Analysis Overview
SHA256
d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604f
Threat Level: Shows suspicious behavior
The file d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 15:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 15:02
Reported
2024-11-08 15:04
Platform
win7-20240903-en
Max time kernel
119s
Max time network
118s
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | C:\Users\Admin\AppData\Local\Temp\d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| N/A | N/A | C:\AdobeUO\xoptiec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeUO\\xoptiec.exe" | C:\Users\Admin\AppData\Local\Temp\d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxIH\\dobdevec.exe" | C:\Users\Admin\AppData\Local\Temp\d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeUO\xoptiec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe | "C:\Users\Admin\AppData\Local\Temp\d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe" |
| C:\AdobeUO\xoptiec.exe | C:\AdobeUO\xoptiec.exe |
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
| Hash | Value |
| --- | --- |
| MD5 | 1eedd30760f00ef950f4c8ef01d4e2e3 |
| SHA1 | 6d7d79c03fc6c13c40ee8591d5e86b2e3b9a0ff0 |
| SHA256 | 809c349c8be486e55017cdb0106b34cfc62929a7ffaf330d9c7af4f4f4bea232 |
| SHA512 | 72aa0ccfd480b1581a5455d9eb911b851eed7db70386a8c71c77313da41496849be94e45c16411b5c2d97efb8ab1ee3e2719f258d92e36fe9e85c79f505ba9f2 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 0c61154b9ca7113fcbe6c2f4c67e15c3 |
| SHA1 | 851d65913064140c8ea4c0d96a21812da2cd5fe6 |
| SHA256 | f2d73691031bda161f82e28e858ae6bf0c5c38f85db7974b421938521542f2f5 |
| SHA512 | 211a629fecf9d224545d7a30fc170c8c7f5a016062dae3ca42f5047528fa3d1ee935a1e4cac4922e9f59533f5605e5f30463b26975e60c28faca34d2cbfde053 |
C:\AdobeUO\xoptiec.exe
| Hash | Value |
| --- | --- |
| MD5 | e3c1e18d7770dd893aa942c9aecc4dc1 |
| SHA1 | 8adf83645cf43a82cda77bf18d759a37e4ad54df |
| SHA256 | 5b8be73bb804b9ca4c37d5459b2c0169da52e4ad81ee12172845ea4a33d90525 |
| SHA512 | 534642203718bf2987c9ba3ad14ccbaba203295936a70dea0d2087ce906fe72fa2864588cadbe8b211cdcd8a247aebe86b466d7a4476f58100c1a9e2368bab25 |
C:\GalaxIH\dobdevec.exe
| Hash | Value |
| --- | --- |
| MD5 | 16c54a64187790732bdf14c743e75567 |
| SHA1 | cd4508cd11043066a0110db280963282bd8e63b4 |
| SHA256 | d1d257486204cfa71efb312a88c94657525696c9ef867ae06728f605f0868201 |
| SHA512 | 433466abc27394a54bf1f98aaa193d32b4228ae55e6a27028a8940b3aa0f4442515304e2deb1bd5ceb1f246c9a03d772e25a864af733ef386bfd15b53b232154 |
\AdobeUO\xoptiec.exe
| Hash | Value |
| --- | --- |
| MD5 | c3d24a0e487ca5b5604bee9b5701be2d |
| SHA1 | 4890aa1af630336fbde43031803e048ac3f07911 |
| SHA256 | b8d75be3b5bb0541eea5bcdc5e59c5b9db87688003a264a3dd179c5b667b9939 |
| SHA512 | 7c9fbc04f33a6cbc98a5ea136c21d7a09880b49d95fe880795771d30799d9fb46e22e74d3512e2e67136af3d810d1194f48a8abca5049880be90423fecf75a82 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 16f60b429e68d5719235976ce06e65f5 |
| SHA1 | 62d31d5967e0a783935016695d858a8495e3090e |
| SHA256 | 1289172641c63b485add18a9588fcb94ce23e802c5c9ab5e9170819220095b67 |
| SHA512 | b53e1fa10b4f9d1f22d421f43e897fe892d382133d02a71f01e27a16216dd90f5035914a094da30ef00bcab8eef9b0e92eb85a47e4d025f996580a14d009fefe |
C:\GalaxIH\dobdevec.exe
| Hash | Value |
| --- | --- |
| MD5 | 56a7de17573464ed782da58d2969bcf2 |
