Analysis Overview
SHA256
6fe5b19e4443db407c228546c6e30382ec1401f6c88d8ff8d1c8fe1a31536053
Threat Level: Shows suspicious behavior
The file 6fe5b19e4443db407c228546c6e30382ec1401f6c88d8ff8d1c8fe1a31536053 was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Drops startup file
Reads user/profile data of web browsers
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 23:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 23:16
Reported
2024-11-09 23:19
Platform
win7-20240729-en
Max time kernel
149s
Max time network
17s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | C:\Users\Admin\AppData\Local\Temp\6fe5b19e4443db407c228546c6e30382ec1401f6c88d8ff8d1c8fe1a31536053.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
| N/A | N/A | C:\FilesPF\xbodloc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6fe5b19e4443db407c228546c6e30382ec1401f6c88d8ff8d1c8fe1a31536053.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6fe5b19e4443db407c228546c6e30382ec1401f6c88d8ff8d1c8fe1a31536053.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesPF\\xbodloc.exe" | C:\Users\Admin\AppData\Local\Temp\6fe5b19e4443db407c228546c6e30382ec1401f6c88d8ff8d1c8fe1a31536053.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Mint4H\\dobdevloc.exe" | C:\Users\Admin\AppData\Local\Temp\6fe5b19e4443db407c228546c6e30382ec1401f6c88d8ff8d1c8fe1a31536053.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesPF\xbodloc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6fe5b19e4443db407c228546c6e30382ec1401f6c88d8ff8d1c8fe1a31536053.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6fe5b19e4443db407c228546c6e30382ec1401f6c88d8ff8d1c8fe1a31536053.exe
"C:\Users\Admin\AppData\Local\Temp\6fe5b19e4443db407c228546c6e30382ec1401f6c88d8ff8d1c8fe1a31536053.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe"
C:\FilesPF\xbodloc.exe
C:\FilesPF\xbodloc.exe
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecxopti.exe
| Hash | Value |
| --- | --- |
| MD5 | 10df829abafb07d150beea1bbb02abd3 |
| SHA1 | 41b8974b70e68e67d296d788d6e42a7176d6bf9c |
| SHA256 | 6995362deebc04452ee480f462cac838133a89f6348562c5133a574ad0f5d733 |
| SHA512 | 04da83697aac29b01d9b3aa0cb86d81ebbe68b008cda0993a7820ae3ee5b3e257a0bd458838dd632958c8e425895681f23d73063f8feef58f7360fdc3834f05c |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 9d77e31ccf9a02f0d344ff57160c6a4f |
| SHA1 | 28aafc63a3e69518f02d9dfded9f74c4045bd44c |
| SHA256 | e465816049714854f3799d28a0994dc5743d58b80b4ab26143bde691572f669c |
| SHA512 | a1cb5ac8cacc904b9bbc28bb0299e6044b64aae5ddbb68b592f13d2fe406417cfdaf9e49ea323e6c02b21c7ea83f00e47fe41f3439918b69a768c455b8d1ee59 |
C:\FilesPF\xbodloc.exe
| Hash | Value |
| --- | --- |
| MD5 | 93a5b90cab384cac72e32ceaff17c320 |
| SHA1 | 89496ef68c4d0d03e1e563d2ee282b24afdc5cdd |
| SHA256 | 9ec292852e46ae3629fdb3c4c0b4fbc656d7da5db9b01a6a34cf5e5bdeebec6f |
| SHA512 | 48938b3b18b966f12c47b425d294e8759827e20ce699f5e35ff47d6d7a9ff2fbe7fccd8e9f049b86caa1200699249ee5e7a00233ca6bc5a091ca59bf73958a78 |
C:\Mint4H\dobdevloc.exe
| Hash | Value |
| --- | --- |
| MD5 | c346de548654eab088b033eeb72e5ab8 |
| SHA1 | 61d5e6da50d6f7b00217db8a4faeabab00794f6b |
| SHA256 | 1521865ffa35423f24e6bdb83604d41a34fc1c35747152e884821e8d8880940c |
| SHA512 | 71996885c5bf78369a6b117b33876a4ff88a61e474d45695d776216dbf0c5c67b726e0167ec40d11578f9ff9e4f05d4d09be5b84116cab7e67d7e09c4188b2df |
C:\Users\Admin\253086396416_6.1_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | ec29632cd344d30fe99f2440798fab28 |
| SHA1 | d8fbb1e67c6a440742cfea10f4b1e864c19cf751 |
| SHA256 | 04ccb09e6eb92c3d321ee4a0d2e9cffef9a1aee2f2b59a6b9dde348c29200230 |
| SHA512 | fdb48bf4430e23546750b58ef4bf79ff1a5b2709ada89e2ae27324374609ff72657c378d87336d1a3a806a04f986b6db923a7dd907816ca5a9a34c8efa6ca49f |
C:\Mint4H\dobdevloc.exe
| Hash | Value |
| --- | --- |
