Analysis Overview
SHA256
acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699
Threat Level: Shows suspicious behavior
The file acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe was assessed as: shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 13:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 13:29
Reported
2024-11-13 13:31
Platform
win7-20241023-en
Max time kernel
119s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | C:\Users\Admin\AppData\Local\Temp\acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| N/A | N/A | C:\IntelprocPY\devdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocPY\\devdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBBM\\boddevsys.exe" | C:\Users\Admin\AppData\Local\Temp\acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocPY\devdobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe
"C:\Users\Admin\AppData\Local\Temp\acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
C:\IntelprocPY\devdobsys.exe
C:\IntelprocPY\devdobsys.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
| MD5 | 4ad3510a2d7a001f054951f118210e89 |
| SHA1 | 7313c496f6b20c098ecfbef58580439aae9d18f4 |
| SHA256 | 3df8c76a1d839427c2a69ee0d63a725d652ddaa98bd2ffedb8953bc667cb60bd |
| SHA512 | 60ea8a289c7dd7383b06bf4daa49163be6d42f1ed1261b4d9321eab615ad40349e0eb5e2699e09fcb452ee77c5e9824bd764ad5501cdace9f15222b3fde625c9 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 072bb19ae9212a926c42cf0de529f0f7 |
| SHA1 | 5f93461997d3094f4207eb0227fb41d1f654e793 |
| SHA256 | a4cb861a4f407f2c3c27c5d5de5d9cf9f8b70ae33c684a6ca860f92840e07ce8 |
| SHA512 | 3bea77ae2db85c9ae67dc42737c07c3b5a964c26f7de43aa3bf659d74a2b8965a88f957ba880e28a07e2196072c61c5536f567356daf4521005c3bbe1545f597 |
C:\IntelprocPY\devdobsys.exe
| MD5 | f9a4288fd482fb077412b3534d46fa7a |
| SHA1 | 733b4a3f9b4ab3efdfd6040fe01a66b3d3beda7e |
| SHA256 | bc3ce9900a875cdd4887aa518e5c37ef3413f7262facd6557223290194f01ff5 |
| SHA512 | b6b2f2059e88f14bb5dd8bc841b7a2147813abfe44435b2f6a129a4ed7766b362634334c11b7b728768f0236e8ba5623ae475d3691ac8812e49d9af34617706d |
C:\KaVBBM\boddevsys.exe
| MD5 | 882fbe35b80e55ea56238f8bf34ef21e |
| SHA1 | 96190792374fc976b2cc7a32ef9283901b0d365a |
| SHA256 | d267027755dbfe289030b58ff850e6670de8934bebd6ad325468a05f80326746 |
| SHA512 | 43dc916f41494d9f101ffe8b4f8e1e0db02b794730a047dd5a0f7534efba800814694549a4d02ec03cc3655cdc33556a353ea3e622ed73660befe2f9c9f368c5 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 67d36e89de2dd323c91b113e2f962e4f |
| SHA1 | b619cd837f9c06e517dddfc8a9962e19998fa2cd |
| SHA256 | 0a98b91a54540354ef5c8b03a8ec81764a9f936014728346c39e57f149681a25 |
| SHA512 | 996bd897635c6e9a692f33183b304e7181a118b87fb0ae85e1d0e073df6f9c0cb0c597d07327faf4dba1ce308bbf62884cb938dc79d6ce172a67cfca32fb4f50 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 13:29
Reported
2024-11-13 13:31
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
100s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\UserDot23\xoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot23\\xoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidVB\\optixec.exe" | C:\Users\Admin\AppData\Local\Temp\acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDot23\xoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
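The persistence indicators are the same in both detonations even though the dropped names differ (ecadob.exe / locdevdob.exe in the Startup folder; C:\IntelprocPY\devdobsys.exe / C:\UserDot23\xoptisys.exe and C:\KaVBBM\boddevsys.exe / C:\VidVB\optixec.exe in Run / RunOnce), while the Run and RunOnce value name "Parametr" is constant. The script below is an added example (not part of the sandbox report or its tooling) that matches these indicators against Sysmon-style registry and file-creation events. The event records are constructed to mirror the report's tables, the "expected roots" heuristic is an assumption of this example, and the benign OneDrive entry is constructed for contrast.

```python
"""Match the persistence indicators from the sandbox report against
Sysmon-style events. Added example; event records are constructed."""
import re

# SHA256 values of the dropped executables as listed in the report's Files tables.
KNOWN_DROPPED_SHA256 = {
    "3df8c76a1d839427c2a69ee0d63a725d652ddaa98bd2ffedb8953bc667cb60bd",  # ecadob.exe
    "bc3ce9900a875cdd4887aa518e5c37ef3413f7262facd6557223290194f01ff5",  # devdobsys.exe
    "d267027755dbfe289030b58ff850e6670de8934bebd6ad325468a05f80326746",  # boddevsys.exe
    "3e18f2bd334c8b66dd332e0817e091cebd125bba22c1e128fdcaa025a968def7",  # locdevdob.exe
    "1c511c565eae19d9a8244345375baae20b530e088b6dcc0e8bdb875d7c37e131",  # xoptisys.exe
    "a45c9ff8cc901b1702f139060c27d0c16d87861fe226b4182c816940f6ffc473",  # optixec.exe (listed twice, differing hashes)
    "b16a5b08e31dc92faa667ba8f280a734ab16ba01da682c3eef5469414f1880cb",  # optixec.exe (second listing)
}

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.IGNORECASE)
STARTUP_EXE_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.IGNORECASE)
EXE_PATH_RE = re.compile(r'^"?([A-Za-z]:\\[^"]+?\.exe)', re.IGNORECASE)
# Top-level directories where an autostart executable is ordinarily expected
# (assumption of this example, not something the report states).
EXPECTED_ROOTS = {"windows", "program files", "program files (x86)", "programdata", "users"}


def autostart_path_is_odd(data):
    r"""True when Run/RunOnce data points at an .exe inside a directory created
    directly under the drive root, the pattern seen in the report
    (C:\IntelprocPY\devdobsys.exe, C:\UserDot23\xoptisys.exe). Heuristic."""
    m = EXE_PATH_RE.match(data.strip())
    if not m:
        return False
    parts = m.group(1).split("\\")  # [drive, top-level dir, file]
    return len(parts) == 3 and parts[1].lower() not in EXPECTED_ROOTS


def evaluate(events):
    """Return a list of (rule, detail) findings for Sysmon-style event dicts."""
    findings = []
    for ev in events:
        if ev["type"] == "registry_set" and RUN_KEY_RE.search(ev["key"]):
            # The value name is the stable indicator across both detonations.
            if ev["value"] == "Parametr":
                findings.append(("run_value_parametr", ev["data"]))
            if autostart_path_is_odd(ev["data"]):
                findings.append(("run_exe_in_root_dir", ev["data"]))
        elif ev["type"] == "file_create":
            if STARTUP_EXE_RE.search(ev["path"]):
                findings.append(("startup_folder_exe", ev["path"]))
            if ev.get("sha256", "").lower() in KNOWN_DROPPED_SHA256:
                findings.append(("known_dropped_hash", ev["path"]))
    return findings


# Constructed events mirroring the behavioral2 tables; not captured telemetry.
HIVE = r"\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000"
PARENT = r"C:\Users\Admin\AppData\Local\Temp\acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe"
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "Parametr", "data": r"C:\UserDot23\xoptisys.exe", "image": PARENT},
    {"type": "registry_set", "key": HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
     "value": "Parametr", "data": r"C:\VidVB\optixec.exe", "image": PARENT},
    # Benign autostart entry, constructed for contrast.
    {"type": "registry_set", "key": HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
     "image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    {"type": "file_create",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe",
     "sha256": "3e18f2bd334c8b66dd332e0817e091cebd125bba22c1e128fdcaa025a968def7", "image": PARENT},
    {"type": "file_create", "path": r"C:\Users\Admin\AppData\Local\Temp\notes.txt",
     "sha256": "0" * 64, "image": PARENT},
]

if __name__ == "__main__":
    for rule, detail in evaluate(SAMPLE_EVENTS):
        print(f"{rule:22s} {detail}")
```

Matching on the value name and on the drive-root directory pattern survives the per-run renaming the two detonations show; the hash set only catches the exact files listed here.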
Processes
C:\Users\Admin\AppData\Local\Temp\acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe
"C:\Users\Admin\AppData\Local\Temp\acdc069b115f4b24845c89208ad69c0c6b6c166ea9a12db073ed262bc829f699.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
C:\UserDot23\xoptisys.exe
C:\UserDot23\xoptisys.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
| MD5 | d8ee8dc43910b478dd7d9d92fe0071e1 |
| SHA1 | c777932663e0f5f6eec327fdb2969f7caae01a33 |
| SHA256 | 3e18f2bd334c8b66dd332e0817e091cebd125bba22c1e128fdcaa025a968def7 |
| SHA512 | 855d29c3a9802993bc8a2614c50f22e655ca0c87728f51cb3fe2d3e7b0ed7af7df39c2819888117061d1f6808c9e6ffca97269824bcb21c1f7be37d51e337161 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | f3ed21f118893b12486815d2656b758e |
| SHA1 | d438044644371fdc7ead55a675971d60ba5b6a5e |
| SHA256 | c5dff8a3f833cd2ed34392a0496541d2de72cb16a6536f90df3fde5826dc51c0 |
| SHA512 | ffa72064dac6dcf740fab2c3db12fd5462e1ee2224001deb80b6f5ddbeb180cb352d7e69f0467910d3f439d23a7ba400aaeb3e7d82332f5b4ff348a8c2a5e913 |
C:\UserDot23\xoptisys.exe
| MD5 | 9b788d88074071a373372ff5c4fd8285 |
| SHA1 | 35b88b7248ca9dcdf8c23bc60ce8c816562b6219 |
| SHA256 | 1c511c565eae19d9a8244345375baae20b530e088b6dcc0e8bdb875d7c37e131 |
| SHA512 | 30393f29820a1954626a41540f15950a3fce4526ed758486bb949cfe4ee8cbef2a634f8e37f4973a3c6c8a45c429c03ada6511593b84dd4c988f8e0102fbfcd0 |
C:\VidVB\optixec.exe
| MD5 | f454d81522ed7109ede29f80b0be07dd |
| SHA1 | ffc6a0844a6f2028191300bdba3979c560b76f99 |
| SHA256 | a45c9ff8cc901b1702f139060c27d0c16d87861fe226b4182c816940f6ffc473 |
| SHA512 | 70ddb58be6167e7370c3fe74ec422aa52e045756307959b826bacfb977820e85dbca354c04aebf39d41329c036c750e232ebdcef4bb1ea15a09d58e48780743f |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | bbe8583f9e8773d0c675439989bdb09a |
| SHA1 | e0269974096fe7555d89b6b359217730b6b1b90d |
| SHA256 | bd8808b03f476f52ac53338c11ce9d75f92a5d829e20dc5bcc7783cc01865807 |
| SHA512 | 31e0cd58dad137136a4843a85151efee8f34cde8c282e1606194cac807e2945c7c5edcae3241ff28e37b98020c492216cfef3b19748c868209a68c7b2f48ed19 |
C:\VidVB\optixec.exe
| MD5 | cdaa677df0a72ca1249b443945efb7ea |
| SHA1 | 8394e1140fe426e2c3c2c0d8434ba1262d5177e3 |
| SHA256 | b16a5b08e31dc92faa667ba8f280a734ab16ba01da682c3eef5469414f1880cb |
| SHA512 | d0fe457dc200f5f7bee1cfbb80d6a1d2e7b58a1a9956a6a4f2d84fc065fd661d5fe54bb2d628e498dd9f7536f479d058c784dfd3f7add299d3570f4d57dc68de |