Analysis Overview
SHA256
be6fec8c880474b1480bedbb94df888ba41d286131a09939fd0bfeb635866f85
Threat Level: Shows suspicious behavior
The file be6fec8c880474b1480bedbb94df888ba41d286131a09939fd0bfeb635866f85.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Loads dropped DLL
Drops startup file
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 15:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 15:58
Reported
2024-11-13 16:00
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
98s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | C:\Users\Admin\AppData\Local\Temp\be6fec8c880474b1480bedbb94df888ba41d286131a09939fd0bfeb635866f85.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| N/A | N/A | C:\Adobe7G\devdobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe7G\\devdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\be6fec8c880474b1480bedbb94df888ba41d286131a09939fd0bfeb635866f85.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZVH\\dobxec.exe" | C:\Users\Admin\AppData\Local\Temp\be6fec8c880474b1480bedbb94df888ba41d286131a09939fd0bfeb635866f85.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\be6fec8c880474b1480bedbb94df888ba41d286131a09939fd0bfeb635866f85.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Adobe7G\devdobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\be6fec8c880474b1480bedbb94df888ba41d286131a09939fd0bfeb635866f85.exe
"C:\Users\Admin\AppData\Local\Temp\be6fec8c880474b1480bedbb94df888ba41d286131a09939fd0bfeb635866f85.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
C:\Adobe7G\devdobsys.exe
C:\Adobe7G\devdobsys.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
C:\Adobe7G\devdobsys.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\LabZVH\dobxec.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\LabZVH\dobxec.exe
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 15:58
Reported
2024-11-13 16:00
Platform
win7-20240708-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | C:\Users\Admin\AppData\Local\Temp\be6fec8c880474b1480bedbb94df888ba41d286131a09939fd0bfeb635866f85.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| N/A | N/A | C:\SysDrvQP\devoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\be6fec8c880474b1480bedbb94df888ba41d286131a09939fd0bfeb635866f85.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\be6fec8c880474b1480bedbb94df888ba41d286131a09939fd0bfeb635866f85.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvQP\\devoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\be6fec8c880474b1480bedbb94df888ba41d286131a09939fd0bfeb635866f85.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid9C\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\be6fec8c880474b1480bedbb94df888ba41d286131a09939fd0bfeb635866f85.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\be6fec8c880474b1480bedbb94df888ba41d286131a09939fd0bfeb635866f85.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvQP\devoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\be6fec8c880474b1480bedbb94df888ba41d286131a09939fd0bfeb635866f85.exe
"C:\Users\Admin\AppData\Local\Temp\be6fec8c880474b1480bedbb94df888ba41d286131a09939fd0bfeb635866f85.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
C:\SysDrvQP\devoptiec.exe
C:\SysDrvQP\devoptiec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
C:\SysDrvQP\devoptiec.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\Vid9C\bodaec.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\Vid9C\bodaec.exe