Analysis Overview
SHA256: e3ed947b87412cfe5d9611d29e21f40b37f82d9e02d37e7131caed72eb3e9b5e
Threat Level: Shows suspicious behavior
The file e3ed947b87412cfe5d9611d29e21f40b37f82d9e02d37e7131caed72eb3e9b5eN.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Drops startup file
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-13 15:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-13 15:58
Reported: 2024-11-13 16:00
Platform: win7-20240903-en
Max time kernel: 119s
Max time network: 123s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | C:\Users\Admin\AppData\Local\Temp\e3ed947b87412cfe5d9611d29e21f40b37f82d9e02d37e7131caed72eb3e9b5eN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| N/A | N/A | C:\SysDrvM1\adobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e3ed947b87412cfe5d9611d29e21f40b37f82d9e02d37e7131caed72eb3e9b5eN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e3ed947b87412cfe5d9611d29e21f40b37f82d9e02d37e7131caed72eb3e9b5eN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvM1\\adobec.exe" | C:\Users\Admin\AppData\Local\Temp\e3ed947b87412cfe5d9611d29e21f40b37f82d9e02d37e7131caed72eb3e9b5eN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxZ2\\boddevec.exe" | C:\Users\Admin\AppData\Local\Temp\e3ed947b87412cfe5d9611d29e21f40b37f82d9e02d37e7131caed72eb3e9b5eN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e3ed947b87412cfe5d9611d29e21f40b37f82d9e02d37e7131caed72eb3e9b5eN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvM1\adobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e3ed947b87412cfe5d9611d29e21f40b37f82d9e02d37e7131caed72eb3e9b5eN.exe
"C:\Users\Admin\AppData\Local\Temp\e3ed947b87412cfe5d9611d29e21f40b37f82d9e02d37e7131caed72eb3e9b5eN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
C:\SysDrvM1\adobec.exe
C:\SysDrvM1\adobec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\SysDrvM1\adobec.exe
C:\GalaxZ2\boddevec.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\GalaxZ2\boddevec.exe
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-13 15:58
Reported: 2024-11-13 16:00
Platform: win10v2004-20241007-en
Max time kernel: 120s
Max time network: 95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | C:\Users\Admin\AppData\Local\Temp\e3ed947b87412cfe5d9611d29e21f40b37f82d9e02d37e7131caed72eb3e9b5eN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| N/A | N/A | C:\Adobe9Y\devdobec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe9Y\\devdobec.exe" | C:\Users\Admin\AppData\Local\Temp\e3ed947b87412cfe5d9611d29e21f40b37f82d9e02d37e7131caed72eb3e9b5eN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint3D\\dobxec.exe" | C:\Users\Admin\AppData\Local\Temp\e3ed947b87412cfe5d9611d29e21f40b37f82d9e02d37e7131caed72eb3e9b5eN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e3ed947b87412cfe5d9611d29e21f40b37f82d9e02d37e7131caed72eb3e9b5eN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Adobe9Y\devdobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e3ed947b87412cfe5d9611d29e21f40b37f82d9e02d37e7131caed72eb3e9b5eN.exe
"C:\Users\Admin\AppData\Local\Temp\e3ed947b87412cfe5d9611d29e21f40b37f82d9e02d37e7131caed72eb3e9b5eN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe"
C:\Adobe9Y\devdobec.exe
C:\Adobe9Y\devdobec.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\Adobe9Y\devdobec.exe
C:\Mint3D\dobxec.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\Mint3D\dobxec.exe