Analysis Overview
SHA256
e7a58663afd21879effb764bd9495632deb37f053ce6e53e632201e9ca94448c
Threat Level: Shows suspicious behavior
The file e7a58663afd21879effb764bd9495632deb37f053ce6e53e632201e9ca94448cN was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-26 06:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-26 06:34
Reported
2024-10-26 06:36
Platform
win7-20240903-en
Max time kernel
120s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | C:\Users\Admin\AppData\Local\Temp\e7a58663afd21879effb764bd9495632deb37f053ce6e53e632201e9ca94448cN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| N/A | N/A | C:\Intelproc5O\abodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e7a58663afd21879effb764bd9495632deb37f053ce6e53e632201e9ca94448cN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e7a58663afd21879effb764bd9495632deb37f053ce6e53e632201e9ca94448cN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc5O\\abodloc.exe" | C:\Users\Admin\AppData\Local\Temp\e7a58663afd21879effb764bd9495632deb37f053ce6e53e632201e9ca94448cN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVB46\\optiaec.exe" | C:\Users\Admin\AppData\Local\Temp\e7a58663afd21879effb764bd9495632deb37f053ce6e53e632201e9ca94448cN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e7a58663afd21879effb764bd9495632deb37f053ce6e53e632201e9ca94448cN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Intelproc5O\abodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e7a58663afd21879effb764bd9495632deb37f053ce6e53e632201e9ca94448cN.exe
"C:\Users\Admin\AppData\Local\Temp\e7a58663afd21879effb764bd9495632deb37f053ce6e53e632201e9ca94448cN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
C:\Intelproc5O\abodloc.exe
C:\Intelproc5O\abodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
| MD5 | 44900f8c6a8ee2f3f3a29338d3f54623 |
| SHA1 | 34dcbe989a4faaf7757506489c4c0af637254953 |
| SHA256 | ab939ea6b9e8fdf87dbacda7b0f08011c0a6bee799e96d854778572ad029f794 |
| SHA512 | 88c651c0bd3d945631355ef95056a0e929bf8ae04acd5ed7f1516eabee8b0aecc2bc755d09272115aee7875544fc868040548d24d7fad09c302835c8d5647772 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | bce7e8c38796903758ba5fd29fc3b8e7 |
| SHA1 | 530d7a0916b804f4961b409a3edd4bf11e504618 |
| SHA256 | 6f7063950624ec2352ccef2f6e22b3a7332347915d3b9ba369fd3a23d1f764f8 |
| SHA512 | 9a9feeb260492456eef3e57247d07b4be180ab0d2d47471de808e3664a00cff2d106052d1f63844ff14e25c08cce188b20fac248f79245aa0a963f3308baf297 |
C:\Intelproc5O\abodloc.exe
| MD5 | 640f7b2ac26336229373f2ecd8f1e3a8 |
| SHA1 | 8cfce73dd133747809bae24c696a802d971ad6df |
| SHA256 | 66baea018715e78994053487d660febeba43540f4d76ae24735f7587954117d3 |
| SHA512 | ef4e20d859152927a79e4664f7e94555cb4816cfc7746d897db81ec06b07015e8e8d2d096446d27e9cdc3935f8a9e520a00b2f9582f31ffd83a9c36f0ca33267 |
C:\KaVB46\optiaec.exe
| MD5 | 0497494d3b5991c113550c69319c4e11 |
| SHA1 | 1ced82a9ecdfba4363e64a6b5a78a6996bec653d |
| SHA256 | 4311cddd34736992fea415ac3921ff26100ce056cbc5516fb2e8c66706c06bab |
| SHA512 | dc70dc16003bb08b3424f66f8f1d0652409d4b838510f4f0e5cf53849914fe298423763ba5ae1899fb1b458c02656bff8efb08b18a187a3982e3e685dca36bdc |
\Intelproc5O\abodloc.exe
| MD5 | ac32a2b40625a7ed90e188e98a362711 |
| SHA1 | e1dcefb94f228ecdd8a0761b76569239649e3898 |
| SHA256 | fd2befbf8cba93e71007f2b12af018ee31a4af3654b6ca61fe71f522c52b0718 |
| SHA512 | 343c3a085119906c2b8f64ee11f2441af863ea535c17c2a686438d9aa161b951c28da7ba49a636e065fb74e709992fb1c0e9f04a7888d57369406b6a58b78a2a |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 5c709c29603d33a7ad0ce85c03423b78 |
| SHA1 | c24641bee9a765e8643d04e0ae6ae54876761964 |
| SHA256 | dea4e9c1cbc74492ecc51c95e5398d82e65260123eacec6bfe8c8d6fc06b72e5 |
