Analysis Overview
SHA256
040abb5382b7069585b2753376f8f099ac4f54f49fc081bd34f19360bec98fa7
Threat Level: Shows suspicious behavior
The file 040abb5382b7069585b2753376f8f099ac4f54f49fc081bd34f19360bec98fa7.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 15:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 15:40
Reported
2024-11-13 15:42
Platform
win7-20240903-en
Max time kernel
120s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | C:\Users\Admin\AppData\Local\Temp\040abb5382b7069585b2753376f8f099ac4f54f49fc081bd34f19360bec98fa7.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| N/A | N/A | C:\Intelproc0X\devbodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\040abb5382b7069585b2753376f8f099ac4f54f49fc081bd34f19360bec98fa7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\040abb5382b7069585b2753376f8f099ac4f54f49fc081bd34f19360bec98fa7.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc0X\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\040abb5382b7069585b2753376f8f099ac4f54f49fc081bd34f19360bec98fa7.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax7W\\dobxsys.exe" | C:\Users\Admin\AppData\Local\Temp\040abb5382b7069585b2753376f8f099ac4f54f49fc081bd34f19360bec98fa7.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\040abb5382b7069585b2753376f8f099ac4f54f49fc081bd34f19360bec98fa7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Intelproc0X\devbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\040abb5382b7069585b2753376f8f099ac4f54f49fc081bd34f19360bec98fa7.exe
"C:\Users\Admin\AppData\Local\Temp\040abb5382b7069585b2753376f8f099ac4f54f49fc081bd34f19360bec98fa7.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
C:\Intelproc0X\devbodec.exe
C:\Intelproc0X\devbodec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
| MD5 | 866ad7ff9240ea758177b8f0517d5c91 |
| SHA1 | 35d4bba9da81c867fdec7d9237bf0d34749a5814 |
| SHA256 | 61610503d88f42e7cc7b0c5e9f7a7d14a78f44b6ef6b02e2d768346874e9992f |
| SHA512 | 1faab75b41adb84a1a5d1a2510d1be25f71d837eeb0982a4ac544aa0d60578b3bf7cc2649b5c8cc67f94f1f4961d086fd40a7012f4b1bd19fd707a854a415cec |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 417b9cc201e2bc3640f50531dab705dc |
| SHA1 | 29e5eab7b746de5ff813fab6f2bc2c5e056e44d5 |
| SHA256 | 3f18c64e1ba83af59caed41c02df11a4197ca3d7c2c5ab48b17ccbb7644865dc |
| SHA512 | 309e87a7ecb76d96335fc8afc9072874bc79af2c5b62d1a15fdcafda44c0ddd3d5503c4288bf2d2b0176ec299bffd41736bf022d3895baef03da7089cffa7505 |
C:\Intelproc0X\devbodec.exe
| MD5 | db3ce03c7a621986cc739ede245a9da8 |
| SHA1 | 4f5580684c49090b8669bac96d9bcbd62d209a7a |
| SHA256 | 0d1a4b001350181bc672bd085806964751df61c1272bb4570f09e627179488b0 |
| SHA512 | 0abe1b13426e06f8a776d29b5a3110a0fce532f50efac471eebd7dfe5ce5310e1b19867204ccaacb45b4a4c47af36cfb883d6005ae90121e1e33c6ea701f072f |
C:\Galax7W\dobxsys.exe
| MD5 | f451be9892a0f94c7a3268c3dad40d70 |
| SHA1 | 45d1eb4d2a0e168f2cad7d633f4d888b130b8faf |
| SHA256 | 87cbbf4c17af8907963ba15bd12ef7cd3f5c3866d544d261da752c07837b2cef |
| SHA512 | aefa27d883b9055db477f35a35afd895973c60193c52789ffcbb3f98e9b095d283969a922b29c029195db4d6b13b9ab4c20f4dd908a299646a1ad6a530ea11b2 |
C:\Intelproc0X\devbodec.exe
| MD5 | aa9af2be8d7c8ed1175731d520d879d0 |
| SHA1 | cc9e19d1fc337b78348f70de4650d3ea6edd0657 |
| SHA256 | ff20f6f63df9f3b3224eafd27f4eb1282220768a572a4478ff320413131dd1e4 |
| SHA512 | 940bca4aea65851b8ca0628ad1f4e2b67b727a8847e611cafe052c9b3f186947c2e1bd63f81cf23902d27fcac813b0a4c81e7ad295dcfa48c7e1887113ef31db |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 46c0989a141118fb95e7bb07262daf39 |
| SHA1 | 11f67969525647b1ddaf859b8fce55bd4596e41a |
| SHA256 | d49ca7d641f62552754c3a7b809637b0a76915753ff507d65be84c40afb8da19 |
