Analysis Overview
SHA256
8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971
Threat Level: Shows suspicious behavior
The file 8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 23:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 23:33
Reported
2024-11-08 23:35
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | C:\Users\Admin\AppData\Local\Temp\8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| N/A | N/A | C:\SysDrvTV\xbodec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvTV\\xbodec.exe" | C:\Users\Admin\AppData\Local\Temp\8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZ4F\\dobxec.exe" | C:\Users\Admin\AppData\Local\Temp\8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvTV\xbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe
"C:\Users\Admin\AppData\Local\Temp\8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
C:\SysDrvTV\xbodec.exe
C:\SysDrvTV\xbodec.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
| MD5 | 2662a859c62031ac88d3c0749a31ec44 |
| SHA1 | 179ce2d4c88c54ae47f7c03d0c62966533c69f68 |
| SHA256 | 6c28e766a20109f8704ee2cba0658e085db76999e06023d7dfd0c72323376699 |
| SHA512 | 22a9fbede53642aa153e2ee19665d8a1024a91772b322a3048c60815b6b5ec15c6539031d3a11a68a6b2dcff1c3f805e359a83c385fd8ac3d7b9f78f23ec6c40 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | ff851da78cb205dcf7e259b97a6443c5 |
| SHA1 | 2f6e351eb6fffb60d8ecef1fb45bd35e64a2aa66 |
| SHA256 | 99fd0a2d4a7492c0234bf7f94e4e577cf485a742013c6a94ca0585bc0281de71 |
| SHA512 | e89f6cc418661d35f9c2d385dd0febd51da98c8a6d6e5519697e00b13aa94c9ccf6da0e816ab3db0534f9f1d7071427b7d07044ed5d4686e83ffa25e59aee881 |
C:\SysDrvTV\xbodec.exe
| MD5 | b55f347584547a05ea5d9dee61e02848 |
| SHA1 | 3a836a07df8df535e7b32f1bea21d266a1c0d3a9 |
| SHA256 | 2c78428ee5c4855a75ac5450e12a7a54d6466bf65ddc0b6e34d36a656c918087 |
| SHA512 | 820d5112c884218f5159868c67de55c4fa42002b751ea25e4d90a3d44d17b91daff0f35895f767d7d0524e8fd2f9252aaefa99cc08e24c713a4f7d5a11b7d0c4 |
C:\LabZ4F\dobxec.exe
| MD5 | 1a36cb06d005923e75f06ccb4505a064 |
| SHA1 | 2fd854f12a4e9d71ec7a5b8e69a569396b7d5048 |
| SHA256 | 051485a52972ea5c0603dd9736040cead746b7e92e9c982589493d4e6b5b606c |
| SHA512 | e5362ebc0702021e2e3720fc57e9b360f3685010aeae47c65dc18c7d68ecb2be4429cd9eec606b95744a7b46cd1a292c6058dd9abea5f266061912ecd4065e95 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | a1546d5a76b42629e0435f2d02e3ff2d |
| SHA1 | 3473ccba667a8387310dd44be12aa779dab0db99 |
| SHA256 | cf061f16ce7ce59139c9bb9531335a1a7139e79eee86d1ce668e74c512dba104 |
| SHA512 | ba5f3c37a25fa12c8bb48e342bfb32da7a8ae717e7fc5484c38eaabc8089561fb132e434eefe58c4e65a5b07795e68a1eee3738ec8ef5649e8d3cd0cabd5a340 |
C:\LabZ4F\dobxec.exe
| MD5 | c102aaf0ee64348275dd221dfd70ff61 |
| SHA1 | 68698087775e5c1a974506adbfdf3e83e56d1362 |
| SHA256 | 2615bf3823319c3c223060d066cbd2b39ddf92e0cabdc0869392df9db338f0e6 |
| SHA512 | b0de666a57ab3cb939be25e8502df18230bd00438d4493a8276ad7a303bc6f7a550df9464abaa4d016e8738ee55c1050d8fbebdb69b8043712de863ca4e246ac |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 23:33
Reported
2024-11-08 23:35
