Analysis Overview
SHA256
3999fcbdcc7ee7e48b71cd7af6bdab2108f7ce4df4c43604ea7c2927ed28e093
Threat Level: Shows suspicious behavior
The file 3999fcbdcc7ee7e48b71cd7af6bdab2108f7ce4df4c43604ea7c2927ed28e093.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 19:29
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 19:29
Reported
2024-11-13 19:31
Platform
win7-20240903-en
Max time kernel
120s
Max time network
17s
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | C:\Users\Admin\AppData\Local\Temp\3999fcbdcc7ee7e48b71cd7af6bdab2108f7ce4df4c43604ea7c2927ed28e093.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| N/A | N/A | C:\SysDrvL2\adobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3999fcbdcc7ee7e48b71cd7af6bdab2108f7ce4df4c43604ea7c2927ed28e093.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3999fcbdcc7ee7e48b71cd7af6bdab2108f7ce4df4c43604ea7c2927ed28e093.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvL2\\adobec.exe" | C:\Users\Admin\AppData\Local\Temp\3999fcbdcc7ee7e48b71cd7af6bdab2108f7ce4df4c43604ea7c2927ed28e093.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintTE\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\3999fcbdcc7ee7e48b71cd7af6bdab2108f7ce4df4c43604ea7c2927ed28e093.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvL2\adobec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3999fcbdcc7ee7e48b71cd7af6bdab2108f7ce4df4c43604ea7c2927ed28e093.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\3999fcbdcc7ee7e48b71cd7af6bdab2108f7ce4df4c43604ea7c2927ed28e093.exe | "C:\Users\Admin\AppData\Local\Temp\3999fcbdcc7ee7e48b71cd7af6bdab2108f7ce4df4c43604ea7c2927ed28e093.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe" |
| C:\SysDrvL2\adobec.exe | C:\SysDrvL2\adobec.exe |
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\SysDrvL2\adobec.exe
C:\MintTE\dobdevloc.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 19:29
Reported
2024-11-13 19:31
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
94s
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | C:\Users\Admin\AppData\Local\Temp\3999fcbdcc7ee7e48b71cd7af6bdab2108f7ce4df4c43604ea7c2927ed28e093.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| N/A | N/A | C:\SysDrvH0\adobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvH0\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\3999fcbdcc7ee7e48b71cd7af6bdab2108f7ce4df4c43604ea7c2927ed28e093.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxW2\\optixec.exe" | C:\Users\Admin\AppData\Local\Temp\3999fcbdcc7ee7e48b71cd7af6bdab2108f7ce4df4c43604ea7c2927ed28e093.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3999fcbdcc7ee7e48b71cd7af6bdab2108f7ce4df4c43604ea7c2927ed28e093.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvH0\adobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\3999fcbdcc7ee7e48b71cd7af6bdab2108f7ce4df4c43604ea7c2927ed28e093.exe | "C:\Users\Admin\AppData\Local\Temp\3999fcbdcc7ee7e48b71cd7af6bdab2108f7ce4df4c43604ea7c2927ed28e093.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe" |
| C:\SysDrvH0\adobsys.exe | C:\SysDrvH0\adobsys.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevdob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\SysDrvH0\adobsys.exe
C:\GalaxW2\optixec.exe