Analysis Overview
SHA256
5141889cbb17ab3c05f8e3735094cc54bd21ab7aac09d50da8d49d70f3f52665
Threat Level: Shows suspicious behavior
The file 5141889cbb17ab3c05f8e3735094cc54bd21ab7aac09d50da8d49d70f3f52665N was found to show suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 22:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 22:01
Reported
2024-11-09 22:03
Platform
win7-20240708-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | C:\Users\Admin\AppData\Local\Temp\5141889cbb17ab3c05f8e3735094cc54bd21ab7aac09d50da8d49d70f3f52665N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| N/A | N/A | C:\AdobeFW\abodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5141889cbb17ab3c05f8e3735094cc54bd21ab7aac09d50da8d49d70f3f52665N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5141889cbb17ab3c05f8e3735094cc54bd21ab7aac09d50da8d49d70f3f52665N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeFW\\abodloc.exe" | C:\Users\Admin\AppData\Local\Temp\5141889cbb17ab3c05f8e3735094cc54bd21ab7aac09d50da8d49d70f3f52665N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintFT\\dobxec.exe" | C:\Users\Admin\AppData\Local\Temp\5141889cbb17ab3c05f8e3735094cc54bd21ab7aac09d50da8d49d70f3f52665N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5141889cbb17ab3c05f8e3735094cc54bd21ab7aac09d50da8d49d70f3f52665N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\AdobeFW\abodloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5141889cbb17ab3c05f8e3735094cc54bd21ab7aac09d50da8d49d70f3f52665N.exe
"C:\Users\Admin\AppData\Local\Temp\5141889cbb17ab3c05f8e3735094cc54bd21ab7aac09d50da8d49d70f3f52665N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
C:\AdobeFW\abodloc.exe
C:\AdobeFW\abodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
| Hash | Value |
|---|---|
| MD5 | 463913a62acbe5ba10e989de5d7ce5ea |
| SHA1 | d0dbd25ee479a3cb3eec3e4c81f999d3571fbe43 |
| SHA256 | da078e443bc21396a65b2eeec42bdef5237df84f93be926c7faace0c80dd4de7 |
| SHA512 | 19c224adcc17324a367c4660184e56a17a1d0a7424fb6f2c340ecfd8ad447edfe366db89d612c54bd25d2806453e118dcfe2f45212cd62600b52b79412f4cb6a |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 5dfdbd9daf25a2f6f0e31663f3be04de |
| SHA1 | 1bd39f7e3dbc45364e970d8eb9ca57eeebfaf752 |
| SHA256 | 5527b3f7de617a0f1a45c2e557ee6e85868aeb32cf2c95a5f83b16bdcc5a8df2 |
| SHA512 | ed9877593ede7b41f71c5558392b3d660227d9cf2ae129fc7afe0d3c7a62aa64f10071040dc2fb10331d9ed2052037901f755da025dd5f5d7a521ffc214b9c76 |
C:\AdobeFW\abodloc.exe
| Hash | Value |
|---|---|
| MD5 | d2732825115fb419fdbd476ec5bc6685 |
| SHA1 | 8dd459829395e5764544009017841417932070ed |
| SHA256 | e735de2da4e2f77c0ba7c844015cdb5fcd69da15a461c0db9c87b3d580fd25a0 |
| SHA512 | 8f1c66e7cf3582b7debd9e5a23c8ab07533496b27c701ea2d8c692c58a8d97cee653f30b7f5741cfb5b8f9a61ddf4d9478c319c3c52e2ed79f2084ea9a2c42b5 |
C:\MintFT\dobxec.exe
| Hash | Value |
|---|---|
| MD5 | a854df88009e0c545a36b767fb0cc7f7 |
| SHA1 | 800399eacbdb553b2005e2419f156173eadca55c |
| SHA256 | 4d2efb5f3ef8129bebd4b242a150bdfa5fbbd915e3bcc3e7769b9ca61fce6361 |
| SHA512 | 4201787db290ca7f6ab26fe7a85e0b1a53ab76091fd8e047126433ef8c42879e8d4b6061ab14b05acecbc9deed22eb095afca2f9ae316faa335ab065076f709d |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
|---|---|
| MD5 | 75b832e1aef70555b4d6b457f68b642a |
| SHA1 | 14861c92b968c76d475908047c8e23ace86b7931 |
| SHA256 | 6c03eaf0fa5899161a0c7d98c8e78a9c21096cf031bc489b4fe41335a46be408 |
| SHA512 | 862b397f0582d7e40a4a4b855a34119ab1a97d1552b7279f1ad975a869fc2f7cb990231689aa3f699aed98141b382ed03f823c2b806aa4f1ad8a596a82a7fa22 |
C:\MintFT\dobxec.exe
| Hash | Value |
|---|---|
| MD5 | f7b1d7f452c3d87227979772ba1e0d37 |
| SHA1 | 55c1fa5fe6141e63f15a14e380b1ca15fe24fa14 |
