Analysis Overview
SHA256
c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783
Threat Level: Shows suspicious behavior
The file c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Reported | 2024-11-13 13:27 |
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-11-13 13:27 |
| Reported | 2024-11-13 13:29 |
| Platform | win7-20240729-en |
| Max time kernel | 119s |
| Max time network | 16s |
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | C:\Users\Admin\AppData\Local\Temp\c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| N/A | N/A | C:\IntelprocEB\xoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocEB\\xoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint68\\dobdevsys.exe" | C:\Users\Admin\AppData\Local\Temp\c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocEB\xoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe | "C:\Users\Admin\AppData\Local\Temp\c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe" |
| C:\IntelprocEB\xoptisys.exe | C:\IntelprocEB\xoptisys.exe |
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\IntelprocEB\xoptisys.exe
C:\Mint68\dobdevsys.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\Mint68\dobdevsys.exe
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-11-13 13:27 |
| Reported | 2024-11-13 13:29 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 119s |
| Max time network | 94s |
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | C:\Users\Admin\AppData\Local\Temp\c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| N/A | N/A | C:\AdobeDO\devbodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeDO\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxSM\\optidevloc.exe" | C:\Users\Admin\AppData\Local\Temp\c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeDO\devbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe | "C:\Users\Admin\AppData\Local\Temp\c526f391bdbc0203430a11e0cd55cdc053ffca97f05f6390811e45975f3d7783N.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe" |
| C:\AdobeDO\devbodec.exe | C:\AdobeDO\devbodec.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locadob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\AdobeDO\devbodec.exe
C:\GalaxSM\optidevloc.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\GalaxSM\optidevloc.exe