Analysis Overview
SHA256
3ea85bf58553d93ea33eeeb7ad5318ab642eaad7ed067d76fbb7cbde1dfc8916
Threat Level: Shows suspicious behavior
The file 3ea85bf58553d93ea33eeeb7ad5318ab642eaad7ed067d76fbb7cbde1dfc8916 received the verdict: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 22:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 22:06
Reported
2024-10-27 22:09
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
143s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | C:\Users\Admin\AppData\Local\Temp\3ea85bf58553d93ea33eeeb7ad5318ab642eaad7ed067d76fbb7cbde1dfc8916.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
| N/A | N/A | C:\SysDrvMT\xoptiec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvMT\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\3ea85bf58553d93ea33eeeb7ad5318ab642eaad7ed067d76fbb7cbde1dfc8916.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZHC\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\3ea85bf58553d93ea33eeeb7ad5318ab642eaad7ed067d76fbb7cbde1dfc8916.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvMT\xoptiec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3ea85bf58553d93ea33eeeb7ad5318ab642eaad7ed067d76fbb7cbde1dfc8916.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3ea85bf58553d93ea33eeeb7ad5318ab642eaad7ed067d76fbb7cbde1dfc8916.exe
"C:\Users\Admin\AppData\Local\Temp\3ea85bf58553d93ea33eeeb7ad5318ab642eaad7ed067d76fbb7cbde1dfc8916.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
C:\SysDrvMT\xoptiec.exe
C:\SysDrvMT\xoptiec.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\SysDrvMT\xoptiec.exe
C:\LabZHC\dobdevloc.exe
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 22:06
Reported
2024-10-27 22:09
Platform
win7-20240903-en
Max time kernel
150s
Max time network
118s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | C:\Users\Admin\AppData\Local\Temp\3ea85bf58553d93ea33eeeb7ad5318ab642eaad7ed067d76fbb7cbde1dfc8916.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| N/A | N/A | C:\FilesTK\adobec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ea85bf58553d93ea33eeeb7ad5318ab642eaad7ed067d76fbb7cbde1dfc8916.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ea85bf58553d93ea33eeeb7ad5318ab642eaad7ed067d76fbb7cbde1dfc8916.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesTK\\adobec.exe" | C:\Users\Admin\AppData\Local\Temp\3ea85bf58553d93ea33eeeb7ad5318ab642eaad7ed067d76fbb7cbde1dfc8916.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBEJ\\dobxloc.exe" | C:\Users\Admin\AppData\Local\Temp\3ea85bf58553d93ea33eeeb7ad5318ab642eaad7ed067d76fbb7cbde1dfc8916.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesTK\adobec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3ea85bf58553d93ea33eeeb7ad5318ab642eaad7ed067d76fbb7cbde1dfc8916.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3ea85bf58553d93ea33eeeb7ad5318ab642eaad7ed067d76fbb7cbde1dfc8916.exe
"C:\Users\Admin\AppData\Local\Temp\3ea85bf58553d93ea33eeeb7ad5318ab642eaad7ed067d76fbb7cbde1dfc8916.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
C:\FilesTK\adobec.exe
C:\FilesTK\adobec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\FilesTK\adobec.exe
C:\KaVBEJ\dobxloc.exe