Analysis Overview
SHA256: 618977b9997ca8683b1b33465114a7fe5add4df697fbb8508d895f958d98a69d
Threat Level: Shows suspicious behavior
The file 618977b9997ca8683b1b33465114a7fe5add4df697fbb8508d895f958d98a69d.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-13 19:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-13 19:13
Reported: 2024-11-13 19:15
Platform: win7-20240729-en
Max time kernel: 120s
Max time network: 119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | C:\Users\Admin\AppData\Local\Temp\618977b9997ca8683b1b33465114a7fe5add4df697fbb8508d895f958d98a69d.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| N/A | N/A | C:\SysDrvO3\devdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\618977b9997ca8683b1b33465114a7fe5add4df697fbb8508d895f958d98a69d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\618977b9997ca8683b1b33465114a7fe5add4df697fbb8508d895f958d98a69d.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvO3\\devdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\618977b9997ca8683b1b33465114a7fe5add4df697fbb8508d895f958d98a69d.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZIE\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\618977b9997ca8683b1b33465114a7fe5add4df697fbb8508d895f958d98a69d.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\618977b9997ca8683b1b33465114a7fe5add4df697fbb8508d895f958d98a69d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvO3\devdobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\618977b9997ca8683b1b33465114a7fe5add4df697fbb8508d895f958d98a69d.exe
"C:\Users\Admin\AppData\Local\Temp\618977b9997ca8683b1b33465114a7fe5add4df697fbb8508d895f958d98a69d.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
C:\SysDrvO3\devdobsys.exe
C:\SysDrvO3\devdobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
C:\Users\Admin\253086396416_6.1_Admin.ini (written twice with differing content)
C:\SysDrvO3\devdobsys.exe
C:\LabZIE\optidevsys.exe (written twice with differing content)
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-13 19:13
Reported: 2024-11-13 19:15
Platform: win10v2004-20241007-en
Max time kernel: 120s
Max time network: 94s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | C:\Users\Admin\AppData\Local\Temp\618977b9997ca8683b1b33465114a7fe5add4df697fbb8508d895f958d98a69d.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| N/A | N/A | C:\Files41\abodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files41\\abodsys.exe" | C:\Users\Admin\AppData\Local\Temp\618977b9997ca8683b1b33465114a7fe5add4df697fbb8508d895f958d98a69d.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZPN\\bodxec.exe" | C:\Users\Admin\AppData\Local\Temp\618977b9997ca8683b1b33465114a7fe5add4df697fbb8508d895f958d98a69d.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\618977b9997ca8683b1b33465114a7fe5add4df697fbb8508d895f958d98a69d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Files41\abodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\618977b9997ca8683b1b33465114a7fe5add4df697fbb8508d895f958d98a69d.exe
"C:\Users\Admin\AppData\Local\Temp\618977b9997ca8683b1b33465114a7fe5add4df697fbb8508d895f958d98a69d.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
C:\Files41\abodsys.exe
C:\Files41\abodsys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
C:\Users\Admin\253086396416_10.0_Admin.ini (written twice with differing content)
C:\Files41\abodsys.exe (written twice with differing content)
C:\LabZPN\bodxec.exe (written twice with differing content)