Analysis Overview
SHA256
6a99ced0574ce15b8059d34b36ca1f9b9597ced4d6feb783ee93ad367b58896a
Threat Level: Shows suspicious behavior
The file 6a99ced0574ce15b8059d34b36ca1f9b9597ced4d6feb783ee93ad367b58896aN.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 19:15
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 19:15
Reported
2024-11-13 19:17
Platform
win7-20240729-en
Max time kernel
119s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | C:\Users\Admin\AppData\Local\Temp\6a99ced0574ce15b8059d34b36ca1f9b9597ced4d6feb783ee93ad367b58896aN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| N/A | N/A | C:\UserDotE4\devbodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a99ced0574ce15b8059d34b36ca1f9b9597ced4d6feb783ee93ad367b58896aN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6a99ced0574ce15b8059d34b36ca1f9b9597ced4d6feb783ee93ad367b58896aN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotE4\\devbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\6a99ced0574ce15b8059d34b36ca1f9b9597ced4d6feb783ee93ad367b58896aN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ4Q\\dobxec.exe" | C:\Users\Admin\AppData\Local\Temp\6a99ced0574ce15b8059d34b36ca1f9b9597ced4d6feb783ee93ad367b58896aN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6a99ced0574ce15b8059d34b36ca1f9b9597ced4d6feb783ee93ad367b58896aN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotE4\devbodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6a99ced0574ce15b8059d34b36ca1f9b9597ced4d6feb783ee93ad367b58896aN.exe
"C:\Users\Admin\AppData\Local\Temp\6a99ced0574ce15b8059d34b36ca1f9b9597ced4d6feb783ee93ad367b58896aN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
C:\UserDotE4\devbodsys.exe
C:\UserDotE4\devbodsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
| MD5 | 23d77fe83aa63256b8076b4a6d3e888a |
| SHA1 | 49aa5f44812c36138406747617e57fa2ba9460e2 |
| SHA256 | 90049b2950213b47dc752cdcee2f5fa8f6387a7f8458ddad80c7b38e8fe034a8 |
| SHA512 | 46ae8db51ae77e3c9c28a2291e58b7e74543d0d767189851982a6bdee77d8eabfaa42a2deaa72c4fb8a598242731e64ab0a8faf2ecebb81fb652e80b06c2a783 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | a0610c6989ae003c5678b5f8cc91a6b9 |
| SHA1 | 873d9b0bd31b4e765b5039b3a6613db190af9f80 |
| SHA256 | 38ff620e3be4ee47de37528135c7b2a2fdc3cc2defb8bee6a3944131435745be |
| SHA512 | d53c5dfb4ff7c133f7db3ff2e7fd8028b0940f417f47066632199031c431ff03a1fcfeb7a6ba7d8e2e8e2992e188ebaa6b4fd2971990c2125a3ed9ff346bd542 |
C:\UserDotE4\devbodsys.exe
| MD5 | 98b84b47d41552610d8c1430c994a501 |
| SHA1 | 3b1c14308951d5d6d7ac3d4d4bbc073a8fb1a135 |
| SHA256 | 439124524443077d0316c160bff29961e7f5b4078204ad0e1e5f3607d54f7a86 |
| SHA512 | 722c67f7619d4bf06e0c500122ba1bbc8f1124d1494c99cb4a61efa935d41ee8d96b8a048cdd6dd7520efe8c20b8515c2b781396a45117d69b088f6473f22ae3 |
C:\LabZ4Q\dobxec.exe
| MD5 | 2122b6d9a252958b8cef9d004c2ea2ff |
| SHA1 | f5b5ff89cfb83e115681c6fd177822d0ec9f5e1c |
| SHA256 | e1ec202085f0d6125fc136ed100806247dc1739cbfd41b223d1c949b785a31cd |
| SHA512 | 249f6e1e6590f3731ef49d4af710b76ac29b74371deb1f507bd8e86308726229dbc17a3009eb1ce4a4beaa8f151244b47eaade4c0a0142cb9fe9d0983677710a |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 79909e2c34314e4617268850de4549c2 |
| SHA1 | 5ebb6bfe7ea4a339f1d3f856132ecd03afbfb674 |
| SHA256 | 76b9e6a9c787916307c5f85b1ea6f2f10ce7400418c5257442b0ec2b1a364c07 |
| SHA512 | 380b50cc6222a15798b1299f08ba72e8cbe6b1241c3bcacf4e17c03291380a1ca7a4d50893ab1f057f5362c9324c3052ece10016127011d43b7ff585b82a1dab |
C:\LabZ4Q\dobxec.exe
| MD5 | 0dc16b3da36d946a744dfccffc702518 |
| SHA1 | ca5eff12fe05e6ba55ad08672247153dfa1eeb0b |
| SHA256 | 07245e1aca2cf7e79eae377f5ded86fc4019256c52ac6cc8246a8f203be19272 |
