Analysis Overview
SHA256
ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5
Threat Level: Shows suspicious behavior
The file ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-15 22:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-15 22:55
Reported
2025-01-15 22:57
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | C:\Users\Admin\AppData\Local\Temp\ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| N/A | N/A | C:\SysDrv9C\xoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv9C\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid1L\\optixloc.exe" | C:\Users\Admin\AppData\Local\Temp\ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrv9C\xoptiec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe
"C:\Users\Admin\AppData\Local\Temp\ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
C:\SysDrv9C\xoptiec.exe
C:\SysDrv9C\xoptiec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
| MD5 | d986cc24e63cd102dfaea8eea0f1c83f |
| SHA1 | 71635511797a3bf55b529a09a68e700dddb88be9 |
| SHA256 | 6eecd8b1bdf6e7fafed7da62df74e401de31e4d51de3c2832b8e010a4aef9d3c |
| SHA512 | ebf491aab2e68d82a6f58adac544840e9ee525f31a45cc0d51ab8f8235769943ba97cfdf45605622d6cf0c63d8bdadeb40a3b4929c21d41956a61b07c3c5567f |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 3676060e78ee753d17f16f5d58bda5c5 |
| SHA1 | 6a3010a8df700e890e8798e4688b29f0a292af3e |
| SHA256 | 65b267513c0fc92367c10e34c188679ff8f41e0b9e980d0e1683e2b83738c984 |
| SHA512 | 931194f255fd16c370be1b3b5db121f138d7be58f53eb3c63ebe05bee41a685ba5ef11d2464c524e5cc2208364ea3c1279e0610597b0101ae41011795761fce3 |
C:\SysDrv9C\xoptiec.exe
| MD5 | 049267b57159ccf97113a437187f96d3 |
| SHA1 | 480449ed37e4c26191b36b77f8e401a29886f29e |
| SHA256 | 97e3de9db29d1d446f07b93acd437b771d9178dbbb1ca3335bbe569b8dba9d57 |
| SHA512 | 9a439c29a9c2a6d61839ee62b4ad8c577dc3bf08808bfc011e7277849d2580b99ef0b5744c92d29f18f6032419f5961e51edf54c9812ff9700c303ab25063188 |
C:\Vid1L\optixloc.exe
| MD5 | 6143060c46a9a5bca78137541bea11a4 |
| SHA1 | 530d958f1df5c8050fda9b1982a47c481f018567 |
| SHA256 | 76b290df97224fb698860c4396d6c8c777f334896e587002db9b2fe302967f9a |
| SHA512 | 48d328ae6bcc011860b3619034a19fffa3d63e79f0a1d580f658011e83507ad6bc8f4bc48234191ab394abbec7dfce58b0eb618f34cea60af1225ac77e33e6ed |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 9bece9117abc8b1bada525ba833140df |
| SHA1 | 66d2e0f7b73432479c26cae097fcbfd9c7bb4392 |
| SHA256 | b0ff3d871f0f5b098ac682c06cfc84a689f91ca91a3ade6e46c473664405c953 |
| SHA512 | 33fe43683bc17a6624ca522a8c466cfeda55ae4b1ac72be5e6d03056c5cfe0d4b5ba04b092ee451f61ef2b4187c9e2f4b4fdd0c0c7623149acca5b1e6b1142f3 |
C:\Vid1L\optixloc.exe
| MD5 | 80414626d65d29e426772e6ae7a758a4 |
| SHA1 | 45b34b315dc9c425010f4c1607088f6ce2eaa7e8 |
| SHA256 | 2d36c8fe9208da197ac92767901931c16c123e36b408628e728d54f0133e93f5 |
| SHA512 | d249875ce64528ee2030cd40ebf3a974292b79647319f4c08a694c19a03f115b72a48b120867a5a1a590ebf73286fffc3ef2113873e3dc9f8afbfe1b6a03f7e6 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-15 22:55
Reported
2025-01-15 22:57
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
