Analysis Overview
SHA256
aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cd
Threat Level: Shows suspicious behavior
The file aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Drops startup file
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-26 04:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-26 04:10
Reported
2024-10-26 04:12
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | C:\Users\Admin\AppData\Local\Temp\aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| N/A | N/A | C:\UserDotBZ\abodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotBZ\\abodloc.exe" | C:\Users\Admin\AppData\Local\Temp\aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid52\\dobxec.exe" | C:\Users\Admin\AppData\Local\Temp\aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotBZ\abodloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe
"C:\Users\Admin\AppData\Local\Temp\aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
C:\UserDotBZ\abodloc.exe
C:\UserDotBZ\abodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
| Hash | Value |
|---|---|
| MD5 | 60d981fe7cfe3fda017f028a5717ac4e |
| SHA1 | 5d2ffa89049068e048f0cb7b6e48b16e8fb3f764 |
| SHA256 | 108aec8fdfa8537f5fb3891994ffcafe2ea5f366809d7f197bfd1869ffe06347 |
| SHA512 | 0dd2ed5a6e89a6c8247dc28b5fdfd7a0525235c838feb8ca51ab16b54cf23bc5d51a1997f652d46a44e87aa6fbcdec9341708131fa795671dbf6449a494c3b59 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 92c4b010fb0c6f09f07c8bc25ae5347a |
| SHA1 | 8c5f12d043ba6e61fdab5318dfcddd51ef0f8104 |
| SHA256 | 4ea55b7c5fc1ee347e71129cb5dd578c110f22f1d4958ef2189e00fd331646e0 |
| SHA512 | 322f57aebc43cca24369a301df6195b753ee5052126fac52a830291efad3f83a45bc8a8330a2ba017ecc10788cc681bd9d0c830c0d0645f43c7202ea727dbc03 |
C:\UserDotBZ\abodloc.exe
| Hash | Value |
|---|---|
| MD5 | 397864bf775f654c32970aeaeb5773d5 |
| SHA1 | af69980a966beaa7d1ff405f297b0e6c6a20f61d |
| SHA256 | a4b062b523182323a9f39667081b06da24133eb0b72fc182f29cac6c21e5b19b |
| SHA512 | 5d60c4ad89bd04e6c9efaeaec6a3bcc07a9e620e435e3b6a46445dc2935dbb20ea6ca3a181d54df1a2824d14805cb319273951eaa71e1d80785a8e99e5baad28 |
C:\Vid52\dobxec.exe
| Hash | Value |
|---|---|
| MD5 | 3020a0b48fecb07f934b0e72f71556a5 |
| SHA1 | 96f167383f3b8c3a40d5c863a1621dd4525598ec |
| SHA256 | cfb4f6f135a196260b98eef1e1a8d6d477718d2e51de25f4d1d6070a71ae6018 |
| SHA512 | 2f725db8aeaba87d2a8b5ea82944c83ad502eed75c1886187f508951579f788c38003faa28a80ab65d8dd2f427327e7dcae1bf62ac1f307175772d9f8bb35682 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | ff4d421683b4118ac212c2cd65885aed |
| SHA1 | 2b872c1659a5ffda83e5fa7c71f0ad9beb973da2 |
| SHA256 | 29aac207e7f0b6b4ac1c9b0ab8cef692d392af63e7afc53f76ba1a9da93512de |
| SHA512 | 3417109c889a4d69a0c91ef9da8e78e284b510dca3a3de65c32dfd64c65b768401f672cc992c1a50836a8c29c094bffb44649d7e0ffffb1da1a53e2faa671eb3 |
C:\Vid52\dobxec.exe
| Hash | Value |
|---|---|
| MD5 | b2ea5c939cedc90761e6e4ffd8884193 |
| SHA1 | 6005272bfee16697476a692e1ed6bdc02c300885 |
| SHA256 | 58e24ca59b8e52712beadd860e95a296c0a3490d8e49f6ac5f55f85613c2980d |
| SHA512 | 5cdb91f1f749706c4b4adc13bf31bd1c94a9126b23cfa157524dc4669a11f79b916f03e086ebf2fd11d22b9db6ed588be769724d57fa92dec2d08f5a840dbe1b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-26 04:10
