Analysis Overview
SHA256: ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147
Threat Level: Likely malicious
The file ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147 was found to be: Likely malicious.
Malicious Activity Summary
Credentials from Password Stores: Credentials from Web Browsers
Drops startup file
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-08-25 06:56
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-08-25 06:56
Reported: 2024-08-25 06:58
Platform: win7-20240705-en
Max time kernel: 149s
Max time network: 123s
Command Line: (none recorded)
Signatures
Credentials from Password Stores: Credentials from Web Browsers
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | C:\Users\Admin\AppData\Local\Temp\ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| N/A | N/A | C:\AdobeTM\aoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeTM\\aoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidR3\\dobaec.exe" | C:\Users\Admin\AppData\Local\Temp\ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeTM\aoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe | "C:\Users\Admin\AppData\Local\Temp\ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe" |
| C:\AdobeTM\aoptiec.exe | C:\AdobeTM\aoptiec.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locdevopti.exe
| Hash | Value |
|---|---|
| MD5 | 52d27372daadbeebb2690846e2e5c197 |
| SHA1 | f620c48c7fef857d1e732a8433de0c84db0d32ef |
| SHA256 | 32095b13d2ca1fd0ad0fa4ee0af5990b8e00d1f692db99eadaec6194809bb664 |
| SHA512 | eca6913787befb5494e46627567c784d9834fc2021465f7ca1c01eb987b59579c9734bfa857fd9b7c91636823cce13a66f5d5e65f1527d403f5063261f626a31 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 93bbc64f264d9c06306980477aa70fb1 |
| SHA1 | bed619621f8ab125bcf8dd7cb9cffd8216171ca6 |
| SHA256 | c5bcdf0d57c5b357fc32c20cd21c74a91da29e941e930cbbeae6acb31c57d20d |
| SHA512 | e3f5bba6f07a147e13a1fb8e112358fe3bba740e5f9ea18d3116ed5f397920d21acb554772e684e9daf2eb27cce58521e2b9aff9b37d0dc05a6c7632243221fe |
C:\AdobeTM\aoptiec.exe
| Hash | Value |
|---|---|
| MD5 | 9df65d4209bad2446dd1453034970c40 |
| SHA1 | d9cfbdf63e6a101ab5b0e9b29f026facb5a5a5b1 |
| SHA256 | ebe8444517aa06fa4efb2839387ee6e862c5281d5cfa3f1fece60535c46fbb1c |
| SHA512 | 7f3f40f5f0fc6f44d9a4f4b0b1eb829e7a0d9275aecdae13a86512eb719a68d6bc7f59b3ec4375752f5ec050787e4bea352d3c9470169bf0a231d6b19927a86a |
C:\VidR3\dobaec.exe
| Hash | Value |
|---|---|
| MD5 | 7ad023471e0b78aff9d6fa68d59d0a77 |
| SHA1 | 6da48e06cf376b32bcbdfc7576e8505aad6d2bda |
| SHA256 | fc79329f711c40584278e468042a9c8501d141c34cc141acf08aedd5a2f19e10 |
| SHA512 | e6b2b01b1afa948226629e00e735be539ae7bec0e41b27ca3ea7da17158029f29613a68ab800ec7cad0488206fae0a8aaaf29d39db2e2262fc338285f27f0dd8 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 49cb415ca76dedf6dc9bc7fc54aaa39c |
| SHA1 | db364753b14853cad59339b2be28dd6b01491e42 |
| SHA256 | 6a6a03b381b39ab4c0dc6ae95f3952068bdfbacd65167ddb5aaa96cee741c2ef |
| SHA512 | 53fd7e1b2629270054fd753c52a0036cc4031eae49634c6ca3e178859e7b42256f78381220133cd79af54e28aa738c9333cf3ce84722f2157f9590059bf132de |
C:\VidR3\dobaec.exe
| Hash | Value |
|---|---|
| MD5 | 853afe4a94b99819e3842d46201869f1 |
| SHA1 | e95b274b4280e634be604c7c268000fb39bf5c22 |
| SHA256 | 5c3cec46bc1b4ca0d4ab43a6b0af7034a5e1dcdb4f51c3a78ef3fac3343b0c3e |
