Analysis Overview
SHA256
1aca48d85b35bdb4c207108292a8eb078c1547822d625ed2e1e9acec85168b72
Threat Level: Shows suspicious behavior
The file 1aca48d85b35bdb4c207108292a8eb078c1547822d625ed2e1e9acec85168b72N was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 22:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 22:05
Reported
2024-11-09 22:07
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | C:\Users\Admin\AppData\Local\Temp\1aca48d85b35bdb4c207108292a8eb078c1547822d625ed2e1e9acec85168b72N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| N/A | N/A | C:\UserDot4F\xdobloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1aca48d85b35bdb4c207108292a8eb078c1547822d625ed2e1e9acec85168b72N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1aca48d85b35bdb4c207108292a8eb078c1547822d625ed2e1e9acec85168b72N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot4F\\xdobloc.exe" | C:\Users\Admin\AppData\Local\Temp\1aca48d85b35bdb4c207108292a8eb078c1547822d625ed2e1e9acec85168b72N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBHI\\boddevec.exe" | C:\Users\Admin\AppData\Local\Temp\1aca48d85b35bdb4c207108292a8eb078c1547822d625ed2e1e9acec85168b72N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1aca48d85b35bdb4c207108292a8eb078c1547822d625ed2e1e9acec85168b72N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDot4F\xdobloc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1aca48d85b35bdb4c207108292a8eb078c1547822d625ed2e1e9acec85168b72N.exe
"C:\Users\Admin\AppData\Local\Temp\1aca48d85b35bdb4c207108292a8eb078c1547822d625ed2e1e9acec85168b72N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
C:\UserDot4F\xdobloc.exe
C:\UserDot4F\xdobloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
| MD5 | ccdf4c4c220be7ad4ae62b69a74913a8 |
| SHA1 | 7e267d8517dc441676d4eed0d83e86679a627c9a |
| SHA256 | fa33286355acc932577294e02f2ca649cd86bc7e205dff0282adfb7a7ea1b349 |
| SHA512 | aff0195ed0dd7311b4e854249955475b5f77f8dc063f99b405c0959f8ecbaf39805c979477c73071760e26805a69f475d78facc602e3cbea7343cd4b89ad62a5 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | bd277bcd18b6b249d21551640d405432 |
| SHA1 | eee301f4e1f6ddc29a22e377e2a7aeaa3f3fa6d5 |
| SHA256 | f53ccca62a359ec741d343e063d856262149fb014612d98483380980751a5897 |
| SHA512 | e3add9b90d6c0fc5461356458fe1b533839526040467203b6c743102ffa8763e26ea9dc0622f804a056b5de72c43c8b0775bd7f31dca5bd6c358db061098676e |
C:\UserDot4F\xdobloc.exe
| MD5 | b67d9a6925d551b951c80207887360be |
| SHA1 | 9aefb3837efbdc9e957c4beaaeedd2fa19fe757e |
| SHA256 | b0d2cb0fbf42a1061122f0a14de5547beb05e961d858b8facb2256ded705f3cb |
| SHA512 | 6bfd4edd2c5024ed52fcc02f67dbf5d3e4a006cd9785d0503d4d84998d123b12447f14076e2e6351e8bf14c97e677c4d32a653eb99ea3d831d805c2f0298c6ae |
C:\KaVBHI\boddevec.exe
| MD5 | a11f76255b9ca6234bfd6aa66474643d |
| SHA1 | e3cc3fe2e8e1a624e3288e828320a33d91a8d733 |
| SHA256 | 2a97025511d98dd7e5dd0d7449ac38752616c9d970792c41fea246edadffc1d6 |
| SHA512 | 5b3ad563c733fb5554189481e067a3fcec5460f763afe6445d5eb45bde640f5543a6c59de55edeb77e6711b5792e8c3ee8001ab9a7d7f8f8fcdcc56932530c56 |
C:\Users\Admin\253086396416_6.1_Admin.ini
| MD5 | f8cd19bd7e35db32eb02bf90a397c260 |
| SHA1 | 0d32d9e2d2a5afd0d9335e08e1d14f257f956a4b |
| SHA256 | 1dd319848aba6407c5ef6cadb28df7741b31947843f69b8ec5746b35b84102b5 |
| SHA512 | 85f8a984605a9001cd3714ac156f0bc63eaa5a210f1a660150d18bc54004241d242e00de2c76facfe072d1757e4d1de14192e5cc11b32e9cc615becdd84163fe |
C:\KaVBHI\boddevec.exe
| MD5 | 7b39c3a5fce077f3d95cd61a992c49c6 |
| SHA1 | 9460584f3165aa2ad2d56d1ef81e3a01224249e8 |
