Analysis Overview
SHA256
ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736
Threat Level: Shows suspicious behavior
The file ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N was classified as: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 15:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 15:08
Reported
2024-11-08 15:10
Platform
win7-20240903-en
Max time kernel
120s
Max time network
119s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | C:\Users\Admin\AppData\Local\Temp\ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| N/A | N/A | C:\Files0O\xdobsys.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files0O\\xdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\VidRE\\dobxsys.exe" | C:\Users\Admin\AppData\Local\Temp\ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Files0O\xdobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe
"C:\Users\Admin\AppData\Local\Temp\ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
C:\Files0O\xdobsys.exe
C:\Files0O\xdobsys.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
| MD5 | 3d57528139d71390b2f3fe2f869ff477 |
| SHA1 | b08919cd879868ec890dd3d6b5558d6ba2eeee1c |
| SHA256 | 26a5966bec9d29e8cf53950f631b8dce26f698ed204289fa64c56f0d6fecd00c |
| SHA512 | f971023e63a1148f7015bc075c60909abc0b009839706abac0f03b6c0c4d03c3db0db7a9899320fe7e617541dbeb3911facda7e45bf0e85246ec4d6626d07ffe |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | d82cac5925de884ae90aa2054d57d346 |
| SHA1 | 910de397f1413a243d13505c9d6126434a956564 |
| SHA256 | 3ffa47291f8fdf2b6f1306464c1a58267ff6e394b801d44e233d106517e4ca3a |
| SHA512 | 55e7c4ab8cd57369e663aa8ca1f7f016b40cdd4f0c27ac72b8f635957e1744a71ee226d92b646b1d83c56c82666fe042516c2ff4e0b2f7cb562cd827a006e7da |
C:\Files0O\xdobsys.exe
| MD5 | 6a73d9c98b6dce850ec626ddc86993b4 |
| SHA1 | 33346d6841f2f4f32921c034b3576f966827b446 |
| SHA256 | c282d9f59b2890538ccdcc998f877290d1905ad52c3dcb4def30acafe6b934f3 |
| SHA512 | dd0d7d8480fc51db8d2a2946b9dce98c816fdb19078d0ec83b2255e2eaae7a09dfdad4c8edc3b50a2bac7890913f4a625eb8a60b3dddb700df44469bb70afd99 |
C:\VidRE\dobxsys.exe
| MD5 | e8fbad3b2a56f8d65e86b9788afe7266 |
| SHA1 | aa4de61a8b9fb32b5067e990ad55a8d039aeb3f4 |
| SHA256 | a7fd6173d525d576a3a482e52ac41859f552d1d861e28bf0fdc931e64aba213d |
| SHA512 | e18b35aa5f56059eeacd139d9b05752c6b5640d4a56386c72366735badcd13d7de3357b91ba43a91ad19c6e699b08c1edb99e776e265c957460075bbeebbf82a |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | 5ab98fbf633a425a8a114b8d04e4328e |
| SHA1 | 1e93e02194949ed022f1179bdb6a9615dbc030f7 |
| SHA256 | 596a30f165ddc8e76856cc4c4431a7e3240caac07ca04de312ac5f5837287fd4 |
| SHA512 | 094b4197b6741d3997e5603b0ed3b6779f943baa440984d213a5bdbbc37b30ce54bc287b8e223164d47202d049f407c239980e698f166ef267a8eb6fdf3013bd |
C:\VidRE\dobxsys.exe
| MD5 | 6843f8f48c6b08412830d6db1f113935 |
| SHA1 | 83f66b4ef66565beb675d2c879fc5e587eb37efa |
| SHA256 | e9e64960df16bd6464d3814dfe634685bc8354fd7df9d86c0178bfbfec8dc821 |
| SHA512 | c7f05aa65f869d626cb413dfbe06a29647e34f2dbe0a53c7af081d9af6b2a3c621e228b4bc98e54a4b8ca83f8385bc087031d69914592368875bf83e3bea4382 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 15:08
Reported
2024-11-08 15:10
