Analysis Overview
SHA256
bc2bb8a046ce0d270703c4c450a3f3b804b0bfa7f0fee9d6b39c185b676533e2
Threat Level: Shows suspicious behavior
The file bc2bb8a046ce0d270703c4c450a3f3b804b0bfa7f0fee9d6b39c185b676533e2.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 19:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 19:51
Reported
2024-11-13 19:53
Platform
win7-20240903-en
Max time kernel
120s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | C:\Users\Admin\AppData\Local\Temp\bc2bb8a046ce0d270703c4c450a3f3b804b0bfa7f0fee9d6b39c185b676533e2.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| N/A | N/A | C:\UserDotVP\adobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bc2bb8a046ce0d270703c4c450a3f3b804b0bfa7f0fee9d6b39c185b676533e2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bc2bb8a046ce0d270703c4c450a3f3b804b0bfa7f0fee9d6b39c185b676533e2.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotVP\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\bc2bb8a046ce0d270703c4c450a3f3b804b0bfa7f0fee9d6b39c185b676533e2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidZJ\\dobxec.exe" | C:\Users\Admin\AppData\Local\Temp\bc2bb8a046ce0d270703c4c450a3f3b804b0bfa7f0fee9d6b39c185b676533e2.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotVP\adobloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bc2bb8a046ce0d270703c4c450a3f3b804b0bfa7f0fee9d6b39c185b676533e2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bc2bb8a046ce0d270703c4c450a3f3b804b0bfa7f0fee9d6b39c185b676533e2.exe
"C:\Users\Admin\AppData\Local\Temp\bc2bb8a046ce0d270703c4c450a3f3b804b0bfa7f0fee9d6b39c185b676533e2.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
C:\UserDotVP\adobloc.exe
C:\UserDotVP\adobloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
| MD5 | 5caa483e082bc29ab84be295f233d41b |
| SHA1 | 4413807b6dfded29dae77e9bcff661527a59544b |
| SHA256 | 05d7275c56bd2d14607576eabbc1e6328f51c9628f65660263f23132f05c5d07 |
| SHA512 | 6abaf58b413ad5a1aeea47effa18c2e44fb74d385e2bd02f784935dd7b62162789f4b5223f32c7269887e1a4e8b67729cb7dc9da5a9d5bb8081b60d016c0ef2b |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 924c1df92c2972a703fc41a5f9dd1142 |
| SHA1 | e87c0bb9714ef5e1524fb45fbe97211cbfd52b97 |
| SHA256 | 6c5fd35e989155e26dc0211d2bfa8e02ced13e412e896ad5429a54079ab396e1 |
| SHA512 | 3a6e50d98ecca3b05de456564dc6886ce89a6e547ed3aa307a45e53ed7169418f0d736efd01853fa9f5f42c2fec7e19ee6b52c9f7c45e383d8295d922339c271 |
C:\UserDotVP\adobloc.exe
| MD5 | a9b59fd50ebaa96fe4b424fef373164c |
| SHA1 | 363f9fa726dd4efd3ccafda46ac7c80017ba33c3 |
| SHA256 | 1c11c49bb849841baa860a28d7eb783fc87316607980d963665b3b945707c2c9 |
| SHA512 | 1f1fd00be44aa7b2bf184f5dff0c87310baf36fd6c0092048d2a0ca9520c87b6f409ae0b62710f8b6b218dd2474b5256a57345fac95aa1a45134b4031912c863 |
C:\VidZJ\dobxec.exe
| MD5 | 8ad735c4b1fd47bc059253faf6a96257 |
| SHA1 | dca508a9e3c827be0bd82e6982e101ea1915e1b9 |
| SHA256 | eea5793b496d55ed232476f2596b5d7509f138802748dee1852b1957a98ce5dd |
| SHA512 | dd458c1dd6151c2c071895e1cee7a2c60665eb5b3e015d6ef1cf92edb8d8fb7ff03638900c6859d832c5d182ad5eca4407c856a34efc93e5b4df7e69b97607c4 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | f9117eee618ab2f518669fc9e9ac0b69 |
| SHA1 | e46b8ca88d18838e0c13d41f73e3efbb9440e350 |
| SHA256 | 2e5f1564c70b9bea81e670441d620319cfb53b6bc75e08ed4c18c648478a0037 |
| SHA512 | eaa194082870ea6696f1cfe8ebb59c15885af97f3772a9f42cafaddc4140024197e90153214f737c5697beb52e775a452bd26e2d4056a265701f81adb1b7d6cf |
C:\VidZJ\dobxec.exe
| MD5 | d59404919001e16d0537d335d3186bfb |
| SHA1 | 2ba6f68ba04c126a4495f777476f7b3c8c73977e |
| SHA256 | 6a375f4e5c9ce7f1236885cb44fe6d27363e28c153f2fa08b676427841f3b361 |
