Analysis Overview
SHA256
a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7
Threat Level: Shows suspicious behavior
The file a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 13:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 13:53
Reported
2024-11-13 13:55
Platform
win7-20241010-en
Max time kernel
119s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | C:\Users\Admin\AppData\Local\Temp\a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| N/A | N/A | C:\UserDot8Q\devbodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot8Q\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintWE\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDot8Q\devbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe
"C:\Users\Admin\AppData\Local\Temp\a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
C:\UserDot8Q\devbodec.exe
C:\UserDot8Q\devbodec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
| MD5 | 5e038e3b54da32e5c2fec052224d0cf8 |
| SHA1 | 7dfadd45b28bf7d0ef16ac088443ea2c682a963e |
| SHA256 | 1b3c438e3da10868f9517a5ae3badccc8df2d960b5af82f735a3926e6e302927 |
| SHA512 | aa142f7ae58b64099fd54e58d90a251a10818b1603e2cacf09554876d7f8b0bfcc71024fe00bbf14b55574ac951cad4ca29a23adbe09a0f19a1944f3206f7026 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 76cd0da93c16f75f54f87495e33bf14c |
| SHA1 | 6a60026f16c8399ac354edcc9a04c47a47147aa3 |
| SHA256 | 3f578b3c4a32112216e4ce6735c49c50d5fc184acdb3a4428dd82ba051e4bce9 |
| SHA512 | 60322a2b7ce6686aa89bc0e574e6a63bf1af4aec3806ca35f38db21c08f041aba9aa10621951f97c824b54b76477906b73d41e7726886378d664b5e691298c63 |
C:\UserDot8Q\devbodec.exe
| MD5 | bb608717f32d2778266ec4f5686271b5 |
| SHA1 | 1a7b03186ab57417cba273e4bf48278f08954553 |
| SHA256 | a860d08a8fdbbdb124eae6f71e703110cba5f62a9560836ef953f6ff7b8763b7 |
| SHA512 | a0804185d4a8d996f2e1373a7abdb046742909154e310ef9d8976267ae5d66d3f8802e4c58987d96d4c74fd430bf6d84bdf5d55c7596162e7c4c6a15bfa9cc70 |
C:\MintWE\bodxloc.exe
| MD5 | fc908d4feb76b3359bdcf5d2fcdab4a6 |
| SHA1 | cb176e532916e63ffeca20ff1347e48e25a869d1 |
| SHA256 | 71ad0d29720f8cd577decd05bfe8afcc4d38954895873f6f7d799581e322b305 |
| SHA512 | 3ed8f5ceb0ddef5d4535d3bea254ce701679ad9a7e0bb77b3ff58001a735cf113138f65c1a5f167f3705fff6f432bef03628b7a33c75d651e2b83d8c2dd4312f |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 8747ff0a41173d9f1d778815e79ccd4c |
| SHA1 | 086e66576a87a205ddfdc267b60df5fc46b6e4af |
| SHA256 | 1f99f9f216a790637f6e71c178668752c34e118d8b8e149494c849a650392cc7 |
| SHA512 | 31066b0b57da75dec741f3bda11347af13617bf51b5718918423cdb721a040e09ead8c9426d9dd7c179324c581be4310bcb3299d5fd038775314b61a606adae4 |
C:\MintWE\bodxloc.exe
| MD5 | 64a7f49f5b5066cad879738fa461cbba |
| SHA1 | da40a4efb8861113438dbb64e2b9a9424063777f |
| SHA256 | 9849455f6cc7cc7d6c5d7a4a0de8f2c40774ed6b0ebfd7a5b1820b0264303837 |
| SHA512 | b2948c6873f7554e664d7e782c2bb9e32863fc94f8360c21242a861a09bdd09602be198f6ad1dc6278dcbb5ecd9cdc2db1a610c2175c199ba3b05648f9beaafb |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 13:53
Reported
2024-11-13 13:55
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
94s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | C:\Users\Admin\AppData\Local\Temp\a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| N/A | N/A | C:\AdobeZ8\aoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeZ8\\aoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidY7\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeZ8\aoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe
"C:\Users\Admin\AppData\Local\Temp\a554f597d840653c741859b8e20c490ee739058dca9411a96b0e9e318a4507a7.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
C:\AdobeZ8\aoptiec.exe
C:\AdobeZ8\aoptiec.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
| MD5 | eb17d93a7576dc57780dae8b2d83809b |
| SHA1 | 489bf164d26a985968c59bbe134a1b69ccddc243 |
| SHA256 | 086edbba1d636aa7bd2ded459f11126af8f294506f24082fade630de62c9eb4c |
| SHA512 | 6ffc3f104b1aa30bcf52d7372177aa31e24f0d182b0d988076cf4570eb157ac29cae74e24ac36dc8ea09d1e1f9368554c8b765742ad14c16e5ff2a281b633f37 |
C:\AdobeZ8\aoptiec.exe
| MD5 | 57d83120f986ca9db08459517b2ec14b |
| SHA1 | 7f0549bca047c32d241e8a88b92fb3ed21c6ca9e |
| SHA256 | 06d9affc0cc0cae90248361fed1694f6468e4191f6e976196d6dc55371ba4f9c |
| SHA512 | 23b8a6342f365916d086291a01f6956c45ab44f3ec3776dd8e678061a5f05740fc5b2c3c95787a39642913ecd4f8ab467cf50165ea3c3ae6c25a78d41ab74191 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 735b4c1bcf04ef7b3323004f295a1c6b |
| SHA1 | abdc828f6118b8e54d88f9224089c44a51a208e3 |
| SHA256 | 320c2bfcbeb829195d7ab157ced953b631e0a6c5d396ce26a52fcf70717f0ed3 |
| SHA512 | 0c73f0088abbe809ec161c54ad8dce624affe04816e2535dbaabb6fbcfc726b9ec5cdcc7d6112bb81c1eae96cf39f9ef49317d967892a4bd72099714f644847d |
C:\VidY7\optidevsys.exe
| MD5 | a67608901df8317d8feb584893809d39 |
| SHA1 | 0095f03dc9fe59910ee0ccdc5de8fa5938b95ba6 |
| SHA256 | 02bec78a0ad5d331fb9b1a7cf5670debc725ee154e5b0943d3279b51ae7e9efa |
| SHA512 | a28445d1a34cb592b6da9171f285fa63e91e785ef543bb8c1623535d1b5a088021c0bad62dd39e5d833a8327255edeb2cfc76b63c877cef1e7510e0f0e86af27 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 79ded9a225e5edd59586437c91705a83 |
| SHA1 | 00927bbf3b312deb041294619a0ccc9f3a261b84 |
| SHA256 | 07652b862ce06b991990bd2ab8a6aa7dfe41013b7012b22c4ad76c68fa4dec64 |
| SHA512 | b8342ed13cc81aa04cccc92924fd868161b7d9e329fc82e744d181ae8e5ec377798456f86e60a8f3c1ca6872d37af44cd6f3f32b75489181114d91649d47a4f5 |
C:\VidY7\optidevsys.exe
| MD5 | af5578b726edee5612a9b2bcb9b6a54c |
| SHA1 | 0ac385a233e5a40d00a8f6753c3705c05dd55c3f |
| SHA256 | 025d5e9378bd62d46c115e16239c85643bf1619c564f344fd90dff0743a13f30 |
| SHA512 | f63a1ef166ece21b2376518f434c4f3497a4e8cd162cff1530457a93ed88b5cc3571cbb68705175ed14c2934881a5c3956d571c640f9f913c9528dc7a226369b |