Analysis Overview
SHA256: f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc
Threat Level: Shows suspicious behavior
The file f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-06-03 05:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-03 05:33
Reported: 2024-06-03 05:36
Platform: win7-20240508-en
Max time kernel: 150s
Max time network: 118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | C:\Users\Admin\AppData\Local\Temp\f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| N/A | N/A | C:\SysDrvU6\abodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvU6\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZD7\\boddevsys.exe" | C:\Users\Admin\AppData\Local\Temp\f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc.exe
"C:\Users\Admin\AppData\Local\Temp\f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
C:\SysDrvU6\abodec.exe
C:\SysDrvU6\abodec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
| MD5 | b7bb8edd4e2caeea06934fb4571e43a5 |
| SHA1 | a3909c7611517ba066e725bebda7338a55138dfa |
| SHA256 | 401fdc1be8ea4ea987dbdf26195f61b66b4240a2f3cf7f9b0d4ff5ca567620a7 |
| SHA512 | fcab33a85831f07780fac91e2f839642bba9a234e7efec2b11caad8a07accfe09de5f05fe669f6921f6ced92d34a14b1845f45c22fad0e389b77aedb09112245 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 891c967c987ea982c1e60cc6bcc5a40c |
| SHA1 | 20e30f1ed605617491e7585ee90da44682c6ea4c |
| SHA256 | 2e08d9f0bc66b04d64a7534ec68d4cebd2d07523028fc084488779347111d1bc |
| SHA512 | e7f7a3e258b6defd7dfdf02b952b0a9783a2b6337d57a23ca3e826f366ba1461c5a6a99cac66b40fea945367420628b6a8e39317f7a68e1d412348a2204f2be5 |
C:\SysDrvU6\abodec.exe
| MD5 | 4f22d799849ad951d457b82eff37db75 |
| SHA1 | 4e1063fe8d636bd72f9cd680c689c23c67188ea6 |
| SHA256 | 6d731a85e1aa5373ae56b774f79879aaae0bf7acee2d491ffbe549dc72920948 |
| SHA512 | 9906f7f210918aad8326adf8876fb1a50517812f1d6dc706f0ad6c14c9363ea1c2bdf15f1589563e9483925b76a4a315f4db9d27af6ab0674f200275d3b25f9a |
C:\LabZD7\boddevsys.exe
| MD5 | 9c2027a7c7492e3e9c9e9e76551a9910 |
| SHA1 | dc58d3007a7439d9090f8871d30e593200b0c170 |
| SHA256 | 1b17ed84060ccff1425351c7cc60b227b5be60ca125a590f327b2ce17115a6e2 |
| SHA512 | faaf958baa6509dbacf5ca2c05412824b0f0dc35f73db49ee5e3802ddcaccc3fc8e50ef05f7c6aaa0e56d92323b8a7008d5830c338df5601b0e806aa4de472f3 |
\SysDrvU6\abodec.exe
| MD5 | 50bb275267184a0e41603764ec06b077 |
| SHA1 | b393397afa25191e789c635dea9c6bbfa73ce282 |
| SHA256 | 0c684298e148c36ad575add5bb3db22037de1f9397c86e0c5702601642ce971e |
| SHA512 | 86c945be7b936374e49b8f166212345b04a36844e19c48c9bd631b07f27d8bb52591b1b975734d6dee4b8b51422cde7c59ee29aa074abbf6f692841eb1c881fe |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 0d4a04a3fcef2cc9f34eb8b30b62b418 |
| SHA1 | 2edbc1c297dba9631efea4f9c9f32e55d0469f82 |
| SHA256 | 0eb6cd237f3175a57fde98c1a121f8c73ff607981ef2fff9edd1576820d0d02d |
| SHA512 | e5ac0f9243fbe9f0f2b8f2b461e81139edd42a6662b2b324040af5f92d9ad45ea6e70e92ef75f51dfe7f9d253f2be6e3ba5cf238fef7273394ad609720c9c7b6 |
C:\LabZD7\boddevsys.exe
| MD5 | 31b9fdb4447ac3e03d968a552bc4e770 |
| SHA1 | d627686f45ee3073c5d2b2ab3c697fbb6c80d830 |
| SHA256 | 3b4fd6d2394a2f6e8d87efd5d9bf0a29b6d66a27a65ff07e0dc1f3f75e035255 |
| SHA512 | 4f1ef15941ad7cd5179ae19a4f6a7d244837516dd80b008b9807c6f39d623f60a7fb5b27d828623f476de96fbc5bf2a207a95127ef0f3497fed6a57e91422ad0 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-03 05:33
Reported: 2024-06-03 05:36
Platform: win10v2004-20240426-en
Max time kernel: 150s
Max time network: 125s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | C:\Users\Admin\AppData\Local\Temp\f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe | N/A |
| N/A | N/A | C:\FilesOU\abodsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesOU\\abodsys.exe" | C:\Users\Admin\AppData\Local\Temp\f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZWO\\optixloc.exe" | C:\Users\Admin\AppData\Local\Temp\f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
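The "Drops startup file", "Executes dropped EXE" and "Adds Run key to start application" signatures in both detonations describe the same persistence pattern: an executable dropped into the user's Startup folder, a Run and a RunOnce value named "Parametr" pointing at freshly created directories directly under the drive root (C:\SysDrvU6, C:\LabZD7, C:\FilesOU, C:\LabZWO), and execution of the dropped files. The following is an added detection example, not sandbox output and not the sample's own code. It runs rules for those three behaviours over events constructed in the shape of Sysmon records (EID 1 ProcessCreate, 11 FileCreate, 13 RegistryEvent SetValue); the paths, value names and SID in the events are the ones the report lists, while the allow-list of expected root directories, the rule names and the benign contrast events are assumptions for illustration.

```python
"""Host-side checks for the persistence seen in both detonations (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

STARTUP_FOLDER_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$", re.I)
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<name>[^\\]+)$", re.I)
# Assumed allow-list: top-level directories an autorun target or process image is
# expected to live under. C:\SysDrvU6, C:\LabZD7, C:\FilesOU, C:\LabZWO are none of these.
EXPECTED_ROOT_DIRS = {"windows", "program files", "program files (x86)", "programdata", "users"}
# Autorun value name used in both runs of this sample (report-derived IOC).
KNOWN_VALUE_NAMES = {"parametr"}
EXEC_EXTENSIONS = (".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js", ".lnk")


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    evidence: str


def executable_from_value(data: str) -> str:
    """Program path from autorun value data: undo the doubled backslashes the report
    prints, honour a quoted path followed by arguments, else take the first token
    (an unquoted path containing spaces is cut at the space; known limit)."""
    data = data.replace("\\\\", "\\").strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else ""


def root_dir_of(path: str) -> Optional[str]:
    """Lower-cased first directory under the drive letter, or None for a non-local path."""
    m = re.match(r"^[A-Za-z]:\\([^\\]+)\\", path)
    return m.group(1).lower() if m else None


def check_events(events):
    """Apply the three persistence rules to a list of event dicts and return Findings."""
    findings = []
    for ev in events:
        eid, image = ev["eid"], ev["image"]
        if eid == 11:  # FileCreate: executable written into the Startup folder
            target = ev["target"]
            if STARTUP_FOLDER_RE.search(target) and target.lower().endswith(EXEC_EXTENSIONS):
                findings.append(Finding("startup_folder_drop", image, target))
        elif eid == 13:  # RegistrySetValue: Run/RunOnce pointing outside expected roots
            m = RUN_KEY_RE.search(ev["target"])
            if not m:
                continue
            exe = executable_from_value(ev["details"])
            label = f"{m.group('key')}\\{m.group('name')} = {exe}"
            root = root_dir_of(exe)
            if root is not None and root not in EXPECTED_ROOT_DIRS:
                findings.append(Finding("autorun_to_nonstandard_root", image, label))
            if m.group("name").lower() in KNOWN_VALUE_NAMES:
                findings.append(Finding("autorun_value_name_ioc", image, label))
        elif eid == 1:  # ProcessCreate: image in Startup folder or under an unexpected root
            cmd = ev.get("command_line", "")
            if STARTUP_FOLDER_RE.search(image):
                findings.append(Finding("exec_from_startup_folder", image, cmd))
            root = root_dir_of(image)
            if root is not None and root not in EXPECTED_ROOT_DIRS:
                findings.append(Finding("exec_from_nonstandard_root", image, cmd))
    return findings


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
CURVER = r"\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion"

SAMPLE_EVENTS = [  # constructed: mirrors the behavioral1 signatures plus benign noise
    {"eid": 11, "image": DROPPER, "target": STARTUP + r"\ecxdob.exe"},
    {"eid": 11, "image": DROPPER, "target": r"C:\Users\Admin\253086396416_6.1_Admin.ini"},
    {"eid": 13, "image": DROPPER, "target": CURVER + r"\Run\Parametr", "details": r"C:\\SysDrvU6\\abodec.exe"},
    {"eid": 13, "image": DROPPER, "target": CURVER + r"\RunOnce\Parametr", "details": r"C:\\LabZD7\\boddevsys.exe"},
    {"eid": 13, "image": r"C:\Windows\explorer.exe", "target": CURVER + r"\Run\OneDrive",
     "details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"eid": 1, "image": STARTUP + r"\ecxdob.exe", "command_line": '"' + STARTUP + r'\ecxdob.exe"'},
    {"eid": 1, "image": r"C:\SysDrvU6\abodec.exe", "command_line": r"C:\SysDrvU6\abodec.exe"},
    {"eid": 1, "image": r"C:\Windows\System32\svchost.exe", "command_line": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for f in check_events(SAMPLE_EVENTS):
        print(f"{f.rule:30} {f.process}\n{'':30} {f.evidence}")
```

The root-directory rule is a triage signal rather than a block rule: legitimate software occasionally installs into a custom directory directly under C:\, so the allow-list should be tuned to the fleet. The "Parametr" value name and the Startup-folder drop are the higher-confidence matches for this particular sample.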
Processes
C:\Users\Admin\AppData\Local\Temp\f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc.exe
"C:\Users\Admin\AppData\Local\Temp\f4ca47cbbeaa07c124417ee67a62b3224723226050449732e31a0e69cd32a3dc.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe"
C:\FilesOU\abodsys.exe
C:\FilesOU\abodsys.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe
| MD5 | 8158a12d0d852e060b4f60ba9bbd3a37 |
| SHA1 | e003535300e735a069753c2d84e7602393209eb9 |
| SHA256 | 2caf5241cfceb9c2eda93b750c6212346d13e69229faed3c13c845fad5f9160a |
| SHA512 | 86e75146dfefe93a47d3fc2ea889fbc14db574e3f0355cc308cc860ad183d484433dac53d6f2615bbefcab889d19c8893db287d3fc64b839a6f4241bf122eb63 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 35999cfb797e622f5862706569985839 |
| SHA1 | 6ce2c0110f46c8518094a1f14ef580f2925ceb86 |
| SHA256 | 4b78a4b4fa896eb1546e3255de0ecadbc4387e10bd6ef1dfbfb72a92df234f26 |
| SHA512 | 126cb8536d521f94c321ae7a8494cbd08b0c08f9735a4aa9f31fac0417b74676ff413ffb11f7aae6d4e96445d6e05e0367e60ce33951a745c886b85815929ee5 |
C:\FilesOU\abodsys.exe
| MD5 | a8b6d48fc722ddd617a46d366bc47b12 |
| SHA1 | 7aa42f30b67bfc0bfc3029425037df54da3d719d |
| SHA256 | 14ea4779fb0bfea29b24dac1a88d2eea4f17bb3366cfb9d88b269f89ae5c600a |
| SHA512 | 1673d13ecc9a01215a5bec2e2d6870bc9d74b2c7ecd0a2baf468d59c49c29fc15e261dd6c551b2cd373837a83766930fdaeab241f72c0a78abbfa7ff88d74f0a |
C:\LabZWO\optixloc.exe
| MD5 | 4f22d799849ad951d457b82eff37db75 |
| SHA1 | 4e1063fe8d636bd72f9cd680c689c23c67188ea6 |
| SHA256 | 6d731a85e1aa5373ae56b774f79879aaae0bf7acee2d491ffbe549dc72920948 |
| SHA512 | 9906f7f210918aad8326adf8876fb1a50517812f1d6dc706f0ad6c14c9363ea1c2bdf15f1589563e9483925b76a4a315f4db9d27af6ab0674f200275d3b25f9a |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | a7f4aa5cbb20135a5fbce66126932d0c |
| SHA1 | 7bd8b9f703c20646f2a7e67c54bcd02e08e62547 |
| SHA256 | 17f49d933dd5687ea837526b7dc309fae2d570acda24fbf5178133617539c401 |
| SHA512 | 2e21f53b3e5efb8ee6023fc613e3309e9deadf9ebf928724ae4d3b072759da8ddf9fdda85f1e47d11e385186a8a801ac031a46f3dce6e6ff042b14d3841c46ac |
C:\LabZWO\optixloc.exe
| MD5 | fa9d72384aac85b56fd506984fffa94c |
| SHA1 | 49dcbfbd5ec47a6c2b958f9ed1218162910753e5 |
| SHA256 | d57b67d65d2358e8c397dafcf32f67b15eb0979b7fc5c55085b5d9095cded2f7 |
| SHA512 | 944347d008833196fcfbaccdd516ae115e4c31775e04b506a1497e1fb36272461f65ec21fd6f49f0459d9a1ca68d076378f6ad70fcd66af5cf33d9c215c56c28 |
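The file tables of the two detonations carry more than a flat hash list. C:\SysDrvU6\abodec.exe (behavioral1) and C:\LabZWO\optixloc.exe (behavioral2) have identical MD5, SHA1, SHA256 and SHA512 values, so the same payload was written under different names in each run; several paths are listed twice with different hashes, so the file at that path was written more than once; and the .ini in the profile root embeds the OS version and user name (253086396416_6.1_Admin.ini on Windows 7, 253086396416_10.0_Admin.ini on Windows 10). The following is an added example that extracts those relationships and matches a host inventory against them; it is not tool output. The path and SHA-256 pairs are copied from the report, the name pattern for the .ini is generalised from the two observed names, paths the report prints without a drive letter are assumed to be on C:, and the host inventory at the bottom is constructed.

```python
"""IOC extraction from the Files sections of both detonations (added example)."""
import re
from collections import defaultdict

# (analysis, path, sha256) as listed in the Files sections, in report order
REPORT_FILES = [
    ("behavioral1", r"\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe",
     "401fdc1be8ea4ea987dbdf26195f61b66b4240a2f3cf7f9b0d4ff5ca567620a7"),
    ("behavioral1", r"C:\Users\Admin\253086396416_6.1_Admin.ini",
     "2e08d9f0bc66b04d64a7534ec68d4cebd2d07523028fc084488779347111d1bc"),
    ("behavioral1", r"C:\SysDrvU6\abodec.exe",
     "6d731a85e1aa5373ae56b774f79879aaae0bf7acee2d491ffbe549dc72920948"),
    ("behavioral1", r"C:\LabZD7\boddevsys.exe",
     "1b17ed84060ccff1425351c7cc60b227b5be60ca125a590f327b2ce17115a6e2"),
    ("behavioral1", r"\SysDrvU6\abodec.exe",
     "0c684298e148c36ad575add5bb3db22037de1f9397c86e0c5702601642ce971e"),
    ("behavioral1", r"C:\Users\Admin\253086396416_6.1_Admin.ini",
     "0eb6cd237f3175a57fde98c1a121f8c73ff607981ef2fff9edd1576820d0d02d"),
    ("behavioral1", r"C:\LabZD7\boddevsys.exe",
     "3b4fd6d2394a2f6e8d87efd5d9bf0a29b6d66a27a65ff07e0dc1f3f75e035255"),
    ("behavioral2", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevbod.exe",
     "2caf5241cfceb9c2eda93b750c6212346d13e69229faed3c13c845fad5f9160a"),
    ("behavioral2", r"C:\Users\Admin\253086396416_10.0_Admin.ini",
     "4b78a4b4fa896eb1546e3255de0ecadbc4387e10bd6ef1dfbfb72a92df234f26"),
    ("behavioral2", r"C:\FilesOU\abodsys.exe",
     "14ea4779fb0bfea29b24dac1a88d2eea4f17bb3366cfb9d88b269f89ae5c600a"),
    ("behavioral2", r"C:\LabZWO\optixloc.exe",
     "6d731a85e1aa5373ae56b774f79879aaae0bf7acee2d491ffbe549dc72920948"),
    ("behavioral2", r"C:\Users\Admin\253086396416_10.0_Admin.ini",
     "17f49d933dd5687ea837526b7dc309fae2d570acda24fbf5178133617539c401"),
    ("behavioral2", r"C:\LabZWO\optixloc.exe",
     "d57b67d65d2358e8c397dafcf32f67b15eb0979b7fc5c55085b5d9095cded2f7"),
]

# Generalised from the two observed names: <digits>_<os version>_<user>.ini in the profile root
MARKER_INI_RE = re.compile(r"^c:\\users\\[^\\]+\\\d+_\d+(?:\.\d+)?_[^\\]+\.ini$")


def normalize_path(path: str) -> str:
    """Lower-case a path; assumption: drive-less report paths are on the system drive C:."""
    path = path.strip()
    if path.startswith("\\"):
        path = "C:" + path
    return path.lower()


def shared_content(files=REPORT_FILES):
    """SHA-256 values written to more than one distinct path (same payload, different name)."""
    by_hash = defaultdict(set)
    for _, path, sha in files:
        by_hash[sha].add(normalize_path(path))
    return {sha: sorted(paths) for sha, paths in by_hash.items() if len(paths) > 1}


def rewritten_paths(files=REPORT_FILES):
    """Paths listed more than once with different content, hashes in report order."""
    by_path = defaultdict(list)
    for _, path, sha in files:
        p = normalize_path(path)
        if sha not in by_path[p]:
            by_path[p].append(sha)
    return {p: shas for p, shas in by_path.items() if len(shas) > 1}


def marker_files(files=REPORT_FILES):
    """Report paths that fit the <digits>_<os version>_<user>.ini marker pattern."""
    return sorted({normalize_path(p) for _, p, _ in files if MARKER_INI_RE.match(normalize_path(p))})


def match_host(observed, files=REPORT_FILES):
    """Match a {path: sha256} host inventory on report hashes, then on the marker-file name."""
    iocs = {sha for _, _, sha in files}
    hits = []
    for path, sha in observed.items():
        p = normalize_path(path)
        if sha.lower() in iocs:
            hits.append((p, "sha256", sha.lower()))
        elif MARKER_INI_RE.match(p):
            hits.append((p, "marker_ini_name", ""))
    return hits


OBSERVED_HOST = {  # constructed inventory: one hash hit, one name-pattern hit, one clean file
    r"C:\Tools\update\svc.exe": "6D731A85E1AA5373AE56B774F79879AAAE0BF7ACEE2D491FFBE549DC72920948",
    r"C:\Users\bob\318819523241_10.0_bob.ini":
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",  # SHA-256 of empty file
    r"C:\Windows\System32\notepad.exe": "11" * 32,  # placeholder, not a real hash
}

if __name__ == "__main__":
    print("shared content:", shared_content())
    print("rewritten paths:", rewritten_paths())
    print("marker files:", marker_files())
    print("host hits:", match_host(OBSERVED_HOST))
```

Hash matching alone would miss the renamed copies this sample produces on each run (the Startup-folder drop and the RunOnce target have different hashes in the two detonations), which is why the name pattern and the directory-based rules are worth carrying alongside the hash set.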