Analysis Overview
SHA256
b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03
Threat Level: Shows suspicious behavior
The file b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 12:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 12:57
Reported
2024-11-08 12:59
Platform
win7-20241023-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | C:\Users\Admin\AppData\Local\Temp\b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| N/A | N/A | C:\UserDot1O\abodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot1O\\abodloc.exe" | C:\Users\Admin\AppData\Local\Temp\b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\LabZE0\\dobxec.exe" | C:\Users\Admin\AppData\Local\Temp\b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDot1O\abodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe
"C:\Users\Admin\AppData\Local\Temp\b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe"
C:\UserDot1O\abodloc.exe
C:\UserDot1O\abodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysabod.exe
| MD5 | 80532a04a71c95a9db1b22527f664f5f |
| SHA1 | df917a4f7dd1e04bd2e8e03a047fedbe791212b6 |
| SHA256 | 43cc6d7d57eb2be88831c9aa65d4aee6cf3ae0cbac6230508e99e58f9906fd0f |
| SHA512 | 6eb52e19d4e29a254c0609a47b4e2ee2879505ed8617389613e89a53248a731648ea092a43fa546580959b9378e9663c7caccd945cd2f327393e78143e80f586 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 7930e14bd379acee77c00ed13dbd967d |
| SHA1 | 7e631b89003c26e724fd62c3007f666eff38bcff |
| SHA256 | de1df46f215ad921f6c5ca6c9eed067cf7d0b1099bfc2c13f1b282c8e8c37066 |
| SHA512 | 086cc633ad69db5d31b56e82e1237cf8a09f2b134a1d1e62b575ab35b56b779a643e9a6164389bb916457d33ec47e92cf208442905556b38394379ecf57d05a3 |
C:\UserDot1O\abodloc.exe
| MD5 | cd72d52aee41a314165a81b867c196dd |
| SHA1 | 9f410976532d24c0aa7fbcaadfe4d576618646f5 |
| SHA256 | 81529b8dd4e9112798fd294e91e5df72adcbdd2472f353652446d14d099b1826 |
| SHA512 | 125e9f5065471a1ea47b8f85bd6ea7d65c51324f76c1342beeebdfc802648a81a1ec837d7dfc40b6ce7aeedbeb10816672fa649d4617d863d7b3c680b80e05dd |
C:\LabZE0\dobxec.exe
| MD5 | 37ec865423324808010f44da53a04a7e |
| SHA1 | f7b6574c6068a87742ae65eb65631dcc7037af85 |
| SHA256 | 37b1fff7af08fc01d50d8d0375b08d9a12b69c5f0e6ecf1740e6162205880d1c |
| SHA512 | 85a83aa58bef7f4173ab0164bc63d45541136b09f650177f709f3c36e0fae7a5c12c39fa00be2519e4e6dadb701c717defe08678f9c4d60c75dde27aa33fe789 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 1cd7d8cdb61dbc52e1784d38c5b3bc67 |
| SHA1 | e370d312acd9f80c51f9c5ca4fae96405ba207a2 |
| SHA256 | 4d6faab6a156e9370d0dde5e8107d4a409f7bb971a487090331da75dcde394c2 |
| SHA512 | 857cec9b63cf9398af334577c7ccb393524fd7c94d6a2a40adaa2fcded8e034d3d28a36c64e58324f97b3c05b40a0ba83d3e8bd22ea077c567c239ea40b43d02 |
C:\LabZE0\dobxec.exe
| MD5 | a5f5abe78aea816256f1a9c58d2d67d8 |
| SHA1 | daf3591b038d8c6dd42c9337374100c7a612e917 |
| SHA256 | bb0c2e66b816aa8d8b5d3be885824cf1de8135434684977b680d07b596f40c28 |