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | C:\Users\Admin\AppData\Local\Temp\8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| N/A | N/A | C:\SysDrv6N\xdobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv6N\\xdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBPB\\dobdevsys.exe" | C:\Users\Admin\AppData\Local\Temp\8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrv6N\xdobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe
"C:\Users\Admin\AppData\Local\Temp\8ebf80984acb1d9ef0433103d4670042d61a61999fb2342be36bdf9ce7347971N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe"
C:\SysDrv6N\xdobloc.exe
C:\SysDrv6N\xdobloc.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxbod.exe
| MD5 | fe6b8eaa8f6218a0e8dfebeda823968e |
| SHA1 | 4959a3ea66fee942baa97a922a911938f2dd7217 |
| SHA256 | 4a786f95a95aa4d957207bba917e527ffd35e519174dbd75fa0fc1447339d738 |
| SHA512 | 51b3b976722dda44002855e3df1d549fe9cbaf561ca323d42c9f0ec6db63579a009c569cad082d7996502743c1b402cd1ebdfc7c1ed1b899949bc424b2d65182 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 863e0d48901c6d70d856d4efed40cb01 |
| SHA1 | b3b61c459cf6b5177645c291f3030a6ebeccb4f5 |
| SHA256 | ff5a5e7e6a827eba179d116de48a1288f9500a7c529bede3fc5456d9cd5adae4 |
| SHA512 | 3e11f2e930c8b121b1967e073a3182b4ff53ed148be8e84405a4986e2360e92fd159d8f2ae50d381a74c8256d5d633229962a578349ba931d99446faaef0e6f0 |
C:\SysDrv6N\xdobloc.exe
| MD5 | c086eba78c30d076c12734e00cd5c026 |
| SHA1 | f043e2bb506b346b870add636882f38d5e49bfb4 |
| SHA256 | a771e3cbb26259f20348bf74ef2b5e3c3293f714878bcc42dc476657dfc0a503 |
| SHA512 | 6419c9fd9d9ea0eae2c6ebae7dd50c14bdebaabaf568857ccd979d12e8821606f12dfd1e7a4bea29d2f0ba15eedc656ad411ed870fa3edcc1af0c36047b00932 |
C:\SysDrv6N\xdobloc.exe
| MD5 | 20ed5faa9f27e2999b65d5f52887ba5c |
| SHA1 | e628ef7a917482fa9e20ca1b52b8a4aa0a353cbe |
| SHA256 | 1e068902eef35bf78822e5bd2d9982b7a36c3cef93eee4c3bd3a933259eb1319 |
| SHA512 | 14c416052b3a7b6de99794acf7f5f97d9f1675722483a4bd930d7866d35b5bcdc9577c051f96d7ad8aea7b5a88b9123b28e5b026a7302cc856baf85831178582 |
C:\KaVBPB\dobdevsys.exe
| MD5 | 23497ef37ee3467d3edb83457238a3c6 |
| SHA1 | b515b9ac3705b3a5c4f7980537fe717a66e62fe3 |
| SHA256 | 26b7202f6fbb8ed46a4a8686021fdedb8b96565df03da9785627c5fc0e4b8ed1 |
| SHA512 | b88a5105b1df502437b9165eb9727a1f0bcd08a26965c17de0c9aeff21038f21e58bbd14fc1c0c93012acbea7a6febd8c091ef6a8da6fe728a7e9eaaac485f09 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 2098c1e54610b0badfb761c52a704010 |
| SHA1 | c0fce5bd3e4a8e830166f7e1829e6b123a076de3 |
| SHA256 | a9c156c67fb65f36766bc958dce96c409bc697efcd636a979d10e2725026b338 |
| SHA512 | 72c2c0d4bb97b3e5c47dc144579794c1003e0cf21f363edf4cd1e64c9f9a6d6019b651df028bbb3fbc0291a2436f8a76f168b198f62797298fd6e2a129a00b8d |
C:\KaVBPB\dobdevsys.exe
| MD5 | 419ea425a9877e8102e6026c4dff10c4 |
| SHA1 | b48f829854cb2605ad87b003bb2c51cc672d8e61 |
| SHA256 | e0456e37529a37b27e3ef2bdf2edcec914bcbd717835e081cd99b52896948f01 |
| SHA512 | 3204a01421c2a13defeef72e7c01b83983e4778e31dd07a2b327d0c4f8d6aea4807f6557ae947870203c621b23919945e2e9033270ede34f9ead2b47af74142e |