| MD5 | effd51d4791e91b80211959faf20c1a3 |
| SHA1 | 38bd82eee83a4c41fc78cb068ed159f4aaf484fb |
| SHA256 | edd47104efa2379c5a64b36fd7ba94036355918ea012144146db65c95d5a6528 |
| SHA512 | 4aee620ae2c77efeff1da901c9a7a5c53a5ec96f223ca71b1b61305fa77ffe12809292434a18d23a99d08a9109fc6f879df8c6d99286ff9a75ef4a0099e5c432 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 23:16
Reported
2024-11-09 23:19
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
140s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | C:\Users\Admin\AppData\Local\Temp\6fe5b19e4443db407c228546c6e30382ec1401f6c88d8ff8d1c8fe1a31536053.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
| N/A | N/A | C:\FilesUU\abodec.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\FilesUU\\abodec.exe" | C:\Users\Admin\AppData\Local\Temp\6fe5b19e4443db407c228546c6e30382ec1401f6c88d8ff8d1c8fe1a31536053.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\Galax54\\dobasys.exe" | C:\Users\Admin\AppData\Local\Temp\6fe5b19e4443db407c228546c6e30382ec1401f6c88d8ff8d1c8fe1a31536053.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\FilesUU\abodec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6fe5b19e4443db407c228546c6e30382ec1401f6c88d8ff8d1c8fe1a31536053.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6fe5b19e4443db407c228546c6e30382ec1401f6c88d8ff8d1c8fe1a31536053.exe
"C:\Users\Admin\AppData\Local\Temp\6fe5b19e4443db407c228546c6e30382ec1401f6c88d8ff8d1c8fe1a31536053.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe"
C:\FilesUU\abodec.exe
C:\FilesUU\abodec.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecadob.exe
| Hash | Value |
| --- | --- |
| MD5 | d2f0d57d6089a1fcbc228b6ba90d061a |
| SHA1 | 593789a6dc1ffab425a2d9930f83d08717be7690 |
| SHA256 | 5e3bd8fc1c343aa37bef6e6ecaff96b0b0f1850ec2238065027726572dd82913 |
| SHA512 | 734228a7cef0e2cdc5fab148c7939efb453736b3873080065bda30f975043e832d93580a9f1eba69d114bce6500492b61c707e863b30d7036b3fb8f24ee93aec |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | ad7f3741f70777521a8b0d8a27891c6e |
| SHA1 | 544fc0d8fd836aa576eab4efd12e286956a7d272 |
| SHA256 | 0479a05cfb590968f5dacc7f23d964ebf1415da00601cf96b4467fbe02b6634b |
| SHA512 | aecd4a5e6913354f37d9840fd51d364fcf486c5c9c6b55f9fbdb175bd4e57ba050e93cde57e58045c0d35069e240a29c118b0e2b238e1f0c39b8818d863107b2 |
C:\FilesUU\abodec.exe
| Hash | Value |
| --- | --- |
| MD5 | 5afe4d0e40bb808cdbe9bcca07459fa9 |
| SHA1 | 79202853171674ac28bae9f4103dbac64491b6de |
| SHA256 | 94784119e5b105b9c7dee004d18ee3a87192542610a1e7b9b699c9c9d35a6706 |
| SHA512 | 925043ff725d73ff4c43499e8bf2322f3e7ad5b84da7a1a2a049096d3fb067450884ca4fc4a7ff88025dd482ac720316016fd744bb9c2baf1317c363d85f6676 |
C:\Galax54\dobasys.exe
| Hash | Value |
| --- | --- |
| MD5 | ca330afeda522e062645da0e626bfc6f |
| SHA1 | c9bd75de8aaeb3fffb31eb2562a80f8a47b78e1c |
| SHA256 | 577ad1b44d35cfe713ef48c24d8af9d5ab63e810431cb017799d3469a1360400 |
| SHA512 | 941bd23ece3169fcf6004f2ca140c33ce63e892286a85c8e202c3fe28a86e42552c29bbbc9c27704d7f7361dee2dfc69d61925297789541941511c6a1702da64 |
C:\Users\Admin\253086396416_10.0_Admin.ini
| Hash | Value |
| --- | --- |
| MD5 | 01f2a7030c7f4d06b87e762f65312f8f |
| SHA1 | 27ff1d21b98e61dfa865119dbde39fd831ee167e |
| SHA256 | 4d6155eaa75dcb72df5c0f7f9f48c97c68e4c833e14dace35e1708f9ffac35ca |
| SHA512 | 0d3f72df0ff344292d47483e6cd334dea477212484561d3a212a8970871a5e896986aa06de12d3d8ed49ee559b85c68800592b53a4bd99dcd1fddf43d6c17a53 |
C:\Galax54\dobasys.exe
| Hash | Value |
| --- | --- |
| MD5 | 67b49f001db3604534869e54617649b1 |
| SHA1 | b63afd5e5f5a2d407eb23c42d97c3e2daa3b9b9a |
| SHA256 | b8e8ff16a29e660fa485fb473214c6a30f780b4551bec56b220b7b008312250f |
| SHA512 | 367854f1f8dc769dfabef1ce874110c21df0865c3f50bb2ad9d00850ab3c438327e2ca54f7920b020906690229f80335e75c62057939feeb39de35f542b4598a |