Analysis Overview
SHA256
7b1af1370f8d7411458e3bbcf6da165a4661489facb001ec82a7403d376c08ce
Threat Level: Shows suspicious behavior
The file 7b1af1370f8d7411458e3bbcf6da165a4661489facb001ec82a7403d376c08ceN was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-26 00:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-26 00:16
Reported
2024-10-26 00:19
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | C:\Users\Admin\AppData\Local\Temp\7b1af1370f8d7411458e3bbcf6da165a4661489facb001ec82a7403d376c08ceN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| N/A | N/A | C:\UserDotFK\devbodsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7b1af1370f8d7411458e3bbcf6da165a4661489facb001ec82a7403d376c08ceN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7b1af1370f8d7411458e3bbcf6da165a4661489facb001ec82a7403d376c08ceN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotFK\\devbodsys.exe" | C:\Users\Admin\AppData\Local\Temp\7b1af1370f8d7411458e3bbcf6da165a4661489facb001ec82a7403d376c08ceN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidFH\\bodxec.exe" | C:\Users\Admin\AppData\Local\Temp\7b1af1370f8d7411458e3bbcf6da165a4661489facb001ec82a7403d376c08ceN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7b1af1370f8d7411458e3bbcf6da165a4661489facb001ec82a7403d376c08ceN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotFK\devbodsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7b1af1370f8d7411458e3bbcf6da165a4661489facb001ec82a7403d376c08ceN.exe
"C:\Users\Admin\AppData\Local\Temp\7b1af1370f8d7411458e3bbcf6da165a4661489facb001ec82a7403d376c08ceN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
C:\UserDotFK\devbodsys.exe
C:\UserDotFK\devbodsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
| MD5 | 193c703be29185fcbe987dd016ed2da2 |
| SHA1 | fd2ae7551838535d59385794bb06da5d26a109cc |
| SHA256 | ef715974aa19b573c7d2948293e239d02c461eb53c823e50013b88db983d2aa1 |
| SHA512 | 8eaea8b177197ca0641c20d616a7812aac5ddd9c950d8f3b30fdd2879ea646c6c7cafc888b699d6b3a5f56fd1e96098a51f1e625d91a577f6ae2cd8a820b81f8 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 02db9bb94344c67fe189a45403ca5f29 |
| SHA1 | 58f06500f7c873a8eb49ba3f0587403bcc56d03f |
| SHA256 | 42ce7ad3559ac2afd9e61040bb12840d98ccb90b56901322dd0f67a8b78185b4 |
| SHA512 | e252d34b8278d04a6c93bd3f94e74a1092e7ca5567b162b0fe645cc29886ef2cbf2d8859ed7cffba4a8a69e41f762bef8094cb8e69718114160cf99ad5f85199 |
C:\UserDotFK\devbodsys.exe
| MD5 | 7c8cb3645cc0b691da3cd2767d5f960d |
| SHA1 | 7cfe5331981a1410ea461780fdd064c1f9b660a7 |
| SHA256 | b172b59ba655ba84453a235a70b9d54a505a022e5be76b55345a47296d6aed73 |
| SHA512 | 6a30601a3d262ffb07c0b200d6584f468179ea884011cf84341283a4c51842bb02afef05acdc007756602136ae593eea5abd13a5ab134fe3290c6ed5fa55e24f |
C:\VidFH\bodxec.exe
| MD5 | 80ca44f0ecc829f86a4a09f43fff0d05 |
| SHA1 | 62c8b923bbad2d816e8c5cc7cd82e3b8f34b39e0 |
| SHA256 | 3b2a88933717ab3ffa438ae8bf465af021e03ef363fd932427467b445e80face |
| SHA512 | 927ab875d4651976e11717ea9dcc85a5483b5ee68aea0fec2017fa6e7b3861928662ed9d382ce2a54b6cb3e4ad6ae8d7040634cea28631cbc167ec753ec7adcb |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 435b4d34758ad5b07a7b9492a6928bb0 |
| SHA1 | 01b86fc02ad367b745fbc9715295aa2e897fa19d |
| SHA256 | 45e3b4e207f9c93616018080b59ddba0ebc1ef27a78e8c5225b82553ec370ead |
| SHA512 | 0a33b7e2aff2ecba6d1731ee4e0d01452a0e05bd519f3841cd5e70b20753b132bc8c25cde64f7ce8995717cc857125b1c8301a5cbc275559d874e61ab616a04b |
C:\VidFH\bodxec.exe
| MD5 | aae214d635cd85837d0f51b6889ebb01 |
| SHA1 | fae6211148d6c4438a4f0d25467c468213718c03 |
| SHA256 | 07121edd5dc8e5a6602da771ed494fa8266648087fa62ef8daf7ed0387ee694b |
| SHA512 | cece591b17e801f5b9b4a90477b19da2724ff5300a21aa6cd9bf912a50d6e721d86a06b06bc5acc2038a332a04ab53be798a3965de5b330afebbb21f98edcb8b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-26 00:16