| SHA512 | 2132f3d7d458f2d168f734e8aa83beac0d63458b271fe490ad60eb03d9bec12acdd3425403b9c0badfa10c588922cb3392aecb12186fa64606bfa5ce01ac92ca |
C:\Galax7W\dobxsys.exe
| MD5 | 42a7ed4582129bf6e88ba16101d8f152 |
| SHA1 | 241d5037285eee51cdc6c0086f67c00fc42bc9c1 |
| SHA256 | 5b9987ab89bd51fb3c5c563a2dcab933091ab4421557e189450ec8bbc466163f |
| SHA512 | fcebc59e7d3f7ac594647a0b72d3b91447ffecfafe040aa73aded673610cdde844a6e26c709bb815b0f5470d6b4b2377e961895b1e207e6c81ef7aa08e79fc78 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 15:40
Reported
2024-11-13 15:42
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | C:\Users\Admin\AppData\Local\Temp\040abb5382b7069585b2753376f8f099ac4f54f49fc081bd34f19360bec98fa7.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| N/A | N/A | C:\AdobeE0\devbodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZFM\\optiasys.exe" | C:\Users\Admin\AppData\Local\Temp\040abb5382b7069585b2753376f8f099ac4f54f49fc081bd34f19360bec98fa7.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeE0\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\040abb5382b7069585b2753376f8f099ac4f54f49fc081bd34f19360bec98fa7.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\040abb5382b7069585b2753376f8f099ac4f54f49fc081bd34f19360bec98fa7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeE0\devbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\040abb5382b7069585b2753376f8f099ac4f54f49fc081bd34f19360bec98fa7.exe
"C:\Users\Admin\AppData\Local\Temp\040abb5382b7069585b2753376f8f099ac4f54f49fc081bd34f19360bec98fa7.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
C:\AdobeE0\devbodloc.exe
C:\AdobeE0\devbodloc.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
| MD5 | 66c6e7ad05ae4a69c67f199fef6ae285 |
| SHA1 | 7fffbcea769ee72410f0e5b7dbc033f58e273ea5 |
| SHA256 | ef369ac2d7a7ca054a5085b824d5ee4a8fe34814ba92598a54c47d701654b881 |
| SHA512 | 2d550445d69dd63630210395416da58ef37619eff2f8a50b82927f18b4550e55b01763f7bd0b4606dfd329b8cf54342512d91a6539d0c422b51ce324c289f541 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | a06fe3df257c5065bedbfaea61d6534d |
| SHA1 | 62e120894782fa0b23e10c14c1e3c26eb7ca7afa |
| SHA256 | a9f102c0650cbd342d3f2c5d106e38785da1d30d435d9c70b8e80cc6c66a2d91 |
| SHA512 | 4957b9f3fc694c7851c452235d29fe0d716674a2f2ea3ed241214b7b71fc0f2ac53f33e550e6c37c3de7684ef32293cf24597338fd00624b07d887ca820f9180 |
C:\AdobeE0\devbodloc.exe
| MD5 | 6d5cfdc798d1e7dd9574af02b896acd4 |
| SHA1 | deca63375e4086984343cc27e8405b9ae5439e08 |
| SHA256 | 35e4a7b0173f2458a4e713004cd937e3e23deddbf6a6f83eff12c2874602e0ab |
| SHA512 | 22474381d9aa2cfa81ba9e2c5b9918ae37830b06391f36029711faff19b686503c941e216fd627ceadea46ed4eafafbe4336d55f88aad15beb86a3003a6302a6 |
C:\LabZFM\optiasys.exe
| MD5 | fe2bc8915771601fafe1d350be38e60a |
| SHA1 | 5c7e8cc79a940f84f9e8a282dc806e60d9dc8ca4 |
| SHA256 | a102efd70c726ed00dd0d3c5586a64e0748f2236a4de0ed3f925fc70b52bd6d9 |
| SHA512 | 5df936c2291862afb4c4729ba826ea656c2637335204f278e80c4f86358d7cdd9389d1a0bbde31105ff502fc27a2b9e08f010dd7d60d000d2fb23073a8a5575f |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | cab530b3bf0e60b9cfdd1c812b99daa1 |
| SHA1 | a774c3307270779387445634e284a35a1116441a |
| SHA256 | 45d3cc46b4ef9ebc859765980af0cd262317a0381db4827905cf4e1b0df96f69 |
| SHA512 | 326a18c4325063fd52518773eebe1575a35b8d0b936826624e37e3c4045678939836ff7848565e6309fb1c7598dbe0a21437363f1aba2fbe334c95f291ba9aec |
C:\LabZFM\optiasys.exe
| MD5 | c96ba0430736bd39b17f1d927a05c7e9 |
| SHA1 | e03ab35cb709613dd09b70ff4704227d974fc9c2 |
| SHA256 | ae90adb4513d96832d5dedc3955be9102e7505503d1dfa4d5b4cb4434138d29b |
| SHA512 | bf21e23df7c2e3df717989bba2c70e886a61b204f59d0a091859ad2be7e967e93b22917e09a3dfdfd86c340afcf5c8df96bbcaf8f8e7b01f38d39b878de67116 |