Reported
2024-10-26 04:12
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
103s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | C:\Users\Admin\AppData\Local\Temp\aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| N/A | N/A | C:\SysDrv59\adobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv59\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint7A\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrv59\adobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe
"C:\Users\Admin\AppData\Local\Temp\aee9e179f1fe2cead9bcc90131c38f4f34a5fddb227f2454010c36deb1eed5cdN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe"
C:\SysDrv59\adobloc.exe
C:\SysDrv59\adobloc.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
| Hash | Value |
|---|---|
| MD5 | 689397301e22151ecdc063244e072046 |
| SHA1 | acddcddcb0caa4acd2a97f4fe66fc0ec9c43eedf |
| SHA256 | c0a6cc6516a7cfba3930e89ffa0645ca4769b1607b8c334cf1bd619802e5dd76 |
| SHA512 | 620555af1f0cbcb8274f58a5377b6f54024b99710e1b18b838da0bd9b6f1af1214ada33cbb7b3be4d5d4b2457043156c46d4f2916fd1a0693813647684b4aa8c |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | f83b0740c159f43712b05ffe7f6ecef7 |
| SHA1 | b6bd185bb37739530514e0f56cb6e21bb7718e93 |
| SHA256 | f8adbf545890e393772519492eb229a09ee54cf472d39b6526d37d2bbd119689 |
| SHA512 | aab81e44282bf5ecc4f831b8f5a7c73c25c8828532641bdbae6c209ab208223caf43609258cd2e50ac05547395fd8597a0112cac3b4a14d5dcafa61d50ab361a |
C:\SysDrv59\adobloc.exe
| Hash | Value |
|---|---|
| MD5 | 60f138cd300f13294b0be77515a2b86b |
| SHA1 | c7cd1731bb7edf1277c0807cd911af817d3ffaa5 |
| SHA256 | 0a659a158e3344c256b779d2ad141f2ebfd6c34a6730fa482ef602461fd6b51a |
| SHA512 | 2ab899fe5da955f3714bd50242682eba3db5363b9b495b123f671df45e912e6dd9ddef51561999d24e9f3598188ad70aa6ba89d9ffd935303be9dba3915a598e |
C:\SysDrv59\adobloc.exe
| Hash | Value |
|---|---|
| MD5 | f332e5881f656d9faa64de05baea391a |
| SHA1 | ce169cc41c22638e6c3f8dfbc27e8ef10e8ae330 |
| SHA256 | 2ebb9e85f0cac6961fd7fe53595b4207085dcdf668c703add5c8e631481fbea8 |
| SHA512 | 29735e985bc2d35652e29eccc66fe73ba628bba6b4b115bc004c1ddfdf92a8f4f513eea2028f3cfe7910076d87452fb4eaabf434abdbcb1d6ff9d9301672eff3 |
C:\Mint7A\bodaec.exe
| Hash | Value |
|---|---|
| MD5 | 5e5f77e5a8bba3451205d15924cd85c2 |
| SHA1 | 8dc6f4f6076d3abc71b64626f34bc06239e824c1 |
| SHA256 | 2cf5e62848375af5dfdbd237976b8bf53195ad0533a458694c774a09a1c5e622 |
| SHA512 | 865f8b9eafb8e98c518d4157321733e2b3a01e26eabd18a9260225be73c393ad11ddb23be1bcb85fe39df817842f35624262bcbe170f66b1887924be42e32d37 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 82a979e3c8b6b96ba66f4b5bfd5db284 |
| SHA1 | 672c1391e0c576ac07c01fdd71f03e36273d3cf6 |
| SHA256 | 5d386740237a9c712ea9b5eda20ca35ebb151a871c27d5e884b8f3e84db5e045 |
| SHA512 | b8f5209f94635b1e686e8e62d3100a5c8bd5911d92fe09676aa57ce98c62ab8903c6471ba259d1e9bfc77f8710bd7d15bc957728661c29501490cbc3fe76ee12 |
C:\Mint7A\bodaec.exe
| Hash | Value |
|---|---|
| MD5 | 6a5a4422d897e38676ca7d3635d9e34f |
| SHA1 | 83f66f85e36795555f00e12a635db152f992a6dd |
| SHA256 | f00e01c6efcd9f43909ae0a243167bb3fb93eb887e445d45f69474cf6c5d4e19 |
| SHA512 | b53457bd45d6c3e3f1c910cfef4f089aeaf97bed6b51360b2f7542827b8a6c3cd96c97570cfa8c7ab03b7655d17bd92e2dc87668041de14d21460117ae1cefba |