| SHA1 | 4b0c65c9d7dc2982402361ffa09eaddc1bc87d61 |
| SHA256 | 6210a5d3ca6df722f01bcccfeb1ac9d2fac85fe84488850e08eb1f70c8e5331b |
| SHA512 | 1863b89353604e62dd267761e96146665f92676fa4af7b59226421f9779b6f453caed88396025dfd294c28267fbf7fe7a293de3bb7a07e79e37c057725c7e40e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 15:02
Reported
2024-11-08 15:04
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
94s
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | C:\Users\Admin\AppData\Local\Temp\d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| N/A | N/A | C:\Intelproc4X\adobloc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Intelproc4X\\adobloc.exe" | C:\Users\Admin\AppData\Local\Temp\d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBC9\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Intelproc4X\adobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe | "C:\Users\Admin\AppData\Local\Temp\d9b16250ec098ad70e19ba0baede20f503e4fcff1080b860b8a06084feaf604fN.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe" |
| C:\Intelproc4X\adobloc.exe | C:\Intelproc4X\adobloc.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecdevbod.exe
| Hash | Value |
| --- | --- |
| MD5 | 6815b175b20c15c35ce583a6e786c9a0 |
| SHA1 | 903fded3d9f648528e9f828226478c316305e77d |
| SHA256 | c54225be5740cc2e3deb0a8288abf171f79a9c6a4ca2bd887e42827fccdaad7c |
| SHA512 | 8ff2ab0b77b370940ab8a8d6c24bbe7bd86e7725618a0698f3ca58ca4ec21f957dad6231cf7af841e710e037d66182ee92e2590d95890330ad7bea4a918ff8c7 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | b2b1c316e726793f9019748527d2bbfd |
| SHA1 | e71bc8817d9e59d6e8a46cda70c2c8a7e9d9b949 |
| SHA256 | 13670891a0d80dbea94274b8b3558d50650bd84fe6e01f049ad57e473204f480 |
| SHA512 | 1aa5318b9b19e9851ab3484fec254b0aff1dcb0a89431c1c73b22f82cc36793e7b4b7ba4a73a8298a4ca838abb5f6ca1e3909e2897d6e5097d31ac9c1e22dda1 |
C:\Intelproc4X\adobloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 8fe1ba40f9c97ba155bb0a2c673bb5d1 |
| SHA1 | b783b067d8c1f9bc2618babf486ac0cf346b2856 |
| SHA256 | c8d5611539f064ebdfd0e9c7a83d908047a3a2e1f9939caf818998414a5ea1cb |
| SHA512 | 29122daf46e11a17253f64e110fea247a8b07a58efa7f1f4b8eb4775f75c5d025ac394194771454d84bf88c981a53be0353a7f1962c24a3e55abdf8d5fee4788 |
C:\KaVBC9\bodaec.exe
| Hash | Value |
| --- | --- |
| MD5 | 6cbb35f729029522107489be5b65c7fc |
| SHA1 | c034e51adb3b36da130487f6751c50e260654b1b |
| SHA256 | 5c02c3fd083c2c3c788aeeae3cb1a99a405094074ac82b842c61f4ea660e6061 |
| SHA512 | a58b941e57ce366974c64ff210c4a9a02559053ccc0cf5ccb55c380b119cc5538a74f298d9aa5eba512d9abc5a7e331b38ccfba6b49150f79ddcf57db73d522b |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | f8ab6d8faf85ee56838f737e91d39fc7 |
| SHA1 | 7e06cead2ff139961875dc7ffaa17faf78426905 |
| SHA256 | 44ab223fd74758dd23b5a1694f1191040fdc8d664d611ec67ec11c48813dffca |
| SHA512 | ed9cff55984dc9c99cf194da98ef236457480be4ca94f97714a78af1a932b05c5d1eb9c2ec4294181158d8a2cfb9da0e73f203e378839efd306013ddf495cff1 |
C:\KaVBC9\bodaec.exe
| Hash | Value |
| --- | --- |
| MD5 | 20ec6effd447fb35f7db816f8c616148 |
| SHA1 | c8c9edd9f30b93dc161fc035c69b57e7af305dce |
| SHA256 | 43b6a06c6d792569dc3a4b802a1882bcef34d458cb6c626267bf303fc8dc3fa7 |
| SHA512 | 6a01a317698e30eec8ab65c628488a1e6108d6eb9dd6bdef9a769d497807ace3b68a23452d40d010b95f19759903bb9bc1910e8d7e46fa618aaa3fbf6a80fecf |