Analysis Overview
SHA256
3ee4a118b3b699ef39b39eccd067721ce3107b5688303a597040f2b177ac5044
Threat Level: Shows suspicious behavior
The file 3ee4a118b3b699ef39b39eccd067721ce3107b5688303a597040f2b177ac5044 was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 22:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 22:07
Reported
2024-10-27 22:10
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
139s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | C:\Users\Admin\AppData\Local\Temp\3ee4a118b3b699ef39b39eccd067721ce3107b5688303a597040f2b177ac5044.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| N/A | N/A | C:\FilesMM\abodloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesMM\\abodloc.exe" | C:\Users\Admin\AppData\Local\Temp\3ee4a118b3b699ef39b39eccd067721ce3107b5688303a597040f2b177ac5044.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid7X\\boddevloc.exe" | C:\Users\Admin\AppData\Local\Temp\3ee4a118b3b699ef39b39eccd067721ce3107b5688303a597040f2b177ac5044.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesMM\abodloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3ee4a118b3b699ef39b39eccd067721ce3107b5688303a597040f2b177ac5044.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3ee4a118b3b699ef39b39eccd067721ce3107b5688303a597040f2b177ac5044.exe
"C:\Users\Admin\AppData\Local\Temp\3ee4a118b3b699ef39b39eccd067721ce3107b5688303a597040f2b177ac5044.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
C:\FilesMM\abodloc.exe
C:\FilesMM\abodloc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
| Hash | Value |
| --- | --- |
| MD5 | 96d65d457cf8fce0aeb184bb9b7e49a8 |
| SHA1 | 7f9d0a1c134a3c2f94f324c32d2f9c9b6d1cbeec |
| SHA256 | ed7e0c9a59b30b8af0178f91f319134191dd7c2065a95100610e9ebed578956e |
| SHA512 | 642a92b7b5c832a92e8fd8ffc9affb8147232883e52dcb40ae1e5bbf0b20b2ec70c6b4a0c576828f4abcee6ad8b900515fb1c9a2cdf8cb96db5ed8191f7d943e |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 6f7a736741eb844b1ebc87fbee4ae9f7 |
| SHA1 | 1b01bd026638a5c08574be5808009ab73c8bf0e5 |
| SHA256 | 917030f1778f17245978b7157345538c0357b49aa9124a07178335aa925999c2 |
| SHA512 | be9a67e1c3a8ad2ec10df552d3e4945345378c7bde7ba17140c5e79a99ccdffa3a8ab63e16d7bd36f593bdac838ec630c72ea78117488382cca1e759536fcf65 |
C:\FilesMM\abodloc.exe
| Hash | Value |
| --- | --- |
| MD5 | e3fcb43e3360e7608d1022e773e4cd15 |
| SHA1 | 5812c06ba76c8b6288b7a22782684ff592395036 |
| SHA256 | d2fc479dbbc255b407f491c7df879f45711bf86fea97574843aea43c9f0c8cee |
| SHA512 | c7d9c9c6272255d86b90fd7b9a8ed22d3042acab487d9f66d5abdac7f2e1e91a2ea365826dbb24e5ab4f658cc964a7be5f2ff02c73dc25b8ab497507360e0804 |
C:\FilesMM\abodloc.exe
| Hash | Value |
| --- | --- |
| MD5 | d272763aede4165b6448bd12ca44420c |
| SHA1 | e852a4c95d939b713a910b5c9c3d759965f126ad |
| SHA256 | bed8e4d0f6786c8c24df6cf518f2c6ce6401c31bc2b5bf21d18bc80d3028f42b |
| SHA512 | 0e3fff4e7b752a9d08bdfc3e6ff882de8d9193065d58cb9d8c192a391fd2768e310b8573a244d7a6f611b156a3083a78cbe52542d807877502a70ac3b83c67b2 |
C:\Vid7X\boddevloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 994598129f11cb475616f24dd01c79af |
| SHA1 | 7ac1cd752d20f2747e0861a1b813da8b06c1af88 |
| SHA256 | 010aa662c4e816a73082fe5de9945c82e2d169bbf9ae1f0c41baa93cd4060268 |
| SHA512 | 06ce3f9490813027086fd45a2ae2cde583fb54c2689d5104713f13b34e8a1e3b024a50c1375db20cc8c991aecb540cbd092c38d36fdece50d9963af09b2bd00c |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 6d79ab039689bb32ca868c1f8761756c |
| SHA1 | 324fa5bb85fd8393a48ad446e23f50bac9d56425 |
| SHA256 | befcd4cb9d17872b97a83b773ae5c34041ba38b395df0058dd147579d74ebd65 |
| SHA512 | 09b299089daec0aeafaa74cfb852efc756b134482da62a1faf33a1f54785c85208426220aec940914ccfe6cc077b257f2b2e199eae0ceb5215c6f4189d8a1b0e |
C:\Vid7X\boddevloc.exe
| Hash | Value |
| --- | --- |
| MD5 | ae9fe898ddc24b479c7a893bc88d8dd5 |
| SHA1 | abdc1e7dcffb6fcbac018027117fc09d17260f76 |
