Analysis Overview
SHA256
db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9f
Threat Level: Shows suspicious behavior
The file db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 20:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 20:05
Reported
2024-11-13 20:07
Platform
win7-20240903-en
Max time kernel
120s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | C:\Users\Admin\AppData\Local\Temp\db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| N/A | N/A | C:\IntelprocF7\devbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocF7\\devbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintHI\\boddevsys.exe" | C:\Users\Admin\AppData\Local\Temp\db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocF7\devbodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe
"C:\Users\Admin\AppData\Local\Temp\db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
C:\IntelprocF7\devbodloc.exe
C:\IntelprocF7\devbodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
| MD5 | f3b2b395ada98d83990d0b8c1c6a86a4 |
| SHA1 | 4f70ce1778f519dbbd3ac337b000d1fea389f3b3 |
| SHA256 | 299f0e3e8027adf2e34c1937b2b87c30c19b0ba3780f049ad84f4e79c1aaad14 |
| SHA512 | 51f2c05a1108aa4986bdf5938bd2d6c02e0e993afcd07f224af0fa17f5b50c993f5ae123e8bedfdc164c14e06f9310f3a8400e1b28cc5ba291f7726c5be987b6 |
C:\IntelprocF7\devbodloc.exe
| MD5 | c7cae401176155dccd042a571fac8818 |
| SHA1 | b9fd9b8a5e880cea58579f813a3e1b8c37ce9513 |
| SHA256 | 7581b006e2e9b799484788103d9fd3414daede52d3b435ce5babbcc6afffbb5c |
| SHA512 | 8e6e43e9fdfe7d3f93595b045dccdbdc8248397aa7c9da35e541a9c8a1d2e8f7c64c70bd7f8f6a7b6d4e13b9877cab2f2f2fe319e62530d6f19711cb6e06f61f |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 1dc7aa5ea432558316d16dc625b9212c |
| SHA1 | 42aa895bc586cdaa3d6ec9d71a87de8339a70eba |
| SHA256 | b3723f2ac97d969788fc6631878d736a7274815de9bd588c798fb2fa02ebc3ed |
| SHA512 | 5ee3714df7c60fc6ff510fb014b5580ad06bbb6fe74867a37786fae92c395939e96ca50638495d58b76bbac645afe9680dd1ad7d74ac4b29e154b766683b5e7a |
C:\MintHI\boddevsys.exe
| MD5 | 2719ca20d9509d01814a22f1d4743f14 |
| SHA1 | 3e5655ee0bf7456279f9e692a6b322ad321f6c74 |
| SHA256 | a4c250d44d43362adb143f36715f8bf3951ce1d6d442a28a59fde12681eab781 |
| SHA512 | b41fb92f64b109cf96072182f288f4433e80f0c5971e857ade54b74f8fea4dca563e5ac87efc57403041c53765cf215eed3c43dd797d32050067f323a5dc1595 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | fda0b68d30890faa25943cf7e033e08d |
| SHA1 | ec8bae9e166ee1492b9e990c320ab2a2855ce427 |
| SHA256 | 734c45571116cdaaa94af27cc6ddb50b1871f332eaaf3b89424afcdd8a213974 |
| SHA512 | a5121007f68a69eacd77f4c2d7fa6e2c0f841d63b3e6a3a7510075c17e7bf054fdac3dca255091dab90c756b0741f7bb9ce282cc26cde717b11ca9e3c5e9c9d8 |
C:\MintHI\boddevsys.exe
| MD5 | f3a24a59afbe17d52edf76a85a5c9572 |
| SHA1 | 5c06d06703f5ebbd68a2f69d9fea9c68ed686f36 |
| SHA256 | b301bf2fc5c221bcacd828849e3f7b5fecb1a36aac39942d9fe226c86f5e22de |
| SHA512 | 2d9865c67ed25fbe722aeaf710a291126bad9d2fd413bc7cbb34733a80f989524262e19b0d8b5b408b3ca90e1e52ef1b074b4cfe0dff86f9be4f005209b76a10 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 20:05
Reported
2024-11-13 20:07
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
96s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | C:\Users\Admin\AppData\Local\Temp\db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| N/A | N/A | C:\AdobeED\xoptiloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeED\\xoptiloc.exe" | C:\Users\Admin\AppData\Local\Temp\db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBU3\\dobxloc.exe" | C:\Users\Admin\AppData\Local\Temp\db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeED\xoptiloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe
"C:\Users\Admin\AppData\Local\Temp\db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe"
C:\AdobeED\xoptiloc.exe
C:\AdobeED\xoptiloc.exe
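Both detonations above record the same persistence chain under different randomized names: the sample writes an .exe into the per-user Startup folder (ecaopti.exe on Win7, sysadob.exe on Win10), executes it, and sets a Run value and a RunOnce value, both named Parametr, pointing at executables in newly created top-level directories (C:\IntelprocF7 and C:\MintHI on Win7, C:\AdobeED and C:\KaVBU3 on Win10). The file and directory names change per run; the value name and the drop locations do not. The Python below is an added example, not part of the sandbox report, that turns those observations into detection logic over constructed Sysmon-style events (EventID 1, 11 and 13 with Sysmon's real field names; the event contents are made up here to mirror the behavioral1 tables). The NLS\Language key open reported under System Language Discovery is not covered: Sysmon has no event for a key being opened, only for key creation, value set and rename. TRUSTED_ROOTS and the rule names are assumptions of the example; "Parametr" is treated as a sample-specific IOC while the untrusted-path check is the generic rule.

```python
"""Detection logic for the persistence chain in this report, run over
constructed Sysmon-style events (made up here to mirror behavioral1;
not the sandbox's own telemetry)."""
import re
from collections import defaultdict

# Sysmon event IDs (real values): ProcessCreate, FileCreate, RegistryEvent (Value Set).
PROCESS_CREATE, FILE_CREATE, REGISTRY_SET = 1, 11, 13

# Per-user Startup folder: an .exe created here runs at the next logon.
STARTUP_EXE_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$",
    re.IGNORECASE,
)
# Run / RunOnce value under any hive spelling (HKU\<SID>\..., HKCU\..., \REGISTRY\USER\...).
RUN_VALUE_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?P<key>RunOnce|Run)\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# Value name both detonations in this report used: a sample-specific IOC, not a generic rule.
IOC_VALUE_NAMES = {"parametr"}
# Assumed install roots a legitimate autostart entry points into; tune per environment.
TRUSTED_ROOTS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows", r"c:\programdata")


def run_target_path(details: str) -> str:
    r"""Executable path from Run value data: '"C:\x\y.exe" /arg' -> 'C:\x\y.exe'."""
    details = details.strip()
    if details.startswith('"'):
        end = details.find('"', 1)
        return details[1:end] if end > 0 else details[1:]
    return details.split(" ", 1)[0]


def is_untrusted_location(path: str) -> bool:
    r"""True for paths outside TRUSTED_ROOTS, e.g. C:\IntelprocF7\devbodloc.exe."""
    p = path.lower()
    return not any(p.startswith(root + "\\") for root in TRUSTED_ROOTS)


def analyze(events: list[dict]) -> list[dict]:
    """One alert per matching event, plus a correlation alert when the same process
    used both the Startup folder and a Run/RunOnce value (two autostart mechanisms)."""
    alerts, tags = [], defaultdict(set)  # tags: Image -> behaviours seen for it
    for ev in events:
        image, eid = ev.get("Image", ""), ev.get("EventID")
        if eid == FILE_CREATE and STARTUP_EXE_RE.search(ev.get("TargetFilename", "")):
            tags[image].add("startup_drop")
            alerts.append({"rule": "startup_folder_exe", "process": image,
                           "evidence": ev["TargetFilename"]})
        elif eid == REGISTRY_SET:
            m = RUN_VALUE_RE.search(ev.get("TargetObject", ""))
            if not m:
                continue
            target = run_target_path(ev.get("Details", ""))
            if m.group("name").lower() in IOC_VALUE_NAMES:
                alerts.append({"rule": "run_value_name_parametr", "process": image,
                               "evidence": ev["TargetObject"]})
            if target and is_untrusted_location(target):
                tags[image].add("run_untrusted_target")
                alerts.append({"rule": m.group("key").lower() + "_untrusted_target",
                               "process": image, "evidence": target})
        elif eid == PROCESS_CREATE and STARTUP_EXE_RE.search(image):
            alerts.append({"rule": "exec_from_startup_folder", "process": image,
                           "evidence": "parent=" + ev.get("ParentImage", "")})
    for image, seen in tags.items():
        if {"startup_drop", "run_untrusted_target"} <= seen:
            alerts.append({"rule": "multi_persistence_same_process", "process": image,
                           "evidence": ", ".join(sorted(seen))})
    return alerts


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\db0927bba9a568c7f43f44742f73aad935bba038eabd6005a5d4f6c5e0e88b9fN.exe"
STARTUP_EXE = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe"
CV = r"HKU\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion"

# Constructed events in Sysmon field naming; values copied from the behavioral1 tables above.
CONSTRUCTED_EVENTS = [
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": STARTUP_EXE},
    {"EventID": 13, "Image": SAMPLE, "TargetObject": CV + r"\Run\Parametr",
     "Details": r"C:\IntelprocF7\devbodloc.exe"},
    {"EventID": 13, "Image": SAMPLE, "TargetObject": CV + r"\RunOnce\Parametr",
     "Details": r"C:\MintHI\boddevsys.exe"},
    {"EventID": 1, "Image": STARTUP_EXE, "ParentImage": SAMPLE},
    {"EventID": 1, "Image": r"C:\IntelprocF7\devbodloc.exe", "ParentImage": SAMPLE},
    # Benign control (constructed): an installer registering its updater under Program Files.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": CV + r"\Run\VendorUpdater",
     "Details": r'"C:\Program Files\Vendor\updater.exe" /background'},
]

if __name__ == "__main__":
    for a in analyze(CONSTRUCTED_EVENTS):
        print(f"{a['rule']:32} {a['process']}  ({a['evidence']})")
```

Run stand-alone, the script prints seven alerts for the constructed sample events and none for the benign control. The correlation alert is the one worth paging on: a Run key write from an installer is routine, and a file in Startup can be a user shortcut gone wrong, but one process doing both within a single run, with targets in ad-hoc top-level directories, is the pattern this report shows.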
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.144.22.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysadob.exe
| MD5 | 2074a25d2dfa523193cc405103af9770 |
| SHA1 | 5d101ba203011b3ab6812d6a38fcda3726fd8769 |
| SHA256 | 66f7659ca6005b9889023f4c06ef0ce13907bf9c6f9fab4f138594b2c800d5b8 |
| SHA512 | 968e365e666a5df315041ea3ca555b368345dfd8e745f01c6e88eb4d76f422b01e5191d8295d70e7e39edec330cd7682a9bc201973a8e4b801759bea94488825 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 1626df9605f1df0f9b4c924b073a3138 |
| SHA1 | 0d6e3f721bbf30814b0b50f225fbc4b9505cb169 |
| SHA256 | a2a2c7fdbd9ed5dc0bf26a22f76b3437a98c713d1b2e3d4909147201ca252cee |
| SHA512 | 936b18aa155f52ac37af0fd6613899d7cddace26fafe5005f3beda7d01e8ffc969a37a57473245762254ec2ef57fc2f1d195de167708731cd089e6c805cab2a0 |
C:\AdobeED\xoptiloc.exe
| MD5 | 39927e8550afdf1d612706720046ae1a |
| SHA1 | 5d0edd26d4579c8f058764720f179c6992fe8d9b |
| SHA256 | 4a26bd814ea231d9ffb53f9c08c1aefbbf2484b74c95ab76c4b0f739b69c6927 |
| SHA512 | bae31135bf8e6ad2f4bc4bc50ddf791b9351c9966f1c3a1d7ca1f3c83033acc2bd61acce52bede915ca4bced642d1d9de9a0fb9392630aa0f3c7a3131d8fd1da |
C:\KaVBU3\dobxloc.exe
| MD5 | f87826ef3bd35c10d6d36cf0ec9d9818 |
| SHA1 | c0ae1913e6a0f3b2f8a78008bb015bf3ac8d862f |
| SHA256 | c9a3ecb0e11bf714274e07e2d73467cafb582909fcbcd540880b1df8ae9c7f28 |
| SHA512 | 1ab1bd1b1df96ed29027ab083f759c3d6dfc27bd77c42120e250aeab30d3925b9abf0c146a40efc8e6035e3ce6fefe12d58b4cd7c0e1646933e990ca5afbcad6 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 27cc22543cc4eafe166fd15152f4bc5a |
| SHA1 | ec48e5c55284e687143f7835d8af4748d29c18b4 |
| SHA256 | bedb3757c991ff3224f45a590154238956621152434086a08d6f1edc2872a550 |
| SHA512 | 66ab1836b67715def83db0484b2f2491b4260b0791658646831db2b41fa580cda499175a499636cf524b9b5dfdd4124b6662beff617c661e017304d33b6abd4c |
C:\KaVBU3\dobxloc.exe
| MD5 | 10e6df3619bbbd1a2464d5000a56fbb5 |
| SHA1 | 9080f324c059847c04fbc434d62d8ab2e06140a9 |
| SHA256 | e437e0733cdde421f32dedbcb49fb69873f23116dc2523e2a45b18e005fd1559 |
| SHA512 | 9cf956066c20f94e36fc21e8c536ef7625e51e279c3c9794d5029cac42d155db5a2e79ccfe4010364e50c34b0675745a5fc121a112892a31b331ab14427ac6ff |
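The Files tables in both runs are the usable indicators from this report. The behavioral2 Network table contains only reverse-DNS (PTR) queries to 8.8.8.8 and no other rows, and behavioral1 recorded no network activity at all, so there is nothing here to block at the network layer. The dropped file names differ between runs, so a hunt must match on hashes rather than names, and the .ini name is run-specific too (253086396416_6.1_Admin.ini on the Win7 platform, 253086396416_10.0_Admin.ini on Win10, i.e. the middle field tracks the Windows version and the last field the user name). Note also that C:\MintHI\boddevsys.exe, C:\KaVBU3\dobxloc.exe and both .ini files are each listed twice with different hashes: the sandbox captured two distinct contents at the same path during the run, and every listed hash is a valid IOC. The Python below is an added example, not tooling from the sandbox: it parses a Files section in this page's own layout (FILES_SECTION is copied from the behavioral1 tables for ecaopti.exe and the two boddevsys.exe entries, with the SHA512 rows left out for brevity), validates digest lengths, and sweeps a directory for SHA256 matches. The sweep demo creates its own temporary files and registers one constructed hash, since the real dropped files are not available here; the file names and paths in that demo are invented.

```python
"""Parse the file IOCs from a report section laid out like this page and sweep
a directory for matching SHA256 hashes. FILES_SECTION is copied from the
behavioral1 Files tables above; the swept files are created by the example."""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

HASH_ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}  # hex digits per algorithm

# Copied from this report (behavioral1); SHA512 rows omitted for brevity, the parser accepts them.
FILES_SECTION = r"""
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecaopti.exe
| MD5 | f3b2b395ada98d83990d0b8c1c6a86a4 |
| SHA1 | 4f70ce1778f519dbbd3ac337b000d1fea389f3b3 |
| SHA256 | 299f0e3e8027adf2e34c1937b2b87c30c19b0ba3780f049ad84f4e79c1aaad14 |
C:\MintHI\boddevsys.exe
| MD5 | 2719ca20d9509d01814a22f1d4743f14 |
| SHA1 | 3e5655ee0bf7456279f9e692a6b322ad321f6c74 |
| SHA256 | a4c250d44d43362adb143f36715f8bf3951ce1d6d442a28a59fde12681eab781 |
C:\MintHI\boddevsys.exe
| MD5 | f3a24a59afbe17d52edf76a85a5c9572 |
| SHA1 | 5c06d06703f5ebbd68a2f69d9fea9c68ed686f36 |
| SHA256 | b301bf2fc5c221bcacd828849e3f7b5fecb1a36aac39942d9fe226c86f5e22de |
"""


def parse_files_section(text: str) -> dict[str, list[dict[str, str]]]:
    """Map each reported path to a list of hash records, one per occurrence: the
    same path can be listed twice with different hashes (boddevsys.exe above),
    and both are valid IOCs. Digest lengths are checked to catch copy errors."""
    records = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HASH_ROW_RE.match(line)
        if m and current is not None:
            algo, digest = m.group(1).lower(), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} for {current}: {len(digest)} hex digits, want {HASH_LEN[algo]}")
            records[current][-1][algo] = digest
        elif "\\" in line and not line.startswith("|"):  # a path line starts a new record
            current = line
            records[current].append({})
    return dict(records)


def sha256_of(path: str) -> str:
    """Streamed SHA256 so large files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: str, iocs: dict[str, list[dict[str, str]]]) -> list[tuple[str, str]]:
    """Hash every file under root; return (local file, reported path) per SHA256 hit.
    Matching is by hash, not name, because the dropped names change per run."""
    by_sha256 = {rec["sha256"]: path for path, recs in iocs.items() for rec in recs if "sha256" in rec}
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            digest = sha256_of(full)
            if digest in by_sha256:
                hits.append((full, by_sha256[digest]))
    return hits


def demo_sweep() -> list[tuple[str, str]]:
    """Stand-alone demo: two constructed files, one of whose hash is registered as an
    extra IOC, so the sweep produces exactly one hit (the real samples are not here)."""
    iocs = parse_files_section(FILES_SECTION)
    with tempfile.TemporaryDirectory() as d:
        marker = os.path.join(d, "dropped.bin")
        with open(marker, "wb") as f:
            f.write(b"constructed payload, not the real sample")
        with open(os.path.join(d, "benign.txt"), "wb") as f:
            f.write(b"nothing to see")
        iocs[r"C:\constructed\dropped.bin"] = [{"sha256": sha256_of(marker)}]
        return [(os.path.basename(f), p) for f, p in sweep(d, iocs)]


if __name__ == "__main__":
    for path, recs in parse_files_section(FILES_SECTION).items():
        print(path, [r["sha256"] for r in recs])
    print(demo_sweep())
```

To use it against a real host, feed parse_files_section the full Files text of both runs (all four hash rows per entry) and point sweep at the locations this report names: the per-user Startup folder, the user profile root for the .ini, and any unexpected directory directly under C:\. A hit on any of the listed SHA256 values identifies the exact dropped artifact; a Startup-folder .exe with no hit still deserves a look, because a fresh build of the same dropper will carry new hashes.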