| SHA512 | ae2f8567cc511e9651c44bab0676603f918da71bb07d91f9ffd6bd474213823187d7a4b601509d172ca67ad5a5db265e53bc0a779d35cfea42e99d4ae2245eb1 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 12:57
Reported
2024-11-08 12:59
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
95s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | C:\Users\Admin\AppData\Local\Temp\b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| N/A | N/A | C:\FilesJL\devbodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Vid76\\dobaec.exe" | C:\Users\Admin\AppData\Local\Temp\b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesJL\\devbodec.exe" | C:\Users\Admin\AppData\Local\Temp\b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesJL\devbodec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe
"C:\Users\Admin\AppData\Local\Temp\b272e0390625308179366dd664adbd2cc42c363e999b87cf11122f42f089de03N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe"
C:\FilesJL\devbodec.exe
C:\FilesJL\devbodec.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevopti.exe
| MD5 | 1dc9223ccfd2657da359b90c0c05baa8 |
| SHA1 | e58ce6c82e68f67b29d742dcb0f97e104d592571 |
| SHA256 | 72e2b9348162b8c5d0634490d8b1cd29c09c8828dd67ce5ad0776878ee7f9da6 |
| SHA512 | 4d5b5ad820c4b418e8bc60f974dffeed0b7a29746385c0c7dff8383440c81306dc05c0c50d479e6eab58fe1598f61829251a7406b84910dc34935fef57ae3482 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 5b0bfa416fee4a58e0b844be29abf74c |
| SHA1 | 1f8f2e1ed7dee02a85f09fcb42fd3ec97e177408 |
| SHA256 | f4c1912e29ae6cd2b7979d7400cd87fd0be7544105f48dc40b43f844b2bc0e54 |
| SHA512 | c736fb7386cb53c497717f0b4ea05e7557953bbb27e5e528acaaba3d2fdd721fe2e8f4e4a9b3ab95f870b328670dd9fd1f7445b687d5e50212360525123430bf |
C:\FilesJL\devbodec.exe
| MD5 | f7994c4ba1be3ef7507611fe7149f9f8 |
| SHA1 | 039e5c534c46aeacfff1f621d19217c1cde75396 |
| SHA256 | 795e30cdc9503739521dc806c0fea9efc6f27e09e12594f0710eb3453b203b30 |
| SHA512 | 140d3ee866723b57d043ea8cb1a1a0273b0de179ce155aa5a96bdaefbf74c6a1e58096d0da2654c717250d9dc15b8646e0fddfa2d8e6c6c17862488d4175d5be |
C:\Vid76\dobaec.exe
| MD5 | b9409397c5ead3006db1fe6485548d0a |
| SHA1 | 36c46971f21ea85d645a60a78e8d893c2337331c |
| SHA256 | 63cbef2c1e554c7a9cb75d7db4388a7f7ecfacec4515f3d4bcd849121883ab63 |
| SHA512 | a689ab0926979b30a3a4b3d9ec8c94c7dd869ffaa78dc36060c410b9c908a301e98b7b425db18932b4701e5229e53632510403adf7d01b5f81623c6495a3ef38 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 76fe5864151704395a8c1b162d333eb4 |
| SHA1 | 4f22f56be77e3a15e0c13dcfb25b0206191fe893 |
| SHA256 | 91188e871dcd83cab6e2849cc7ea3f949eea2b852c1cb52a3006e7a56f60f9ed |
| SHA512 | 29e3acd538a45b4cebc35ee0a85cb1ebba26ec49709ff500947dd49a3b8a5dafffbc50d6e0b2080eccd3b8c14607807144cb073ebe009b5eb07ae2a0dc856994 |
C:\Vid76\dobaec.exe
| MD5 | 115bea969b14e5a6fcb2ef34be7848db |
| SHA1 | ee36becbc651d86c9c6daedec9e67250a71f962f |
| SHA256 | 0358b145bfc1f72f593ec59a2e0ac5b7fde473ed6c3606073e8f68236cf31529 |
| SHA512 | a32bc50005c918a3f32d40b7514c861c355045b40f14ff39e0fb7fff603112dcc34fd7a73265b2063d997698159089c6d2a435ddad90ee0bdc5069db344226ef |