| SHA512 | 7df51044ce324789b34942ea70a4e5b66e685e1e74caacacd84c5ee563484d1fa37a1dcd35230b7aae4241beffb86dc930a8eb6e09930f371f0d8b36f1b67a96 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 19:15
Reported
2024-11-13 19:17
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
94s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | C:\Users\Admin\AppData\Local\Temp\6a99ced0574ce15b8059d34b36ca1f9b9597ced4d6feb783ee93ad367b58896aN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| N/A | N/A | C:\SysDrv00\xoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv00\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\6a99ced0574ce15b8059d34b36ca1f9b9597ced4d6feb783ee93ad367b58896aN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintT1\\bodxloc.exe" | C:\Users\Admin\AppData\Local\Temp\6a99ced0574ce15b8059d34b36ca1f9b9597ced4d6feb783ee93ad367b58896aN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrv00\xoptiec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6a99ced0574ce15b8059d34b36ca1f9b9597ced4d6feb783ee93ad367b58896aN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6a99ced0574ce15b8059d34b36ca1f9b9597ced4d6feb783ee93ad367b58896aN.exe
"C:\Users\Admin\AppData\Local\Temp\6a99ced0574ce15b8059d34b36ca1f9b9597ced4d6feb783ee93ad367b58896aN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
C:\SysDrv00\xoptiec.exe
C:\SysDrv00\xoptiec.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
| MD5 | 789f10d02e84ac96edc31dc3331bf36c |
| SHA1 | 6a3c261cf47d385c49d2749a1c877612ff52360b |
| SHA256 | bf1546ac4867495c955d7e659c01fa4ac2995d3da0bbc7930ebfaef3cb3c45ce |
| SHA512 | dfc3d9722882451a736b5aa3d46fd11ac11ad654400b1370c13aeac7df72b96698c99871d658431f50e0c8fdcc16e79a2953b548d34770bec68a45d5d6af5f62 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | cfe262e905918b197fecda1a1a0bde8c |
| SHA1 | 87a2aae98e839911f138cb6ee09afb99bea0417d |
| SHA256 | 7f11e91cb66c6b25d555cb2ed5676b7fe1fd4121518bf37b23f801a28baa01ff |
| SHA512 | da5aa6cefc8453470e7d5f5ab4a87aa121baca32904ad6d376729de912aabdebe6edcb15132346fd80d2c3ea3c6cab473a6f01936bb77d120dc8f05916d607c6 |
C:\SysDrv00\xoptiec.exe
| MD5 | c8190a91500bb1d9caa61e3b11eaf128 |
| SHA1 | ab7eb6ce00d2fb8ec932dee7fe6f72551ada8684 |
| SHA256 | 6396e1bd18ed0ea864d8f56b7885ef5813fe836854b68c3ebafb7d49b8580b1e |
| SHA512 | bc143ae225ca8cceb9e90f7dc6f36a8608eafed2d7e67396657444f3a004832c0c51921fe8c0487de4ca21430686dbc62c6a304de00cbbfb8c0e8dc538f5492b |
C:\SysDrv00\xoptiec.exe
| MD5 | 7ba443adcda5fcd4849b202d668b8438 |
| SHA1 | b56ab43879a035a1aab7a98885ff4323b0a0b89c |
| SHA256 | d8054b59fd8ac7c084812323090eac524363755ca981689eca5a5404a6250824 |
| SHA512 | 682ac9b55f723a114df19ffaf56997eae0804672876203cbbb879e67a3dfd3d2fb887dd90b61622b0f9e574a21a17a9e63cc767584f11def349145277f6001ac |
C:\MintT1\bodxloc.exe
| MD5 | 3729f3873d07e96e53d21528038a27c3 |
| SHA1 | 3df5495d9824814644b8adc062a1550b66078ba4 |
| SHA256 | 6f61b709fbfff1666372701bd517679c36d6eaa886c9a4f99df5729341d8302e |
| SHA512 | 2c8e52ebe2681ebb9cb2695c6f2e0d12896470b3494e8106f7a9b9b6cc5a21ee2e51c424e68dc7b2dbd2924f4fa332f6329590cf628158a35e061a0bc419b731 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | dae381593b55e76e4142be306b410391 |
| SHA1 | 4f6cc42d9dea2edb7dc816c8c9bd9a361f838fc6 |
| SHA256 | 317950db3b5147bedfa8a83df8357490c81df4a5c46a0cf7d23d88055bf43bd4 |
| SHA512 | 1cee3a824f48f0bd3c313534188476671d28c49b50a8e84fe40dbc9b1c0eb061f124eae7dd0cf1ede1c4c66d68222c6e63dc3613f5ed2383393d664c2117a88f |
C:\MintT1\bodxloc.exe
| MD5 | 62b4a7a188090d7812f324c9cc2274da |
| SHA1 | 5b4b7c3f9f72e129ff0bfc7da1b485379babb2eb |
| SHA256 | 1ec1520497006282d991bb48db7088f805bc58ccf589c4b46640c7ce025b73a1 |
| SHA512 | 985b994d0bb1c791215a9181cc92b293bf0b4a6f9a820f441d5363cc24a91102efd98d412f1d1393ebb2b796313ea60009158fc1cb9a3ca52f6c055ea8fb82f5 |