Analysis Overview
SHA256: 3f589eca3018796925ec70c0472e5f28393a49f475d95a73e500d82d5394a83b
Threat Level: Shows suspicious behavior
The file 3f589eca3018796925ec70c0472e5f28393a49f475d95a73e500d82d5394a83b was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-10-27 22:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-10-27 22:09
Reported: 2024-10-27 22:11
Platform: win7-20240903-en
Max time kernel: 149s
Max time network: 121s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | C:\Users\Admin\AppData\Local\Temp\3f589eca3018796925ec70c0472e5f28393a49f475d95a73e500d82d5394a83b.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| N/A | N/A | C:\AdobeWF\aoptisys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3f589eca3018796925ec70c0472e5f28393a49f475d95a73e500d82d5394a83b.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeWF\\aoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\3f589eca3018796925ec70c0472e5f28393a49f475d95a73e500d82d5394a83b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBAX\\dobxloc.exe" | C:\Users\Admin\AppData\Local\Temp\3f589eca3018796925ec70c0472e5f28393a49f475d95a73e500d82d5394a83b.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3f589eca3018796925ec70c0472e5f28393a49f475d95a73e500d82d5394a83b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeWF\aoptisys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3f589eca3018796925ec70c0472e5f28393a49f475d95a73e500d82d5394a83b.exe
"C:\Users\Admin\AppData\Local\Temp\3f589eca3018796925ec70c0472e5f28393a49f475d95a73e500d82d5394a83b.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
C:\AdobeWF\aoptisys.exe
C:\AdobeWF\aoptisys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\AdobeWF\aoptisys.exe
C:\KaVBAX\dobxloc.exe
Analysis: behavioral2
Detonation Overview
Submitted: 2024-10-27 22:09
Reported: 2024-10-27 22:11
Platform: win10v2004-20241007-en
Max time kernel: 150s
Max time network: 149s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | C:\Users\Admin\AppData\Local\Temp\3f589eca3018796925ec70c0472e5f28393a49f475d95a73e500d82d5394a83b.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| N/A | N/A | C:\UserDotE2\adobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotE2\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\3f589eca3018796925ec70c0472e5f28393a49f475d95a73e500d82d5394a83b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZLT\\bodxsys.exe" | C:\Users\Admin\AppData\Local\Temp\3f589eca3018796925ec70c0472e5f28393a49f475d95a73e500d82d5394a83b.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3f589eca3018796925ec70c0472e5f28393a49f475d95a73e500d82d5394a83b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotE2\adobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3f589eca3018796925ec70c0472e5f28393a49f475d95a73e500d82d5394a83b.exe
"C:\Users\Admin\AppData\Local\Temp\3f589eca3018796925ec70c0472e5f28393a49f475d95a73e500d82d5394a83b.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
C:\UserDotE2\adobsys.exe
C:\UserDotE2\adobsys.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\UserDotE2\adobsys.exe
C:\LabZLT\bodxsys.exe