| SHA256 | 6240d77086d1a677f88920c43013c84174d5f403b7494014f0af8e0559c601d8 |
| SHA512 | bcda91e551e1e637ab52aca8fcd31e39caabaf04045a04aac58cc62e07ec06979b1838626aabc7c6fc32a197dba8f0192e6b3af118e7f0bfcf98de0c0fdf7358 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 22:07
Reported
2024-10-27 22:10
Platform
win7-20241010-en
Max time kernel
149s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | C:\Users\Admin\AppData\Local\Temp\3ee4a118b3b699ef39b39eccd067721ce3107b5688303a597040f2b177ac5044.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| N/A | N/A | C:\FilesGA\adobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ee4a118b3b699ef39b39eccd067721ce3107b5688303a597040f2b177ac5044.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ee4a118b3b699ef39b39eccd067721ce3107b5688303a597040f2b177ac5044.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesGA\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\3ee4a118b3b699ef39b39eccd067721ce3107b5688303a597040f2b177ac5044.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZUE\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\3ee4a118b3b699ef39b39eccd067721ce3107b5688303a597040f2b177ac5044.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3ee4a118b3b699ef39b39eccd067721ce3107b5688303a597040f2b177ac5044.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesGA\adobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3ee4a118b3b699ef39b39eccd067721ce3107b5688303a597040f2b177ac5044.exe
"C:\Users\Admin\AppData\Local\Temp\3ee4a118b3b699ef39b39eccd067721ce3107b5688303a597040f2b177ac5044.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe"
C:\FilesGA\adobsys.exe
C:\FilesGA\adobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxdob.exe
| Hash | Value |
| --- | --- |
| MD5 | a57fe69696b7fd5415ee88098f388118 |
| SHA1 | 226384b4c6b74d90615a7c0aa67ddc3210dfbfdc |
| SHA256 | ccaef78f0c4bb80475151a2812b9e51b3a065144cf4ed595ea5f5fceb2123e4c |
| SHA512 | 2c7c207808aab8b4f684dbf19bcd5836fb04738720dbedca29a389f5bfb1723880919f3257d203af696ad3fea56b81a948be48b91742bdd987e80049fdf542a2 |
C:\FilesGA\adobsys.exe
| Hash | Value |
| --- | --- |
| MD5 | c3b3243b7ee23a5aa32182f9d68705a8 |
| SHA1 | cec74c6051dc01296d3db232c84fa5cd5f7087de |
| SHA256 | 41b41fa6346eff70c805c165c9d7930b0cce273656709710cf62c67cbb880276 |
| SHA512 | 1ece18f2da3aadf789780515abfc975a6447c7632cf42fd46e9902da68ba8f1b6d1f121f91b7d2becfd6df2a2de6e41647689f697e9769bc100fea75089039f3 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | bec5d051b61bffbb0f7c82e253982cda |
| SHA1 | 6d5ad5ef15976c6bfeb0388e301b0273210d54f5 |
| SHA256 | aa4a2080123674f271c2af3fb94d0b36781d445ce15db85b8f1216e79d1f4a69 |
| SHA512 | 1d17c4410af96386f04be3435d4139a0e48f178f3401dc230fdd9f9723488566166f2a622aebfe858e97ab946ea9c54c4f0d575e3d8f5519729aee45ca9684ac |
C:\LabZUE\bodaec.exe
| Hash | Value |
| --- | --- |
| MD5 | ee73b2422a3132bd38137af73421a244 |
| SHA1 | e0ff28c36e72dffae274f69ab5d6670cab5dba2f |
| SHA256 | 8fab226211d11368de575651b7bfd09d3f49fc5094aff02a294f9efca6aed87e |
| SHA512 | 5c22d6281ff81c57bcaefe3500ba63bd9763a577209c7c6b96d4fbf3af5ecc89d8450b5b87fbf7918495042fc105151b5e8276b1ee3e336118fde9438602d889 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | d9ce38623653627c025f3c967910caaa |
| SHA1 | 3103e93fe7c74149a007483d3bf9bd8b07801418 |
| SHA256 | 466b62bc1dbfe4975312babf86a01d8f69d41be2b01acfa633f948f47646f31e |
| SHA512 | 6df839276e4869ef1f497abbc4ae1220b534e9f8d36665a6999ca2c1cfa72aa37c4fe29cd43ee491904b5bcca6518781f4de4ebc59c21ad5691998c5de6382b4 |
C:\LabZUE\bodaec.exe
| Hash | Value |
| --- | --- |
| MD5 | 0ddde550724478de419c8fe40bfc5698 |
| SHA1 | 15558da21b07691aafd1558029a91b87817b7151 |
| SHA256 | df0361bcbfa3a47280a297e84bad40efed942b27e92398c9acb2bb00980b30cf |
| SHA512 | fada05a99fbb5c8d3765c004cefa028ef6c9ee6549873b0431f990b38a53770e1042e31776e90b42c7d41879d9adb89a4dbd8ecf728401a7120d80b99c273e01 |