| SHA512 | e8822fdf14bad941d6c17e5b0946adb6525a44adb36133a418e4125c9aef0e81ac7af65e492492906ae10f4f90bbd4e2a55f0031b5d1963697c6ba7bb76c8bde |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-08-25 06:56
Reported: 2024-08-25 06:58
Platform: win10v2004-20240802-en
Max time kernel: 149s
Max time network: 125s
Command Line: (none recorded)
Signatures
Credentials from Password Stores: Credentials from Web Browsers
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | C:\Users\Admin\AppData\Local\Temp\ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| N/A | N/A | C:\UserDot4S\abodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint7Q\\boddevloc.exe" | C:\Users\Admin\AppData\Local\Temp\ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot4S\\abodloc.exe" | C:\Users\Admin\AppData\Local\Temp\ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDot4S\abodloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe | "C:\Users\Admin\AppData\Local\Temp\ed6686adb87185692b6d47206cc622e74c44712eb0fcde6c95b2224e08e27147.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe" |
| C:\UserDot4S\abodloc.exe | C:\UserDot4S\abodloc.exe |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
| Hash | Value |
|---|---|
| MD5 | 217770b2c24e8b9639794f6c63881f47 |
| SHA1 | d62bda020d5c04375d7d4f379fb25ff6f0247e28 |
| SHA256 | d79519806249cfb9e39b4c53d6adffd9dfa8a61e8a903024eb05d0fe46600b52 |
| SHA512 | 51f2b0ed7078252835a38d2824e04553b7883cc1e6b7f4767bd62817d58f10d39e3a063dda61a52d2b98873e8e68fb45eccb8e40d41d300981fddf5f8ac02037 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 4eab212b02f1e5eb42718bc5a445e31d |
| SHA1 | 297357164e8c26d96b0194ee49eea84876d0e9b8 |
| SHA256 | 1710f160560df7f586b4128959133438955ddd2cccb6fd412d14c86768c9b25e |
| SHA512 | 295aebad42518e4659950a3fdde7cbad74b6be2c37211be7c7d8efd76368a192f12abc7eeada070fc17ec33e6232972781d21d66e44e94800e2548bb59dafe9a |
C:\UserDot4S\abodloc.exe
| Hash | Value |
|---|---|
| MD5 | 52ca94fa6b6385d763178807a4ad1db9 |
| SHA1 | da17fd99a7ca5ad9ec9e0f79ac3b911e099a7610 |
| SHA256 | 614aaf9ac567d23f7754ca341325d9b13dc538434f782666e7ed0630d2891872 |
| SHA512 | 9aea4373af478364e04ee5d97fe93db8cf2a5e4d0bf45357aadcf9a26bc9bf1c305ab036f794c64e4815fcca28ae18eed88d277b5570e4a896f8ae84fdf5c680 |
C:\Mint7Q\boddevloc.exe
| Hash | Value |
|---|---|
| MD5 | 5369e0b55aeaf14f76d0137af6e8a0d1 |
| SHA1 | fead6d7bdf128f6a146b989e90c3a21c1ede7b6f |
| SHA256 | d6154a27e5ab172a170273fb95fd57d73a78f4c051c041fcc7023d6c08f157b8 |
| SHA512 | 9a5856b182295c0fba2536a56b0af8661341cab964ebd80cd34f2cf85d73023d3f5a5844dcb802b84dcbea56d86809a110170c386d38bf3b19d70400608ad12d |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 74993698a16bf66f0d95bf33324c141e |
| SHA1 | 616b0074f15be768a9b0879a7e26b1755865238e |
| SHA256 | 78b8c30983b7a5f49a9e6d372a3e77ff4ed0a4587213e55d038ccfa9c97be64f |
| SHA512 | b12808ad2d542674efff6a78b4e326fe3b0ba360d0d273b6ff887aa204c368ffe1cbb7ef2ab6e52c2073f96cd842c4fb127a7acad072d3abcf77681d4dde102c |
C:\Mint7Q\boddevloc.exe
| Hash | Value |
|---|---|
| MD5 | 7194af4ca8b5784e038c373119d798e5 |
| SHA1 | 9c114add88126c1358d7020ca7697c5b0528ea2d |
| SHA256 | f49a5b25906bde4ad4744acd2ddf6b578eb40dcaee1e76a6cce91e836ac9e050 |
| SHA512 | dea51aa435f72ea947472a3d1ccdf8ab4c514fe964d86c9fdfb0484772ee56ab728d2b0ca997da1d392b38e9abbc4526ec702dbc83c527a01e04264766012992 |