| SHA256 | 960dab904e60314a2ebe2c5315c920c9dfd0cfbee794093de227b714cf7abfee |
| SHA512 | 480792984afdc0afc63dc5698edda7207a84b6ce145215d37343e244540bfc784a7a3012b25bcacd1f5bd6612ac3ea544696eb48e8aff222fd96f74edebe8917 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 22:05
Reported
2024-11-09 22:08
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
105s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | C:\Users\Admin\AppData\Local\Temp\1aca48d85b35bdb4c207108292a8eb078c1547822d625ed2e1e9acec85168b72N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| N/A | N/A | C:\UserDotWZ\devdobsys.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDotWZ\\devdobsys.exe" | C:\Users\Admin\AppData\Local\Temp\1aca48d85b35bdb4c207108292a8eb078c1547822d625ed2e1e9acec85168b72N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint3N\\optidevsys.exe" | C:\Users\Admin\AppData\Local\Temp\1aca48d85b35bdb4c207108292a8eb078c1547822d625ed2e1e9acec85168b72N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\UserDotWZ\devdobsys.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1aca48d85b35bdb4c207108292a8eb078c1547822d625ed2e1e9acec85168b72N.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1aca48d85b35bdb4c207108292a8eb078c1547822d625ed2e1e9acec85168b72N.exe
"C:\Users\Admin\AppData\Local\Temp\1aca48d85b35bdb4c207108292a8eb078c1547822d625ed2e1e9acec85168b72N.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe"
C:\UserDotWZ\devdobsys.exe
C:\UserDotWZ\devdobsys.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecabod.exe
| MD5 | 5d8762d04e409d29136fcd89b9a73f8c |
| SHA1 | e7dc90d43ebe5f49bac4918decfd6530585a97ac |
| SHA256 | aa182177dba2ead393d80064230c14ad99f9760b050bed421fecc60f91cddde8 |
| SHA512 | f09f53893a2f1347162ccc298e8b83663cea480ca3e117aecbb30200c9079dae8c684de7c510b4402f17c256e01bd10c4b1a23c43c2ac9b9b5bb5742a9461951 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | 2a11f0a10cababeae5609330b49097a2 |
| SHA1 | bcc35156da70fa1ed5635b6f353f5b8c3b88ec27 |
| SHA256 | 9aad5c99133896226ad0e055c93b37d4b250436ebf53c82a226c7f2b44ec40b3 |
| SHA512 | 1cd31aa2e35bd0c6fad4aaebc04ac06ac1d7d0cadb3bf651267cac5aa5428c232c97210c43fc056cf299d10229c445a8d7166374c3d84b78e24ffea06df9749f |
C:\UserDotWZ\devdobsys.exe
| MD5 | a90cacc642ec6d879eab69ccd683623a |
| SHA1 | b23bc33192ba7557cc88820e177b302d31946e18 |
| SHA256 | dbebed5416dbdbd62327bd8f934eb9ceaf2c482917170899c4dd57f262199076 |
| SHA512 | 63e1231d21b6c1f34db5b44174cd3b81460c4451e85f8b6f3e2e0a46aeac05156f3b1fae73def3b72d3b14a3473e5bc1e3a99e7fc83defbaea00df8fa6441707 |
C:\Mint3N\optidevsys.exe
| MD5 | b0f86f43e550bb196cdafaea1f4b9279 |
| SHA1 | 74219889e0d9c96f2eba8a2045f81c0a4f2cca1c |
| SHA256 | d3f7028e463e3f3f70c8ea073aded0baf33dd67e5b94ae2223a63dd8543520e2 |
| SHA512 | 7d48f6337d803978ea2d21f30e98f4fd26a16066097276580841d1b0fe4300e1f54ba9aab15a8b0979e8b8e752f7a6517b1f23894e1faa59f0db176179d316b8 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| MD5 | ab00608f38433c2d9547e70302ff2901 |
| SHA1 | 9cb3a775bf44a36fc35a1d0e20fb354ef0e3d59b |
| SHA256 | b0ee07e074ab1a3cac12b825d512dabe299f7cb65895412323da8bfa2e730f4e |
| SHA512 | 17be297c05dcb2234d27f60468a733fa855a84980582f6ca6169ccaf71576f6a01a1239a9179e854e66e01a1588a07742edbd6ba2e3ca0a86caa887df066dca0 |
C:\Mint3N\optidevsys.exe
| MD5 | 5ada971dfd2b97d548b110ada34bcb81 |
| SHA1 | 97f4f5bf8d2cd7c32989ee9b85d203f98c911a90 |
| SHA256 | 9995c7535f64317d82c8f9145104ae0a85424a6a7d60ef04a9edc9901924aef3 |
| SHA512 | 4fc54d069fb057be1207fae27db91d713bfbd1fc44d9d722224b0a617967f77be97a45f68b3e7b62a1b8031d6837785ae9112ce114f171f079bb91c65fd81592 |