Analysis Overview
SHA256
2b2053f6b55df3476a9463cb40796a2a9f39b1b7f34c6a9e3a88a64c07e83189
Threat Level: Shows suspicious behavior
The file 2b2053f6b55df3476a9463cb40796a2a9f39b1b7f34c6a9e3a88a64c07e83189 was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 21:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 21:13
Reported
2024-10-27 21:20
Platform
win7-20240903-en
Max time kernel
150s
Max time network
123s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | C:\Users\Admin\AppData\Local\Temp\2b2053f6b55df3476a9463cb40796a2a9f39b1b7f34c6a9e3a88a64c07e83189.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| N/A | N/A | C:\SysDrv5J\abodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2b2053f6b55df3476a9463cb40796a2a9f39b1b7f34c6a9e3a88a64c07e83189.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2b2053f6b55df3476a9463cb40796a2a9f39b1b7f34c6a9e3a88a64c07e83189.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv5J\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\2b2053f6b55df3476a9463cb40796a2a9f39b1b7f34c6a9e3a88a64c07e83189.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintN8\\optixloc.exe" | C:\Users\Admin\AppData\Local\Temp\2b2053f6b55df3476a9463cb40796a2a9f39b1b7f34c6a9e3a88a64c07e83189.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrv5J\abodec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2b2053f6b55df3476a9463cb40796a2a9f39b1b7f34c6a9e3a88a64c07e83189.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2b2053f6b55df3476a9463cb40796a2a9f39b1b7f34c6a9e3a88a64c07e83189.exe
"C:\Users\Admin\AppData\Local\Temp\2b2053f6b55df3476a9463cb40796a2a9f39b1b7f34c6a9e3a88a64c07e83189.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
C:\SysDrv5J\abodec.exe
C:\SysDrv5J\abodec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
C:\Users\Admin\253086396416_6.1_Admin.ini
C:\SysDrv5J\abodec.exe
C:\MintN8\optixloc.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 21:13
Reported
2024-10-27 21:29
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | C:\Users\Admin\AppData\Local\Temp\2b2053f6b55df3476a9463cb40796a2a9f39b1b7f34c6a9e3a88a64c07e83189.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| N/A | N/A | C:\SysDrvZ9\devdobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvZ9\\devdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\2b2053f6b55df3476a9463cb40796a2a9f39b1b7f34c6a9e3a88a64c07e83189.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintXL\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\2b2053f6b55df3476a9463cb40796a2a9f39b1b7f34c6a9e3a88a64c07e83189.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2b2053f6b55df3476a9463cb40796a2a9f39b1b7f34c6a9e3a88a64c07e83189.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvZ9\devdobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2b2053f6b55df3476a9463cb40796a2a9f39b1b7f34c6a9e3a88a64c07e83189.exe
"C:\Users\Admin\AppData\Local\Temp\2b2053f6b55df3476a9463cb40796a2a9f39b1b7f34c6a9e3a88a64c07e83189.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
C:\SysDrvZ9\devdobloc.exe
C:\SysDrvZ9\devdobloc.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
C:\Users\Admin\253086396416_10.0_Admin.ini
C:\SysDrvZ9\devdobloc.exe
C:\MintXL\dobdevloc.exe