Analysis Overview
SHA256
30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50
Threat Level: Shows suspicious behavior
The file 30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N was classified as: Shows suspicious behavior. The signatures listed below are generic behavioral indicators (persistence via the Startup folder and Run/RunOnce keys, execution of dropped executables, process-memory writes); the report assigns no malware family to the sample.
Malicious Activity Summary
Drops startup file
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-26 03:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-26 03:30
Reported
2024-10-26 03:32
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
110s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | C:\Users\Admin\AppData\Local\Temp\30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| N/A | N/A | C:\UserDot7Y\devoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot7Y\\devoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintQL\\dobasys.exe" | C:\Users\Admin\AppData\Local\Temp\30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDot7Y\devoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe
"C:\Users\Admin\AppData\Local\Temp\30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
C:\UserDot7Y\devoptisys.exe
C:\UserDot7Y\devoptisys.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
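Every row in the Network table is either a PTR (in-addr.arpa) lookup sent to 8.8.8.8 or DNS/TLS traffic to Bing hosts, and the report attributes none of it to a specific process. The following is an added triage helper, not part of the sandbox report or of the sample: it parses the rows, turns each in-addr.arpa name back into the forward IPv4 address that was looked up, and separates PTR noise and Microsoft background traffic from anything that would still need analyst review. Treating `.bing.com` / `.bing.net` as background traffic is an analyst allowlist assumption for this report, not a fact the sandbox states.

```python
import ipaddress

# Rows transcribed from the Network table above (constructed sample input so the triage
# runs offline; the report gives no per-process attribution for these connections).
NETWORK_ROWS = """\
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
"""

# Domains treated as Windows/sandbox background traffic. Analyst allowlist assumption
# for this report, not something the sandbox asserts.
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net")


def parse_rows(text):
    """Parse '| Country | host:port | Domain | Proto |' rows into dicts; skip malformed lines."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        host, _, port = dest.rpartition(":")
        if not port.isdigit():
            continue
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(domain):
    """'97.17.167.52.in-addr.arpa' -> '52.167.17.97'; None if not a valid IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not domain.endswith(suffix):
        return None
    labels = domain[:-len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ValueError:
        return None


def classify(row):
    """'ptr-lookup', 'background' or 'review' for one row."""
    if row["port"] == 53 and ptr_to_ip(row["domain"]):
        return "ptr-lookup"
    if row["domain"].endswith(BACKGROUND_SUFFIXES):
        return "background"
    return "review"


def triage(text):
    """Summarise the table: which IPs were reverse-looked-up, which hosts were actually
    connected to over TCP, which of those overlap, and which rows still need review."""
    rows = parse_rows(text)
    ptr_targets, forward, review = set(), set(), []
    for r in rows:
        kind = classify(r)
        if kind == "ptr-lookup":
            ptr_targets.add(ptr_to_ip(r["domain"]))
        elif r["proto"] == "tcp":
            forward.add(r["host"])
        if kind == "review":
            review.append(r)
    return {"rows": len(rows), "ptr_targets": ptr_targets, "forward": forward,
            "looked_back": ptr_targets & forward, "review": review}
```

On this table the helper leaves nothing for review: all thirteen PTR names resolve to forward addresses (one of them, 150.171.28.10, is the same Microsoft host the sample's run connected to over 443), and the remaining rows are Bing traffic. None of these destinations should be promoted to network IOCs for the sample.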
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
| MD5 | 36029b303afea72101cf411e51e3397b |
| SHA1 | f2fee78488eeb32b1923e56548c395dfda0e424d |
| SHA256 | 5ca064ac40f7b36bc76b8253b93e9114675b6dc8210e358ab05ac6b14d44c194 |
| SHA512 | 4e19c067842eafd72ff585c59dc44e8457f0543a6721878d73e72958aaafae13428b1211d48916fa2c02e0731b1d2ac752f2af78e761b2254e20dd49c930d5fe |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 367928d6d11135c9f817103762279199 |
| SHA1 | b7a53b71f840624a15d8ecc5d76c4879229fab02 |
| SHA256 | 40bc32f3aacd60013cb4196ef781dfbde62f45ba9c6120bfa11b6b1bbb728a1f |
| SHA512 | 7e572f627bbcfc0fff110e4bfcc34791f0b099408c3a7733f1aa33bc2d19a3992431249b15b1303b12ddca578afa8821a2ea504ddf1c6b36c1f5544f264e86e5 |
C:\UserDot7Y\devoptisys.exe
| MD5 | c197b96d4aaf6a94d8c9d5e8eaa46647 |
| SHA1 | 6a5d202d5c12f92ed08c4e3173e8076b30599e68 |
| SHA256 | c1f0ac365490dcd4bb79e6fbbb426a12096d0d117fdcacf38da111f17366b8be |
| SHA512 | 982ea75660b8c55cf14fe2ee62c499eb526f3026aafc6a74a6d32c0f3a52de610668874c9718769e8d027b547fe20cd043415c6f30956342e6261f31117096b6 |
C:\MintQL\dobasys.exe
| MD5 | f57b426268fa0ba166d8bac35a663008 |
| SHA1 | 813ae1e3ea4918704af55f395b3bfde63d6f1966 |
| SHA256 | 7e6821e920875b2c3a32caa03de7658e00726dc1860bbe21943489fb95834fe1 |
| SHA512 | d335b7b09c8f38afc17160d00a3272b59354b914908a0f6aba7a4b86a8c8b9082d7f8f3caad4e35bb2886c7c621db0cc124bb7fe2a07fd15f378c09cec9f2ef7 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 2f978ab78172161cfcfd62406c2e00b9 |
| SHA1 | 40be35cb79953631020336baf50a0b2d54c198ad |
| SHA256 | acc0e2f1a3d20cfefaeddff8f64644466905ca618b310e67c2ded09ca1b0988e |
| SHA512 | ede343473b6a11e8cafd669b0fc1fa658ea0c028bed54435d26248c7cc9b5833a955a563bb042c72f0e5d77fd5ad6d0c2ee1a07526f26fc1d1fa6c96695aae5b |
C:\MintQL\dobasys.exe
| MD5 | b608991e294a6491557bff168c697a31 |
| SHA1 | 48c751535e6745b4ef30fb9ec758245769a3c6b3 |
| SHA256 | ddb40df2c664917d94d71cbd08abd6f6b40ce9000b579d4971dc089acb8c9680 |
| SHA512 | 2ff1dea59c82ed4e4e92280269946e379451a49b2dce51147774471012312e543101a96134b1b77da7a87a8a245f6896a88f75bee4a78a237a109cd8f53a5a1a |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-26 03:30
Reported
2024-10-26 03:32
Platform
win7-20240903-en
Max time kernel
119s
Max time network
125s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | C:\Users\Admin\AppData\Local\Temp\30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| N/A | N/A | C:\Files9A\xbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files9A\\xbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidY9\\boddevsys.exe" | C:\Users\Admin\AppData\Local\Temp\30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe | N/A |
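Both detonations show the same persistence pattern: the sample drops an executable into the per-user Startup folder ("Drops startup file" in behavioral1 and behavioral2) and writes a Run value and a RunOnce value, both named Parametr, pointing at executables in freshly created top-level directories ("Adds Run key to start application" in both runs). The directory and file names change between runs, the value name and the key locations do not. The following is an added detection example, not code from the sandbox or from the sample: it evaluates event rows in the shape of the tables above and flags autorun values whose target lies outside the standard program directories, plus executables created in the Startup folder. The trusted-root list and the benign OneDrive control row are assumptions added for illustration and are not from the report.

```python
import re

# The sample's own path in both detonations (copied from the Processes sections above).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe"

# (description, indicator, process) rows transcribed from the "Drops startup file" and
# "Adds Run key to start application" tables of behavioral1 and behavioral2 above, as
# constructed sample input so this runs offline. The last row is a benign control row
# that is NOT from the report, included only to show a non-match.
SAMPLE_EVENTS = [
    ("File created",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe", SAMPLE),
    ("File created",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe", SAMPLE),
    ("Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot7Y\\devoptisys.exe"', SAMPLE),
    ("Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintQL\\dobasys.exe"', SAMPLE),
    ("Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files9A\\xbodloc.exe"', SAMPLE),
    ("Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidY9\\boddevsys.exe"', SAMPLE),
    ("Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe"',
     r"C:\Windows\explorer.exe"),
]

# '<key>\<value name> = "<data>"' as the sandbox prints registry writes.
REG_VALUE = re.compile(r'^(?P<key>.+)\\(?P<name>[^\\]+) = "(?P<data>.*)"$')
AUTORUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)$", re.IGNORECASE)
STARTUP_EXE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.IGNORECASE)
# Autorun targets under these roots are not flagged (assumed allowlist); anything else,
# such as C:\UserDot7Y or C:\Files9A, is. Lower-case, single backslashes.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
TEMP_MARKER = "\\appdata\\local\\temp\\"


def normalize(path):
    """Collapse the doubled backslashes the sandbox prints for REG_SZ data and lower-case."""
    return path.replace("\\\\", "\\").strip().lower()


def check_event(description, indicator, process):
    """Classify one event row. Returns (kind, value_name, target, writer_in_temp) or None."""
    writer_in_temp = TEMP_MARKER in process.lower()
    if description.startswith("Set value"):
        m = REG_VALUE.match(indicator)
        if not m or not AUTORUN_KEY.search(m["key"]):
            return None
        target = normalize(m["data"])
        if target.startswith(TRUSTED_ROOTS):
            return None
        return ("autorun", m["name"], target, writer_in_temp)
    if description == "File created" and STARTUP_EXE.search(indicator):
        return ("startup-drop", None, normalize(indicator), writer_in_temp)
    return None


def scan(events):
    """Run check_event over every row and keep the hits."""
    return [hit for hit in (check_event(*row) for row in events) if hit]
```

Run against the rows above, the six report events are flagged and the control row is not; every hit was written by a process running from %TEMP%, which is the extra condition worth keeping in a production rule. The value name Parametr and the RunOnce-plus-Run pairing are the indicators that survive across both detonations, so a hunt should key on those rather than on the per-run directory names.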
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Files9A\xbodloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe
"C:\Users\Admin\AppData\Local\Temp\30656b304b47e869de28fddbc743f4be8709498fab59977951ac3b5a7e380a50N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
C:\Files9A\xbodloc.exe
C:\Files9A\xbodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
| MD5 | 10b0d8cc1ea309ddbad132186b02a24e |
| SHA1 | 1a2a3d8a89a6dfbdd361cfcd443f72814d226c41 |
| SHA256 | 1bf9f6560a39e757ed45e976cab948004fde37c6fbab457bcc2d80ccdea329da |
| SHA512 | fa0175317c2170c19eb306a931444c1047f99490cb2a6b88fd943969354a1883bbd4a88cc9383690fc4a38030aec8138846ed9e26a8f0d29fc886e4229025a18 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 60151bbe6453256c273a81b6ba25146a |
| SHA1 | 46e5f038c3e30ca153cebc9e53a680e44faba881 |
| SHA256 | 7db7bc0c7179b17a9799eb73b9fc7da340b6da90b04a76614d149dbd1f7beea6 |
| SHA512 | ab055009c3ec3ba7dcaf6b97b189a593ca7d9441a7f83279726f241b7f54a4a0499c337f5be476e4bb293ea44364e58b6b451e8692cc31f7cc4bc288b312623d |
C:\Files9A\xbodloc.exe
| MD5 | 814039714f546629801b3047f049a201 |
| SHA1 | b84a1cca1e97c89b0804b532465c841d896010e5 |
| SHA256 | 429b29eacb036167712437df4d73d7853a23908e8869851d12ce86026cb74c0c |
| SHA512 | 388d247e977dafb4a549100d415cb5efdca2c5b984bc49438fae3785421edf98ccdbd7accacdede165facc6b97c39811674af4fadf42575cbc75e5bb9f600c80 |
C:\VidY9\boddevsys.exe
| MD5 | 8662396c1e4afc713b01501c42900ad6 |
| SHA1 | 45a35d02a58869d6d3b27fe7e22bbf320df3e251 |
| SHA256 | b43ecc3f6730a193130ee2b7fd2dcb6b913006b28bf90b214f4f79d29f813704 |
| SHA512 | 0fb09ba191ed0133b8eb83985e7334b3f5c95223827d75ab22f1ee9e8ebfe68554a0d843c7f31c151f8304948edcb242d72cf2128bb4375890a964efbe925307 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 478a7bc2b9f9478fb3850f7d8e89c557 |
| SHA1 | b4360a28f1b6def3490fd4ca6c0e5b3e74e679a0 |
| SHA256 | 3d153829e970f9e58d3c73428552a0d5c3e2968500e7c42a892b8085963cc2c2 |
| SHA512 | 63c11c270fa1e36611ed874be000d791e4ac40322e463ef2e579541e462def2f01f802dc2127ce92c027fac2e49bfad24825b9f33e747545f11a69d47d8783e9 |
C:\VidY9\boddevsys.exe
| MD5 | 92e7358bd80e3bcf619adba852d66be5 |
| SHA1 | cfa209b6c36d616a69dff3caedaade4b929d0e8f |
| SHA256 | fa916b3e2e03840e3c2fd856ec18b9872450bc1a872c9b291769caffcdc7d41e |
| SHA512 | 7a45d20f377b3f770bfb55e15e6a8ad92c9c08fb32aee95460a485dc20e9d58a55743f1fa56e380f53d44b86d6a1c5c563ad6f0119dde45fa12ecb6bdfff0c42 |
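The two Files sections (behavioral2 on Windows 10 and behavioral1 on Windows 7) record different names, directories and hashes for what are structurally the same artifacts: the Startup-folder dropper (ecabod.exe vs ecdevopti.exe), the Run target (UserDot7Y\devoptisys.exe vs Files9A\xbodloc.exe), the RunOnce target (MintQL\dobasys.exe vs VidY9\boddevsys.exe) and the .ini in the user profile root, and within each run the .ini and the RunOnce target are listed twice with different hashes because they were rewritten. File hashes from one detonation are therefore weak indicators. The following is an added helper, not part of the report or the sample: it parses both Files sections, indexes the SHA256 values, shows which paths were rewritten, confirms that no file name is shared between the runs, and offers a name pattern for the .ini. That pattern (digits, OS major.minor, user name) is an inference from the two observed names only.

```python
import hashlib
import re

# SHA256 rows transcribed from the two Files sections above (constructed sample input
# so this runs offline; the MD5/SHA1/SHA512 columns are omitted here).
FILES_WIN10 = r"""
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
| SHA256 | 5ca064ac40f7b36bc76b8253b93e9114675b6dc8210e358ab05ac6b14d44c194 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| SHA256 | 40bc32f3aacd60013cb4196ef781dfbde62f45ba9c6120bfa11b6b1bbb728a1f |
C:\UserDot7Y\devoptisys.exe
| SHA256 | c1f0ac365490dcd4bb79e6fbbb426a12096d0d117fdcacf38da111f17366b8be |
C:\MintQL\dobasys.exe
| SHA256 | 7e6821e920875b2c3a32caa03de7658e00726dc1860bbe21943489fb95834fe1 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| SHA256 | acc0e2f1a3d20cfefaeddff8f64644466905ca618b310e67c2ded09ca1b0988e |
C:\MintQL\dobasys.exe
| SHA256 | ddb40df2c664917d94d71cbd08abd6f6b40ce9000b579d4971dc089acb8c9680 |
"""

FILES_WIN7 = r"""
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
| SHA256 | 1bf9f6560a39e757ed45e976cab948004fde37c6fbab457bcc2d80ccdea329da |
C:\Users\Admin\253086396416_6.1_Admin.ini
| SHA256 | 7db7bc0c7179b17a9799eb73b9fc7da340b6da90b04a76614d149dbd1f7beea6 |
C:\Files9A\xbodloc.exe
| SHA256 | 429b29eacb036167712437df4d73d7853a23908e8869851d12ce86026cb74c0c |
C:\VidY9\boddevsys.exe
| SHA256 | b43ecc3f6730a193130ee2b7fd2dcb6b913006b28bf90b214f4f79d29f813704 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| SHA256 | 3d153829e970f9e58d3c73428552a0d5c3e2968500e7c42a892b8085963cc2c2 |
C:\VidY9\boddevsys.exe
| SHA256 | fa916b3e2e03840e3c2fd856ec18b9872450bc1a872c9b291769caffcdc7d41e |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
# Inferred from the two observed names: <digits>_<OS major.minor>_<user>.ini
INI_NAME = re.compile(r"^\d+_\d+\.\d+_[^\\]+\.ini$", re.IGNORECASE)


def parse_files(text):
    """Turn a Files section into [(path, {algorithm: hexdigest}), ...], one entry per listing."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        m = HASH_ROW.match(line)
        if m:
            records[-1][1][m.group(1).upper()] = m.group(2).lower()
        elif line:
            records.append((line, {}))
    return records


def sha256_index(*runs):
    """Map every SHA256 on the page to the path it was recorded under."""
    return {h["SHA256"]: path for run in runs for path, h in run if "SHA256" in h}


def rewritten_paths(records):
    """Paths listed more than once with different content: {path: distinct_hash_count}."""
    seen = {}
    for path, h in records:
        seen.setdefault(path, set()).add(h["SHA256"])
    return {p: len(s) for p, s in seen.items() if len(s) > 1}


def basenames(records):
    return {path.rsplit("\\", 1)[-1].lower() for path, _ in records}


def lookup(data, index):
    """Return the report path whose SHA256 matches the bytes in `data`, else None."""
    return index.get(hashlib.sha256(data).hexdigest())
```

The index is what to load into a hash-matching tool; rewritten_paths and the empty basename intersection are the evidence that the durable indicators for this sample are behavioral (the Startup-folder drop, the Parametr Run/RunOnce values, and an .ini matching the name pattern in the user profile root), not the per-run file hashes.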