3ece75e825eb91787c1b4b |
| SHA256 | f6f8daf7fa8cfa4414bcc8d256847822d893b99aa71eba3a62042e241e8cf4bb |
| SHA512 | d7c0f28ceddcacfa986a4e2785b999afde4bcb62c63406bba2b1eed682770ed28460f4606fb7b0270f54c4c85ef602f3bd432f994bb0829264e8ac2026e568b2 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | b3ca6af2db8208c473c801dfaa890ea5 |
| SHA1 | a8e476a3a1a09ac4dd79d86fb06f5a69516eac3a |
| SHA256 | e0ab39870c696813f6da52f288084953051a5a9addcbbbf48e7b665f8a80de57 |
| SHA512 | bfe2a9c16d9b4f163eda4cfc9332adc58afe87c0fa26e073c6488eabdd97243b358c08baa9159937b984fbc1cd7f9564e5b1e30a013d896dc60c7596442daee1 |
C:\LabZAE\optiaec.exe
| MD5 | 5d94eab258146b91f8f3a3e75dfc07c6 |
| SHA1 | c0aa13aa4ad0fba6bc5da7c968aad439b4103cc4 |
| SHA256 | 121ac97b8a7a52a72df9039f6614b6b5f12f144ac812b0afa297972f7fdc0ff4 |
| SHA512 | e9ff0e9805be15e8cd9a3c2e722aba2208ea111b0895ace8d3fad165c0ea65ae0d50c39585a79af66906c5c134b0b332466e62d205345b489a146a8236a1f0ff |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-13 13:51
Reported: 2024-11-13 13:53
Platform: win10v2004-20241007-en
Max time kernel: 120s
Max time network: 95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | C:\Users\Admin\AppData\Local\Temp\778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| N/A | N/A | C:\IntelprocC6\devbodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocC6\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB2S\\optidevloc.exe" | C:\Users\Admin\AppData\Local\Temp\778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocC6\devbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe | "C:\Users\Admin\AppData\Local\Temp\778655b63df69ddfedf1f30664f597ccb6c8e468e7e345efbc1b4a3aa5a81beb.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe" |
| C:\IntelprocC6\devbodec.exe | C:\IntelprocC6\devbodec.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
| MD5 | 25575e7168bc8168a14f556a89928e56 |
| SHA1 | 19dd3ff4588c0b4f07dcdead51612798695e613c |
| SHA256 | 2445ed3fc264b0ad40cc03fa7aa05239d3211d1763879d67855e4f7e4d95f5a9 |
| SHA512 | cd58a26082f76ee3808e4230c2620523afba86f75b4421d6942899d888e922d539755c7dff605d2578242a112eb0dcd0f6002ba9403bfe48cd1198395a93652c |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 7c97a222141cfe806981508621c31d23 |
| SHA1 | 2a4ada46e919b83cf01e2cc92d9c93ead6748c0d |
| SHA256 | 8cb9339849b15b433e7a0b987657ca000781a84520cabdfddb5a4d41569b091c |
| SHA512 | 9a0acf843fad85fd09ae54f8a793ec395b13730293eeb8972e41ae9f550a887d081bd20fe0ebeb002d17571571f4711b277fee308ee2424dc6b28099789746a7 |
C:\IntelprocC6\devbodec.exe
| MD5 | ba90945c50dc76629b19a2d3736c46be |
| SHA1 | 23916a68c2708b157c8f45bd791d53fcbf528bbb |
| SHA256 | 5c734b18e6a604d0ffc61ac3d4e729013e576db11cd3afb3f37f29c89cb85552 |
| SHA512 | 4cca798af1519e8f14d4dde5f8c792665132be6f052a75c52daec3d40375c95da8ca91d5da5b91fe378c1db1a35bfb6cffdfc7020ef076723ab9c28c4aea11f1 |
C:\KaVB2S\optidevloc.exe
| MD5 | bae5eb085a9f023b8d36e2a083933bdd |
| SHA1 | c8f3b383d6ce74e8606027a03db4b0ae08c513b1 |
| SHA256 | b505b72bbec0ac5ef11559a9e1cd5d9b176f6b03b0dc9296023c144e105605ab |
| SHA512 | 93d15b5bec81644cf4030f24c5941cb76efb1e539e47e25ee9c722db4b1b52b8ec129fef26b9080ad23fe6b7d1f0752e3a263040aa5557656967acd4d5e485f3 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 9f22aaa0f43d47cf3e91fd643d4e6b60 |
| SHA1 | ee688f0699c2ee569074c443bc9ab9f9b7e21a78 |
| SHA256 | e17ea0e1dbf000af8477d8d9ff80633c1312207c8272f103845dd012df772349 |
| SHA512 | 1d26fe7954b2d8efc5b465cc25f823b03818fe10cebfcd3af95d644a5b78bd5be2c8de1c0f2e9065594fd5d99c2d2c8c71b570dfd56825527f699e9f2c08fa0b |
C:\KaVB2S\optidevloc.exe
| MD5 | 4503f43350c98c8ae658355212079b8e |
| SHA1 | 86a7c7b6166b332571b70f2c7968ccd7041910ad |
| SHA256 | d3ef657c1718994cb918dfe420c88ca1b61057911ac87c1c6259f4b6c7efd3d5 |
| SHA512 | 429556b723819c1abb3db86673b150b85b621667926e1510e8ace318e36bf638cf4531a27c8a9a224e1acc8279e94e041f50e88c9b5b824c6bb8f7dabcaa6307 |