| SHA512 | 8fbd18258e1cb17f5d9a46e22dfcc683dc7f7c59d4e1966d7c81465e695e5b78a7feee7aab5e1af8d505f838176287c6a4a83c655f7d97c9d05521ff2e8cb495 |
C:\KaVB46\optiaec.exe
| MD5 | 7e9b9522a635544d92bb9ad610aec685 |
| SHA1 | 2fc58ac30f879c97f4d54d5a869b673cb5c331cc |
| SHA256 | 410f22bec291620b521d146b5815e78fce498b1f5c6b9eeaba9c1d80f7de213e |
| SHA512 | 43384c99bb14378595d7da4054b477e2ba7ccadf038571bcee6026396f5f0ba4035b3a325d38dab66214cf405519a31e67420d31ea8f4809e24cd526c508b6c7 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-26 06:34
Reported
2024-10-26 06:36
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
103s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | C:\Users\Admin\AppData\Local\Temp\e7a58663afd21879effb764bd9495632deb37f053ce6e53e632201e9ca94448cN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| N/A | N/A | C:\FilesSK\xdobec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ2V\\optixec.exe" | C:\Users\Admin\AppData\Local\Temp\e7a58663afd21879effb764bd9495632deb37f053ce6e53e632201e9ca94448cN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesSK\\xdobec.exe" | C:\Users\Admin\AppData\Local\Temp\e7a58663afd21879effb764bd9495632deb37f053ce6e53e632201e9ca94448cN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e7a58663afd21879effb764bd9495632deb37f053ce6e53e632201e9ca94448cN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesSK\xdobec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e7a58663afd21879effb764bd9495632deb37f053ce6e53e632201e9ca94448cN.exe
"C:\Users\Admin\AppData\Local\Temp\e7a58663afd21879effb764bd9495632deb37f053ce6e53e632201e9ca94448cN.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe"
C:\FilesSK\xdobec.exe
C:\FilesSK\xdobec.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevdob.exe
| MD5 | 8be6f945155e2cd20711131a997e7be3 |
| SHA1 | 41583fddd920e9a72fef686fe84e821b1793e46c |
| SHA256 | afc76b713d1d946949cd7ff29dfee98e4d8839b66c19ac2b3a79a13d337216a9 |
| SHA512 | 59b66ab5268132bfd2a0a4a7145e276abc5c61855f1a534415b51367f2c32315563d6ffbe2c3c732759eedd0fa44634133d9d083765fea982b7217fa57d56eb0 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | bbd5dd00ffeaeb58c4a8a99a8ddb1f56 |
| SHA1 | c5361782e5908e0bce7865df1f008daa7bc349d3 |
| SHA256 | dc4d76469a69a49c706a6e2ba36fdda3e7bff809f416e882090fbafc2aab3462 |
| SHA512 | b903b8476ef65be0106d1eecda47318d746f5ec0d49e71f43ddda666d4b0027ca1901b4ee73fd7861e17ecf9713f645506dcf6a6087ad05e8e1cbb74964a2a07 |
C:\FilesSK\xdobec.exe
| MD5 | 357835d58a392677cb345939525bdfbe |
| SHA1 | e33947804dd502d214c541c27f6e358fb03c3fdb |
| SHA256 | 897408a144aa51ecd59af36c5c5485f74bbd5e3f0b144db37f5d0374432e6262 |
| SHA512 | 2cb20c3b1c0492b167eef370a44a4822e9b1ea5467008d557b5522e2e0ed3e97414d8ee52dee74aa08151cea9de68e796aa10e9b8d0b20d17373e90f75549331 |
C:\LabZ2V\optixec.exe
| MD5 | 44fcdaef303823b7dfdd87e5b899e27a |
| SHA1 | 63ffe8223712af77d68a7cfb55a5d99f25b3b54f |
| SHA256 | 5a353b56dd3bd71bbc078cbf9711b8e8cfb3c248b2a9e407d3a98d722ecdbde8 |
| SHA512 | 38e56f6d725c61548c76cbe5b0b950d88c2e382f875f97592d5beea410cade334e79e486bbde9664f6f6abef12e7a6397e44693f01c3e78a86e920921319f214 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | ae9bbec2c401af25b9e07e46e967fe50 |
| SHA1 | eeb3249df1b4d37f410104b62977aa55d02fa3c8 |
| SHA256 | f363106e8e27496d3e67a3d8452013ead112adfd71f9498832b7f152269afffe |
| SHA512 | 37f54aee5d05872a7bc8a5b78f05d1d1d747009675c74d67334894b81bf2bda29f67af289cb8abbe4c4b0f9c04d2053c3c3dcb85e56ccd4aad6c49c7d9daf6df |
C:\LabZ2V\optixec.exe
| MD5 | 87862775eaaa7f4b49aea85688a227e4 |
| SHA1 | eb3e5c726ac028e56fae186074d6499c7f5971c8 |
| SHA256 | a785fe2f95f1be78e8835ded3d1b89d136b6891472e33d56ff252fcfa4763b6e |
| SHA512 | 6252bdf22730797c9901c028530a515d047d1c92c0099a048dbe5020dae90031fc4812e3c39fa1e838faee97bf6591edf2fe758eceb506c2e8e0f41d58957c8a |