| SHA512 | 40b0f608f0e7f696787eae54af9dbf1538a46f0c49e236fe8ebe4a1b0d1757d6843557de6e7a3aea541fa7dc6ffa0b5ce6c2cd9f146f3fe73d8f7e6e51c6f83d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 19:51
Reported
2024-11-13 19:53
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | C:\Users\Admin\AppData\Local\Temp\bc2bb8a046ce0d270703c4c450a3f3b804b0bfa7f0fee9d6b39c185b676533e2.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| N/A | N/A | C:\Adobe4D\xoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Adobe4D\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\bc2bb8a046ce0d270703c4c450a3f3b804b0bfa7f0fee9d6b39c185b676533e2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB77\\optixsys.exe" | C:\Users\Admin\AppData\Local\Temp\bc2bb8a046ce0d270703c4c450a3f3b804b0bfa7f0fee9d6b39c185b676533e2.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bc2bb8a046ce0d270703c4c450a3f3b804b0bfa7f0fee9d6b39c185b676533e2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Adobe4D\xoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bc2bb8a046ce0d270703c4c450a3f3b804b0bfa7f0fee9d6b39c185b676533e2.exe
"C:\Users\Admin\AppData\Local\Temp\bc2bb8a046ce0d270703c4c450a3f3b804b0bfa7f0fee9d6b39c185b676533e2.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe"
C:\Adobe4D\xoptiec.exe
C:\Adobe4D\xoptiec.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysaopti.exe
| MD5 | 361bd2e45b7d1f765207a50696e449ee |
| SHA1 | fa7d84ed2af90a1f331685905a8ded9d8234ab37 |
| SHA256 | 7d69f374594ae8ee3c0f242d25d29a6899f2a62a5203bd3093cbddf972e7ac40 |
| SHA512 | d3380b0b1f4ae238c379a5812190cef45e8f73f97e6ec9ed704b89770e43e7a75f8ad03d91e15170da544c7e3acdd8bedc622e3082c18e0b7bf71f2f73d85c89 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | f1313b234f2682e17991eb2f33ba6a85 |
| SHA1 | af54a47211bdcbdf1d7e27ae7c49f8906ecc9f77 |
| SHA256 | ed86aa7a87388e97e47f333d86c319f8a4e2085f565c026a9a54dc713dd5a1e1 |
| SHA512 | 8563e01b718187376dc0c96107149f5966e26c1d76cb70e67de6e69bc6c9936bada5bfa9e7ce71e2b786178f217c11b227d447112b428b962f78539720592027 |
C:\Adobe4D\xoptiec.exe
| MD5 | 9fc1849177510a0591329ff5244f28af |
| SHA1 | 3d31bd7052d59387665bf1ddfeaa27dcd7e546ae |
| SHA256 | f4befeb1326145a5a70064232b41af41054f658f44bdbd745a80e1de35c2963e |
| SHA512 | c8c2687b4ee9f632e75db9588b2949431004d29bc25c654a35ed37c667499eed41c405dddcf9e07790601642bad9b553dac78492dc38b8688a1c41b2a17ce91d |
C:\Adobe4D\xoptiec.exe
| MD5 | 1afbf8ead4087abb4a4ce90ecdea8108 |
| SHA1 | b110c78a2ec380d905e48c48d542477935b73381 |
| SHA256 | 92baacbd494e79dae788ed8265e6bfc4982b62c874edea02fe0faa6162e28813 |
| SHA512 | 914570b8db3f461dcb52b2736834c55ad9810991d449b74c3cc02e61a60df2c9847148db9fc8a67bb7fcdce5775ece3296edff89a78492e1ae929320a172e9e1 |
C:\KaVB77\optixsys.exe
| MD5 | 0d544b383b5ae7742cd903f8a186af77 |
| SHA1 | 400e568e99c7b961c614fc309f028ed4e011476d |
| SHA256 | 586567d2ebfb6479284d01e773d8c7807b93875339d4305dde32f24900572a53 |
| SHA512 | 9acc3f242bb34e4ed1addcee46df81731e7e551c9f2ce0be679ed4bb1f02be9dbaccdf61570b64fce6b51b7a5ec266893ce022b94c8f93e8ea7059fe0f27c310 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | e9d9fe5f6375b0a4e1283c182fac34bd |
| SHA1 | 6c93c2fe53c736c288fad644938c092e8b9d8fc6 |
| SHA256 | 992cb1960f6a6098c49c129d3e22eb8b638b8f8172be1df6771182c657008132 |
| SHA512 | 0bd2a3d3c5bad19571b180244961f19f1d33dbea20e7b943fd4f62c066d73d74f10b97d3eefcd28efae896b8cb9e4cb9c8eae67fcda924b61de1e9bb672bab4b |
C:\KaVB77\optixsys.exe
| MD5 | 70ea0b8329bc3f76f03ebb2493989dc0 |
| SHA1 | 3b1f9b3a09984a127314b0d2baad71d31499aa7b |
| SHA256 | a52afbe9d9ac74f84238acdd505e9770f5d4752dde01f43d12bbc8f68e6634c5 |
| SHA512 | 7a005d752a8579256f7bec2647e7c01d63b79a6491acc3cdfe72c32a7b8370c2b96682822e055bf05e23cc55febe4d9b1ce90800caa67f5a9f5c4265d5ca3a8f |