Analysis Overview
SHA256
17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d
Threat Level: Shows suspicious behavior
The file 17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 20:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 20:07
Reported
2024-11-13 20:09
Platform
win7-20240903-en
Max time kernel
119s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | C:\Users\Admin\AppData\Local\Temp\17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| N/A | N/A | C:\FilesST\xdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesST\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZU8\\optixloc.exe" | C:\Users\Admin\AppData\Local\Temp\17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesST\xdobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe
"C:\Users\Admin\AppData\Local\Temp\17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
C:\FilesST\xdobsys.exe
C:\FilesST\xdobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\FilesST\xdobsys.exe
C:\LabZU8\optixloc.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\LabZU8\optixloc.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 20:07
Reported
2024-11-13 20:09
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | C:\Users\Admin\AppData\Local\Temp\17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
| N/A | N/A | C:\IntelprocFT\xdobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\IntelprocFT\\xdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintNC\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\IntelprocFT\xdobloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe
"C:\Users\Admin\AppData\Local\Temp\17f7739c7c77a44ddcb9d6c590e5088e4cb7ac3e9995e61dbd22d8ee0f23da9d.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe"
C:\IntelprocFT\xdobloc.exe
C:\IntelprocFT\xdobloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevdob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\IntelprocFT\xdobloc.exe
C:\MintNC\bodaec.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\MintNC\bodaec.exe