Analysis Overview
SHA256
bacc0a124b0e82dcf472825b2a7d56ce853c627f23706cfe0696b6100f907914
Threat Level: Shows suspicious behavior
The file bacc0a124b0e82dcf472825b2a7d56ce853c627f23706cfe0696b6100f907914.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 14:37
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 14:37
Reported
2024-11-13 14:39
Platform
win7-20240903-en
Max time kernel
120s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | C:\Users\Admin\AppData\Local\Temp\bacc0a124b0e82dcf472825b2a7d56ce853c627f23706cfe0696b6100f907914.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| N/A | N/A | C:\SysDrvGM\xdobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bacc0a124b0e82dcf472825b2a7d56ce853c627f23706cfe0696b6100f907914.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bacc0a124b0e82dcf472825b2a7d56ce853c627f23706cfe0696b6100f907914.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintG9\\optialoc.exe" | C:\Users\Admin\AppData\Local\Temp\bacc0a124b0e82dcf472825b2a7d56ce853c627f23706cfe0696b6100f907914.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvGM\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\bacc0a124b0e82dcf472825b2a7d56ce853c627f23706cfe0696b6100f907914.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bacc0a124b0e82dcf472825b2a7d56ce853c627f23706cfe0696b6100f907914.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvGM\xdobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bacc0a124b0e82dcf472825b2a7d56ce853c627f23706cfe0696b6100f907914.exe
"C:\Users\Admin\AppData\Local\Temp\bacc0a124b0e82dcf472825b2a7d56ce853c627f23706cfe0696b6100f907914.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
C:\SysDrvGM\xdobec.exe
C:\SysDrvGM\xdobec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\SysDrvGM\xdobec.exe
C:\MintG9\optialoc.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 14:37
Reported
2024-11-13 14:39
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | C:\Users\Admin\AppData\Local\Temp\bacc0a124b0e82dcf472825b2a7d56ce853c627f23706cfe0696b6100f907914.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| N/A | N/A | C:\AdobeLC\xdobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeLC\\xdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\bacc0a124b0e82dcf472825b2a7d56ce853c627f23706cfe0696b6100f907914.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintGP\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\bacc0a124b0e82dcf472825b2a7d56ce853c627f23706cfe0696b6100f907914.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bacc0a124b0e82dcf472825b2a7d56ce853c627f23706cfe0696b6100f907914.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeLC\xdobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bacc0a124b0e82dcf472825b2a7d56ce853c627f23706cfe0696b6100f907914.exe
"C:\Users\Admin\AppData\Local\Temp\bacc0a124b0e82dcf472825b2a7d56ce853c627f23706cfe0696b6100f907914.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
C:\AdobeLC\xdobloc.exe
C:\AdobeLC\xdobloc.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
C:\AdobeLC\xdobloc.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\MintGP\optidevsys.exe