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
97s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | C:\Users\Admin\AppData\Local\Temp\ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| N/A | N/A | C:\SysDrvQ2\devoptisys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrvQ2\\devoptisys.exe" | C:\Users\Admin\AppData\Local\Temp\ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxX6\\dobasys.exe" | C:\Users\Admin\AppData\Local\Temp\ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrvQ2\devoptisys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe
"C:\Users\Admin\AppData\Local\Temp\ac83716bfa64d4425bf9765f705cad48dd0665a382dfc62d1841f7300e21f736N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
C:\SysDrvQ2\devoptisys.exe
C:\SysDrvQ2\devoptisys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
| MD5 | 1aff8409e99a76064d811e1320248c2d |
| SHA1 | 7bcae354523424df22d184c412aaf26c34e574b8 |
| SHA256 | 99fe2ea9833730ab338e181b1a62b051f4efb86cd9ac33e4384dd36766599161 |
| SHA512 | 3d8daa8836c81a953f1949b81c9d2a3880c182268a672f3244b2bf66a8cb8fc7a943fe882da092ee3bed0872bd709241a0bf9955c583f3b91ff986844e482275 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 525e275c6217d4423188c55ee97c1bde |
| SHA1 | 518c721fb1c672e4cc25f30906e73cb9d28f66c5 |
| SHA256 | fa1ec07ebc43aa1b5a61042cb87fe77b49bccf965b2142695f5eafd61b103079 |
| SHA512 | 67526ef9bce5e3c60cbca4ead6a29fc0981dc343ad6febfba157d64897f71014e86f8176b8fabe28d81620eb21a5e7b08e66658136783c333b84ef2ef73ae714 |
C:\SysDrvQ2\devoptisys.exe
| MD5 | 48cac46c51577705034e8aefe6e3e26c |
| SHA1 | 18b7dcd0190b31a22078e53de73d10f639e7ccd7 |
| SHA256 | d9ad39a6ea61ca88fd5bf44d792fdefc6b724a6d7cf5cf6b6b84b9ec8966c653 |
| SHA512 | 6b072c32cda36076a408e1896d9f25a03a37886e87bf4f45a4475b7603e42cac8f5193a71f1cd4c21abd39968a246a9996bb1c4feaa6dd438c81961e47000689 |
C:\SysDrvQ2\devoptisys.exe
| MD5 | bf98eec1d3c215339a6f9b9cda791272 |
| SHA1 | ef820f281918d19efbbf4e77320497305981255d |
| SHA256 | 2f66409de32e3d15a91688b20cf290790ec949b64ff81b2bc3bfa0b245dad89c |
| SHA512 | 50bc98473404c75bb3232f4971fce734cd1a46b7e091604aa55b5b625dd48fb1382e89eebf439029682c6ab1ba00223d6c4fa1b1589e21efab72e944417c92d8 |
C:\GalaxX6\dobasys.exe
| MD5 | 4e965642b360681528c8f5125aba574b |
| SHA1 | c34fddc401807e256c747638df9745c2e853e8bb |
| SHA256 | de10a88f95be38be641f63e255e5c31bd2a2d004d1e8ac915c74e8fcd77d8eea |
| SHA512 | be62eb8797c02fd84c2d2b0112751885f4290802921187358bcd10b606747bcb416902f3f4533eccc6e326f645a0bc887ea504f94b60b0489871adcf58f60a13 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | ac80a94d12a54cae29e6eb6aed6bb7cc |
| SHA1 | f555bbc1d8dbbc75971ded28466d11ce9b11e6ce |
| SHA256 | 0473ac8c1902a57ee283d6f67f5cf262ab4edc1c2f3af137cc49e72e6c6ff7f5 |
| SHA512 | 97fdc4f7e2b951088693c441eca0c69da9d1e292433f4de46ef2c6e25df6bfe57418084edfd972a4e5bcaa5e50ad9f374e81ee7de60871fe675aeb1f7d31981f |
C:\GalaxX6\dobasys.exe
| MD5 | 3240fee6e83f6fe53b2bed700cd7f35a |
| SHA1 | 402ba2d91f71b67cb2f9c469e346921f002d3595 |
| SHA256 | b8ada584c069a48155045ff2393f88ac5f70739fe8ef7c6fa2a2b31d77c194d4 |
| SHA512 | 5299d7ab732e3581d831d90d1a3d04e50c7496bdcf6e2c177f6b82f6ca55f06a1d6af37035c8370db1874129db2997febd6c779e1e752b7b96a75bbb0a712efd |