94s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | C:\Users\Admin\AppData\Local\Temp\ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| N/A | N/A | C:\UserDotFP\xbodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotFP\\xbodec.exe" | C:\Users\Admin\AppData\Local\Temp\ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintV8\\dobaec.exe" | C:\Users\Admin\AppData\Local\Temp\ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotFP\xbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe
"C:\Users\Admin\AppData\Local\Temp\ad30c146d098411fc2980241b569450c208e49858569d31b473f8e069006aeb5N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
C:\UserDotFP\xbodec.exe
C:\UserDotFP\xbodec.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
| MD5 | 9467251cfa809c9b6de8477a33868a13 |
| SHA1 | d6c66cf7c12f54d90da33c0de2f3be68f4a15c64 |
| SHA256 | 7f140aa47479eee52119cbfac9919d93e742c76444019ca6aa9510464ce04295 |
| SHA512 | ab6abb5114c389060bb9c552481ab7a414c7e75737d47f3207c80b36ca3e1814d543b126d91a7ddbab0a319b9353a1fe7d3439d60230486a8c9018408f7225f6 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | ffc7d599e6cf7b2deca03c55b77ef468 |
| SHA1 | fc13b5d737ee2e5e382274c0f60eb3a0748ff698 |
| SHA256 | 3b16ea547d0f1ee08704b9bfd0a3daab1a4702383ce908d4e5cbe681be0f2365 |
| SHA512 | 8d2a9c906b27f602bb83d8808b513a8ff1be1f12b8ab380807402a6f798fd49812c4e42e5c3fc298a347877b38dc50f1a0e1f4fd157ed500f9b096d65e2e394a |
C:\UserDotFP\xbodec.exe
| MD5 | 8e8e820925103b3b2c083de15dd4fd1c |
| SHA1 | aa18a08d1ecddb360e575e01031d95610bbeee91 |
| SHA256 | 0005f03ffdb99aa9fada1ba622f464f235a8753c264f5602ca0c117e923bc155 |
| SHA512 | fda6d18e11d14947d4da5dbcbea8832355421c7688442975ef3aabf3db71fdca0b4f3e46f409cc7360914bd7dab11ed898afd8b23dd33dd247f0b20609f64fee |
C:\UserDotFP\xbodec.exe
| MD5 | 0076d5f0cedd9343247fa2668549d1f5 |
| SHA1 | c22f8b37cd090c1b86e8a228be20614b71c6064d |
| SHA256 | c3f200af03d9e719ecee4742f49f715062c3ecc67a1af15e96c2eb0229892159 |
| SHA512 | 77b8bf4b2ec9031c84c3490fbecee3d7d6dfb03e36f0187337491b96a7d949417e5dc59bc152c215c5b6ddbb2cb02b2a082e38e1618a3a1a9dfe48495be09b31 |
C:\MintV8\dobaec.exe
| MD5 | b3b7a9f5f3d17e3555825a59df9f2a7a |
| SHA1 | 6161f42b3651f2a4691dd863f579bacae1a8da4b |
| SHA256 | 9b8a5165f6ec39bf0e94858053b926663bff0d17eacc6095aa35c73a48e8e911 |
| SHA512 | 5b907b41c898f42947fdafcdc4aad87678845fdd5349c6af1e82a3f2586cd17401c2a5621c3b4893aa92813ac1f0ced6b6f591d23027580837ced8108b4c3c05 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 0bf40e4d687a5aab43ed4e273222f39a |
| SHA1 | e5494b94fb0a27010675ccb9527a3d19bd1abe6f |
| SHA256 | 03a1638138f6dc5f5857f3838d6b59bb8385c0d7032cae8ba87a53d656aaf006 |
| SHA512 | ee485649b3106cf7bcf696d4a64db51d927bd556b2c5e6fed64d59415e06f840e5bec2a00f39ddc7da1fa79cd3ae523e57fe3855639eb18cb2399db6437e7630 |
C:\MintV8\dobaec.exe
| MD5 | ced5548eab3b7ac2d65dfe4e79582ed8 |
| SHA1 | 78674c5faddf5a35f2f09867cb5edead7a524bad |
| SHA256 | e2b09e6b04e2c6d4183916ddcd2d02d16c47d6cb0c14772879c035ab642235f0 |
| SHA512 | 1498c396d3ce702ae43428b9bc92f8fe5de3e675bda0701b9e7393b6c3b9ee5e6640d4a89a4dbc7c6410e3a2ae45315486e678b1814e2a048ce7f9d2ceb4a529 |