Analysis Overview
SHA256
9abd505a4659143a9b56420296a4d5a2a085fb351f3c1f1f9c2e008669bb9bbb
Threat Level: Shows suspicious behavior
The file 9abd505a4659143a9b56420296a4d5a2a085fb351f3c1f1f9c2e008669bb9bbbN.exe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 19:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 19:05
Reported
2024-11-13 19:07
Platform
win7-20240903-en
Max time kernel
120s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | C:\Users\Admin\AppData\Local\Temp\9abd505a4659143a9b56420296a4d5a2a085fb351f3c1f1f9c2e008669bb9bbbN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| N/A | N/A | C:\UserDotRM\devbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9abd505a4659143a9b56420296a4d5a2a085fb351f3c1f1f9c2e008669bb9bbbN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9abd505a4659143a9b56420296a4d5a2a085fb351f3c1f1f9c2e008669bb9bbbN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotRM\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\9abd505a4659143a9b56420296a4d5a2a085fb351f3c1f1f9c2e008669bb9bbbN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZMS\\optidevec.exe" | C:\Users\Admin\AppData\Local\Temp\9abd505a4659143a9b56420296a4d5a2a085fb351f3c1f1f9c2e008669bb9bbbN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9abd505a4659143a9b56420296a4d5a2a085fb351f3c1f1f9c2e008669bb9bbbN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotRM\devbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9abd505a4659143a9b56420296a4d5a2a085fb351f3c1f1f9c2e008669bb9bbbN.exe
"C:\Users\Admin\AppData\Local\Temp\9abd505a4659143a9b56420296a4d5a2a085fb351f3c1f1f9c2e008669bb9bbbN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
C:\UserDotRM\devbodloc.exe
C:\UserDotRM\devbodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\UserDotRM\devbodloc.exe
C:\LabZMS\optidevec.exe
C:\UserDotRM\devbodloc.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\LabZMS\optidevec.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 19:05
Reported
2024-11-13 19:07
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | C:\Users\Admin\AppData\Local\Temp\9abd505a4659143a9b56420296a4d5a2a085fb351f3c1f1f9c2e008669bb9bbbN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| N/A | N/A | C:\AdobeWO\adobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeWO\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\9abd505a4659143a9b56420296a4d5a2a085fb351f3c1f1f9c2e008669bb9bbbN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidDZ\\optixloc.exe" | C:\Users\Admin\AppData\Local\Temp\9abd505a4659143a9b56420296a4d5a2a085fb351f3c1f1f9c2e008669bb9bbbN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9abd505a4659143a9b56420296a4d5a2a085fb351f3c1f1f9c2e008669bb9bbbN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeWO\adobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9abd505a4659143a9b56420296a4d5a2a085fb351f3c1f1f9c2e008669bb9bbbN.exe
"C:\Users\Admin\AppData\Local\Temp\9abd505a4659143a9b56420296a4d5a2a085fb351f3c1f1f9c2e008669bb9bbbN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
C:\AdobeWO\adobsys.exe
C:\AdobeWO\adobsys.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\AdobeWO\adobsys.exe
C:\VidDZ\optixloc.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\VidDZ\optixloc.exe