Reported
2024-10-26 00:19
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
105s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | C:\Users\Admin\AppData\Local\Temp\7b1af1370f8d7411458e3bbcf6da165a4661489facb001ec82a7403d376c08ceN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| N/A | N/A | C:\UserDotZ5\abodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotZ5\\abodloc.exe" | C:\Users\Admin\AppData\Local\Temp\7b1af1370f8d7411458e3bbcf6da165a4661489facb001ec82a7403d376c08ceN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintS1\\dobxsys.exe" | C:\Users\Admin\AppData\Local\Temp\7b1af1370f8d7411458e3bbcf6da165a4661489facb001ec82a7403d376c08ceN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7b1af1370f8d7411458e3bbcf6da165a4661489facb001ec82a7403d376c08ceN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotZ5\abodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7b1af1370f8d7411458e3bbcf6da165a4661489facb001ec82a7403d376c08ceN.exe
"C:\Users\Admin\AppData\Local\Temp\7b1af1370f8d7411458e3bbcf6da165a4661489facb001ec82a7403d376c08ceN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
C:\UserDotZ5\abodloc.exe
C:\UserDotZ5\abodloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 110.11.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
| MD5 | bd07997789b7650c554dd2d59fa4915b |
| SHA1 | 9799c05182ddf2d6d517c3d58f69586abf979885 |
| SHA256 | f52ea9c0f127dcc5396698060d5edbd763877154de5643ca013619c4231deecd |
| SHA512 | fb2897cba20b2b9e8209adc54fc9a8bf02f160af4723e5c0045317d8601940a77b96228b4d4ac9b4135dbc72848cbd477e41a7ad8158175c3b5127df10b28e71 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 38f8e059569de891d8719d13767913a9 |
| SHA1 | 77c1c2d727a2f1e76dadd383b14ba61e55a9e3f9 |
| SHA256 | 8608a3a883da4b1c2f9e3d0c4354d336ae629b240beede19aee66c3b2704fb8d |
| SHA512 | bb60423ffcf02a03c930061c4d750e10fd4c209d3a3d9c57fcad0cdfe2cc93145a99c9330bf5a41b9bed968040ebb680276c955183f9ec4757e3774606695d2e |
C:\UserDotZ5\abodloc.exe
| MD5 | bae5eb085a9f023b8d36e2a083933bdd |
| SHA1 | c8f3b383d6ce74e8606027a03db4b0ae08c513b1 |
| SHA256 | b505b72bbec0ac5ef11559a9e1cd5d9b176f6b03b0dc9296023c144e105605ab |
| SHA512 | 93d15b5bec81644cf4030f24c5941cb76efb1e539e47e25ee9c722db4b1b52b8ec129fef26b9080ad23fe6b7d1f0752e3a263040aa5557656967acd4d5e485f3 |
C:\UserDotZ5\abodloc.exe
| MD5 | 07ce61ebb0305d89e99f981426a5cd24 |
| SHA1 | 62ef377bae1e78e503cbe2ee567a314c08617d2f |
| SHA256 | 9224abdb09757fb1382d222bd69ba418124a1ddfa8644ae86f4928d45b1ce439 |
| SHA512 | 24fdc8d63a2ee3250565886d7782f5c7c16d5feb1fc6719e0ed93c2cc4465965b45871338feb1125b466c74a2532f7b0a225ab29d44b0e2eb5299e676032cd02 |
C:\MintS1\dobxsys.exe
| MD5 | 3ec174c1bd67657f61566904b0c4ecc1 |
| SHA1 | de6656e1a8ee592a1e52e9512b409d5fac428ad1 |
| SHA256 | 6c0d2763699c39850e3147d4814259052650a622252ae44ae29326d99d47f6ff |
| SHA512 | f2cd3863a863ce8e9648377b568c2acffee8ef757e50f8d0a35baed8f10e2e142609ff05a264de4c6ea3ca382eca3f6445715adc7e225b5142abdecee98d5e16 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 42aa21abadddd8d59cb7e8949d5de96d |
| SHA1 | 013776768087a228facda0eaa660765e30fa1373 |
| SHA256 | 08f3184ef3ba8583bee94d3a0a03290ee042295fa7b00e186bec9b4f15b250d2 |
| SHA512 | dd0ed9e75138cfc893fb739a862fe48cb45a7a89d661ae3b119ec7415445c9432fcf0f2bc069a30b325e74bc1565ddf6bd52e1c99ab483ef688546406cbe219e |
C:\MintS1\dobxsys.exe
| MD5 | a6c1c7b5734afb58e061d2596500d20d |
| SHA1 | 8e9bf47d47d1a37b3873f24d46b912fbe17fdb11 |
| SHA256 | f00bde4b800865ad97afca52f28bc6122f0853fd18931a2d5ff27b263aa49173 |
| SHA512 | 2e9a2edd98ed9d7ece931d0e9c1eaeb9803904a4e3e43f056561a69ca4514a59146f7aea68a1e15a3a97749965ffea8cbceb87fbacff7e704693a497deba3531 |