Analysis Overview
SHA256
a8e773f3c44788a74314e3b8668d1150a2d69d79e8fe40ef911827204492fc41
Threat Level: Shows suspicious behavior
The file 3d041ed6a12705e2b7587bbe5919dab769d4ca3db2e2fecbaa08a3ac516bd52aN.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 14:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 14:40
Reported
2024-11-13 14:42
Platform
win7-20240903-en
Max time kernel
120s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | C:\Users\Admin\AppData\Local\Temp\3d041ed6a12705e2b7587bbe5919dab769d4ca3db2e2fecbaa08a3ac516bd52aN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| N/A | N/A | C:\AdobePX\devdobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3d041ed6a12705e2b7587bbe5919dab769d4ca3db2e2fecbaa08a3ac516bd52aN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3d041ed6a12705e2b7587bbe5919dab769d4ca3db2e2fecbaa08a3ac516bd52aN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobePX\\devdobec.exe" | C:\Users\Admin\AppData\Local\Temp\3d041ed6a12705e2b7587bbe5919dab769d4ca3db2e2fecbaa08a3ac516bd52aN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxKJ\\bodxec.exe" | C:\Users\Admin\AppData\Local\Temp\3d041ed6a12705e2b7587bbe5919dab769d4ca3db2e2fecbaa08a3ac516bd52aN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3d041ed6a12705e2b7587bbe5919dab769d4ca3db2e2fecbaa08a3ac516bd52aN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobePX\devdobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3d041ed6a12705e2b7587bbe5919dab769d4ca3db2e2fecbaa08a3ac516bd52aN.exe
"C:\Users\Admin\AppData\Local\Temp\3d041ed6a12705e2b7587bbe5919dab769d4ca3db2e2fecbaa08a3ac516bd52aN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
C:\AdobePX\devdobec.exe
C:\AdobePX\devdobec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\AdobePX\devdobec.exe
C:\GalaxKJ\bodxec.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\GalaxKJ\bodxec.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 14:40
Reported
2024-11-13 14:42
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
99s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\3d041ed6a12705e2b7587bbe5919dab769d4ca3db2e2fecbaa08a3ac516bd52aN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\FilesAG\xdobec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesAG\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\3d041ed6a12705e2b7587bbe5919dab769d4ca3db2e2fecbaa08a3ac516bd52aN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintTT\\optixsys.exe" | C:\Users\Admin\AppData\Local\Temp\3d041ed6a12705e2b7587bbe5919dab769d4ca3db2e2fecbaa08a3ac516bd52aN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3d041ed6a12705e2b7587bbe5919dab769d4ca3db2e2fecbaa08a3ac516bd52aN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesAG\xdobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3d041ed6a12705e2b7587bbe5919dab769d4ca3db2e2fecbaa08a3ac516bd52aN.exe
"C:\Users\Admin\AppData\Local\Temp\3d041ed6a12705e2b7587bbe5919dab769d4ca3db2e2fecbaa08a3ac516bd52aN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe"
C:\FilesAG\xdobec.exe
C:\FilesAG\xdobec.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\FilesAG\xdobec.exe
C:\MintTT\optixsys.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\MintTT\optixsys.exe