| SHA256 | 1af5993864879dd7e16e983ddcd38898a25bed19123f7e61b50f86e0318ba7ad |
| SHA512 | 7590fac869d3e46a0e9eca6ca3db8684c790a1212416e393466fc474e552a4e4d333158a7718259c44143f95e3841e78219dec35d69254edb81a9c77eb02d29e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 22:01
Reported
2024-11-09 22:03
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
97s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | C:\Users\Admin\AppData\Local\Temp\5141889cbb17ab3c05f8e3735094cc54bd21ab7aac09d50da8d49d70f3f52665N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| N/A | N/A | C:\SysDrv6V\adobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\SysDrv6V\\adobsys.exe" | C:\Users\Admin\AppData\Local\Temp\5141889cbb17ab3c05f8e3735094cc54bd21ab7aac09d50da8d49d70f3f52665N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\GalaxYB\\bodaec.exe" | C:\Users\Admin\AppData\Local\Temp\5141889cbb17ab3c05f8e3735094cc54bd21ab7aac09d50da8d49d70f3f52665N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5141889cbb17ab3c05f8e3735094cc54bd21ab7aac09d50da8d49d70f3f52665N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\SysDrv6V\adobsys.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5141889cbb17ab3c05f8e3735094cc54bd21ab7aac09d50da8d49d70f3f52665N.exe
"C:\Users\Admin\AppData\Local\Temp\5141889cbb17ab3c05f8e3735094cc54bd21ab7aac09d50da8d49d70f3f52665N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe"
C:\SysDrv6V\adobsys.exe
C:\SysDrv6V\adobsys.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxdob.exe
| Hash | Value |
|---|---|
| MD5 | 1077ad8766ddb3660783cac3afe824a7 |
| SHA1 | 4be2c8dacedb2d3092a7d56b9499ae93cf79c9da |
| SHA256 | 7ef8eb1ba32bf75a7a755292b7aeb2ce8ab20779c035b7d98fc113ae3edc93fc |
| SHA512 | d7ffe8c4897553f03aea93af825dd50830d52f8017f91c0527d7ca7b1ca13ca930f2b3d9c116d8c3702707fecea27309dea7c8710c4425a64eee07078f05238e |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | a3ac51a7759f43b1bf65c3a0f09d65dd |
| SHA1 | 2344f37800d66ccd1ee3ba9203ee3a7c866c89e2 |
| SHA256 | 281596be9c48fcea2a5a096a0c9a7fc0ea04008167d7b25e439b336392929978 |
| SHA512 | 4961dbd7af089eaa352ba998fa5cefcada007260e950394de1f63045423b37a51db100be23a489db701227a762d33c35369e714f70a58ff036e56d48a49f45e0 |
C:\SysDrv6V\adobsys.exe
| Hash | Value |
|---|---|
| MD5 | 1129897dfac6801e0714b392719ae028 |
| SHA1 | 89e7d130f16b50507c0e8180bd17eaf0497c7900 |
| SHA256 | f868e4c399ae85e89a9a175ed75e8410c7a56d4c3f7e2a809dbd0447bd1f3383 |
| SHA512 | b0bcd0deafdcf960021350e49662dfc76439cb9424bc3326a3a7ad6bf7e24cf9842dea60539efb0491c91db0255bf737e362f4133b7f551eb447390bd74c0976 |
C:\GalaxYB\bodaec.exe
| Hash | Value |
|---|---|
| MD5 | 94401bfe17b63bc12a1be12401a24290 |
| SHA1 | d92913838d668d5ca483c769340341f601110d3c |
| SHA256 | 432e066e2275750d5773dfacc42d415953e4c38538a9c4fcfa0b008b8a4f13f4 |
| SHA512 | 456c78ed77a4dc88b91b1e7cc9c50c278d1746ac194a2b6832ebc2ea19294b111cbe7a0f1fe96cc3f7ffd21ebbcf0d5bb619228751d87357ffce77537f62b4c5 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
|---|---|
| MD5 | af5dc1915088acd1ec06ba00e69c8f9a |
| SHA1 | 1d37d21e4e5a9517b0d73f2d84546f9f83be204a |
| SHA256 | f02870474bd3f3e9346386a2277527a4c8f9e3559749e804ad7e6cfd49094b33 |
| SHA512 | d30d7f2e02de0a96175f3217bb0a1c48c51af45fc56f28bd3b0d6b9ecd7958b1cb8baaf66b8dabe031331b6cc42a3729d79b52da1a0542c9a48bff344a541dcb |
C:\GalaxYB\bodaec.exe
| Hash | Value |
|---|---|
| MD5 | de478de6caf996b396d6694e8ce2bd73 |
| SHA1 | 8a7dbddf15e7595700187eb76b422db69b005087 |
| SHA256 | 206e4986e00debdcd08ac7b3772afddf1b3e6673aefa3a88ef3f9d14828001ce |
| SHA512 | d0d2abcb42e690fbc3f5e70679d7d88db1e7c3f4e7701d844b21a6a72ce771aa0827147086666155c4d3a83b5a760f3dc960fedb63737db03986c1ce035a6dd9 |